The methodology

The Custodiance Standard

The operating standard behind every engagement, written down and applied consistently. It is what "built to your regulator's standard" means in practice — four principles, and a concrete mapping from each authority we work under to the way an estate is actually built.

Why it is written down

A website is something you buy once and worry about forever. Your digital estate is something a named, accountable expert holds and runs on your behalf — in-jurisdiction, to your regulator's standard, indefinitely. You stop owning a problem and gain a custodian.

A posture that lives only in one engineer's head is not a standard; it is a habit. Custodiance publishes the standard so the way your estate is built is auditable, repeatable, and the same as the way the next one is.

The operating principles

Four principles, applied as the floor

These are not premium options behind a higher tier. They are the floor of every Custodiance engagement — simply what it means for us to run an estate at all.

Principle 01

Compliance-fluent by default

Your own regulator's standard is the floor of the build, written down in advance and applied from the first day of an engagement. It is never retrofitted once a problem appears, and never invoiced as a later add-on. Because the posture is documented rather than improvised, the way your estate is built is the way the next one is — auditable, repeatable, and defensible.

Principle 02

Data sovereignty, in-jurisdiction

Client data and hosting stay within UK and EU jurisdiction by design. Hosting regions are pinned in configuration rather than assumed, sub-processors are documented, and access is held to a known shortlist. When a regulator, a client, or your own board asks where your data lives and who can reach it, the answer is precise and without caveats.

Principle 03

A named, accountable CTO

A single senior technical partner is personally accountable for the estate — a name and a direct line, not a ticket queue or a rotating pool. For a practice too small to justify a full-time chief technology officer, this is the equivalent on a fractional basis: someone who carries the work between requests and answers for it when something needs to be put right.

Principle 04

Maintenance as a continuous managed service

The estate is not a project that ends at launch. It is held and run indefinitely — monitored, patched, and kept to standard as obligations and threats move. A compliant build that is then left to drift is not compliant for long; custody means the posture is maintained, not set once and forgotten.

The mapping

What your regulator's standard means in practice

Each authority we work under translates into concrete infrastructure standards. This is how a regulatory obligation becomes a property of the estate rather than a clause in a policy document.

SRA

Law firms

Solicitors Regulation Authority

Confidentiality and client-money obligations carried into the infrastructure: in-jurisdiction hosting for client and matter data, enforced transport and at-rest encryption, access held to a named shortlist, and a documented sub-processor list — so the duty of confidentiality is a property of the estate, not a clause in a policy nobody can evidence.

ICAEW

Accountancy practices

Institute of Chartered Accountants in England and Wales

Client confidentiality and integrity of records reflected in the build: tamper-evident handling of client data, sovereign hosting and backup, controlled access to financial information, and a continuity posture that survives a vendor or hosting failure — the practice can answer where records sit and how they are protected.

KCSIE

Schools

Keeping Children Safe in Education

Safeguarding carried through to the public estate: appropriate handling and minimisation of any pupil or family data, in-jurisdiction storage, restricted access, and forms and contact paths built so a safeguarding concern reaches the right person — not a generic inbox. The web estate is treated as part of the safeguarding surface, not separate from it.

ICO / UK GDPR

Every regulated practice

Information Commissioner's Office — UK GDPR

The data-protection regime engineered in rather than bolted on: lawful-basis-aware data capture, data minimisation by default, a maintained record of processing and sub-processors, working subject-access and erasure paths, and a DPIA where processing warrants one. Hosting and sub-processors are pinned to the UK and EU so transfers do not become the unanswered question.

NTSELAT

Estate and letting agents

National Trading Standards Estate & Letting Agency Team

Material-information and transparency duties reflected on the public estate: fee and material-information disclosure surfaced correctly, accurate and current listings, and auditable handling of enquiry and client data in-jurisdiction — so the web presence meets the disclosure standard the regulator now expects rather than working against it.

NHS DSPT

Clinics and healthcare practices

NHS Data Security and Protection Toolkit

The DSPT control expectations carried into the web and email estate: sovereign hosting for any patient-adjacent data, enforced encryption, least-privilege access, monitoring and an evidenced incident path, and documented sub-processors — so the estate supports the practice's toolkit submission rather than becoming a gap in it.

The guarantee

What a Custodiance engagement guarantees

  • Your estate is built to your own regulator's standard from the first day — written down in this methodology, not improvised per project.
  • Your data and hosting are pinned to UK and EU jurisdiction, with a documented, current sub-processor list you can hand to a regulator or client.
  • A single named senior technical partner is personally accountable for the estate — a name and a direct line, carried between requests.
  • The posture is maintained continuously as a managed service: monitored, patched, and kept to standard as obligations move — not set once and left to drift.

Custody, not marketing.

Have a senior partner hold your estate to this standard

A scoping call is a measured conversation about your obligations, your current setup, and what it would take to run it to the standard above. No obligation, and no pressure.