Legal · Policy 06

Compliance

Last updated 28 May 2026. An overview of how DFA Machine meets its regulatory, security and contractual obligations.

1. Regulatory framework

DFA Machine Ltd is a UK private limited company (no. 17276533) incorporated under the laws of England and Wales. We are registered with the Information Commissioner's Office (ICO) as both a data controller and a data processor, and we operate in compliance with UK GDPR, the Data Protection Act 2018, EU GDPR (Regulation 2016/679), the Privacy and Electronic Communications Regulations (PECR), the UK Modern Slavery Act 2015 and the UK Bribery Act 2010.

2. Information security

  • ISO/IEC 27001:2022 certified Information Security Management System covering all production services, with annual surveillance audits by a UKAS-accredited certification body.
  • SOC 2 Type II report against the Security, Availability and Confidentiality Trust Services Criteria, issued annually and available to customers under NDA.
  • Cyber Essentials Plus certified.
  • Penetration testing of production services performed annually by an independent CREST-accredited firm, with all findings tracked to remediation and closure.

3. Data protection

We act as a data processor for customer-uploaded content and as a data controller for account, billing and support data. Our Data Processing Addendum incorporates the UK International Data Transfer Agreement (IDTA) and the EU Standard Contractual Clauses (SCCs). Records of Processing Activities (Article 30) are maintained and reviewed quarterly, and a Transfer Impact Assessment is on file for each processor located outside the UK or EU.

4. Financial crime

We operate a risk-based AML, sanctions and counter-terrorist-financing programme proportionate to our service offering. See our KYC / AML Policy for full detail. All staff complete annual financial-crime training.

5. Supply chain

Suppliers are tier-rated by criticality and subject to due diligence covering security, privacy, ethics, modern slavery and financial standing before onboarding, and are re-assessed at least every 24 months thereafter. All suppliers must accept our Supplier Code of Conduct.

6. Anti-bribery and ethics

We maintain a zero-tolerance policy for bribery and corruption (UK Bribery Act 2010). Gifts and hospitality are logged in a central register and capped at £75 per occurrence. A confidential Speak-Up channel is available to all employees, suppliers and customers.

7. Modern slavery

We publish an annual Modern Slavery Statement in line with section 54 of the Modern Slavery Act 2015, even though our turnover is below the £36 million statutory threshold at which a statement becomes mandatory.

8. Environmental

Production workloads run in datacentres committed to 100% renewable-matched power (Equinix LD8, Telehouse North, Interxion FRA1). We track Scope 1, Scope 2 and material Scope 3 emissions annually and target net-zero operations by 2030.

9. Business continuity

We maintain documented business continuity and disaster recovery (BCP/DR) plans, and production services run on an active-active multi-region architecture. For tier-1 systems the recovery time objective (RTO) is ≤ 1 hour and the recovery point objective (RPO) is ≤ 5 minutes. Tabletop exercises are run every six months and a full failover test is performed annually.

10. Reporting concerns

Compliance or ethics concerns: contact@dfamachine.com or the anonymous Speak-Up channel. Security vulnerabilities: see our Responsible Disclosure policy.