Plain English, no jargon.

Glossary

A plain English explanation of every technical, legal, and cloud term I use across the use case pages and articles. Written the way I'd explain it to a partner who'd rather not read the manual.

Each entry has its own anchor link. If you want to send someone a definition, the heading is shareable.



AI

Software that produces text, answers, summaries, or images by drawing on what it has previously read.

"AI" on this site usually means generative AI: tools that read your question and write back a reply in plain English. ChatGPT, Claude, and Gemini are the three best known public ones.

The assistants I build are private versions of the same idea, running inside your own AWS account so the conversation stays put.

Worth saying out loud: AI as it stands today is good at language, mediocre at facts, and bad at maths unless it's set up carefully. The work in a Sovereign AI build is in the careful set up.

See also: generative AI, Sovereign AI, private AI assistant.

API

Application Programming Interface. A way for one piece of software to talk to another, without a person in between.

The systems you already run use APIs constantly. Your CRM, your accounting tool, your document management system: they all expose APIs so other tools can ask them questions and act on the answers.

For a Sovereign AI build, putting an API on the assistant means your existing systems can use it without anyone copying and pasting.

A case management tool could ask "summarise this client's recent correspondence", or a quote builder could ask "find the closest comparable contract", and the answer comes back programmatically.

Also called: Application Programming Interface.

Application Load Balancer

The piece of AWS that takes web traffic from the internet and sends it to your application.

If twenty people are using the assistant at once, the load balancer makes sure each request goes to a server that's free, and that none of them are dropped.

It also handles the certificate that turns the site from http to https.

See also: ECS Fargate, Caddy.

AWS

Amazon Web Services. The bit of Amazon that rents you computers, storage, and software by the minute.

When you hear "the cloud" in a UK business context, it's usually AWS, Microsoft Azure, or Google Cloud.

AWS is the biggest of the three and the one I use for the Sovereign AI use cases. They run their UK operation out of three data centres around London, which is why the use cases on this site live in the eu-west-2 region.

Amazon doesn't read what's stored in your AWS account. They charge you to store it and run it; that's the whole arrangement.

See also: AWS Bedrock, eu-west-2, EC2.

AWS Bedrock

A service from Amazon that lets you run an AI tool inside your own private space on Amazon's cloud.

You send a question, the AI sends back an answer, and the whole conversation stays inside your AWS account. Amazon doesn't keep your data, doesn't read your conversations, and doesn't use them to train anyone else's AI.

Bedrock is a menu of AI tools you can pick from. On this site I use Mixtral 8x7B from Mistral, with Llama 3 from Meta as a documented alternative. Both are open weights.

Bedrock is the bit that makes the rest of the build possible. It's the difference between "we're sending your organisation's documents to a US AI company" (what ChatGPT does) and "we're running an AI inside your own corner of a UK data centre with the door locked from the outside" (what Bedrock makes possible).

Also called: Amazon Bedrock.

See also: open weights, Mixtral 8x7B Instruct, eu-west-2.

AWS region

A geographic location where Amazon has built a cluster of data centres.

AWS has dozens of regions around the world. Which region your data sits in determines which country's laws apply, how fast the service feels for users near it, and which AI tools are available (not every tool is in every region).

The Sovereign AI use cases on this site all run in eu-west-2, which is the London region. Same country as the customer, same data protection laws, no transfer to the US.

See also: eu-west-2, AWS.

Caddy

A small piece of software that sits in front of an application and handles the certificates that turn the site from http to https.

Caddy is open source and free. It also automatically renews the certificate every couple of months, which used to be a fiddly manual job.

In the starter version of the Sovereign AI build, Caddy is the bit that lets the assistant be reached at a real https web address rather than an ugly raw IP.

See also: Application Load Balancer.

Chunking

Cutting a long document into smaller pieces so the AI can read the relevant pieces of it without trying to swallow the whole thing at once.

AI tools have a limit on how much text they can hold in their head at once. A forty page contract is too long; a paragraph or two from that contract is fine.

Chunking is the process of breaking the document up so the AI can find the right paragraph for the question being asked.

A side effect: chunks are independent, so a clause that depends on something defined fifty pages earlier can be tricky. Worth knowing as a known limitation rather than a surprise.

See also: workspace, citation.

Citation

The reference back to the source document on every answer the assistant gives.

If the assistant says "you can take up to two weeks of paid leave", a proper citation tells you exactly which document and which section that comes from, so you (or a tribunal, or an auditor) can verify it.

Public AI tools don't do this reliably; they often invent references. A grounded Sovereign AI assistant cites every answer back to a specific section of a specific document the workspace was loaded with.

See also: workspace, system prompt.

Cognito

The AWS service that handles signing in.

If you've used a website that lets you sign in with your work Google or Microsoft account, that's the kind of thing Cognito does.

In a Sovereign AI build, Cognito connects the assistant to whatever single sign on the organisation already uses, so staff don't need a new password and the organisation gets its usual joiners and leavers process applied automatically.

See also: single sign on, identity provider.

Cyber Essentials Plus

A UK government backed cybersecurity standard. The "Plus" version means an external assessor has tested the controls.

Often listed as a mandatory requirement on UK public sector tenders, particularly anything touching council or NHS data. Most consultancies hold it.

It's a specific scheme name; not the same thing as ISO 27001.

See also: ISO 27001, ITT.

Data (Use and Access) Act 2025

The 2025 UK Act that updates how UK data protection works after Brexit.

Often shortened to DUAA. It changes some details around lawful basis for processing, recognised legitimate interests, scientific research, and AI specific provisions.

It does not replace UK GDPR; it sits on top of it.

For most small businesses the day to day rules are the same; for AI builds the new provisions are the most relevant bit.

You may see it abbreviated: DUAA.

See also: UK GDPR, Data Protection Act 2018, ICO.

Data Protection Act 2018

The UK law that, alongside UK GDPR, sets the rules for handling personal data.

UK GDPR is the headline rules; the 2018 Act fills in the UK specific details (special exemptions, the role of the ICO, criminal offences, law enforcement processing).

When you hear "the DPA", this is what people mean.

See also: UK GDPR, ICO.

Docker

A way of packaging up software so it runs the same on every computer.

If you've ever installed something and watched it fail because your Mac is on a different version of something else, Docker exists to make that not happen.

The application gets bundled with all of its dependencies into a single thing called a "container", and that container runs identically on a developer's laptop, a test server, or a production server in AWS.

In the Sovereign AI build, the assistant runs as a Docker container. That's how the same set up is portable between the starter version and the production version, and between AWS and a different cloud if you ever wanted to move it.

See also: ECS Fargate, EC2.

DPIA

Data Protection Impact Assessment. A short written document that says "here's what we're doing with personal data, here are the risks, here's how we mitigate them".

Required under UK GDPR when a processing activity is high risk: large scale data, special category data, automated decision making, AI in some contexts.

For most office activities it isn't needed; for an AI build that processes employee or customer data, it usually is.

See also: UK GDPR, ICO, lawful basis.

DPO

Data Protection Officer. The person inside an organisation responsible for data protection compliance.

Required by UK GDPR for some kinds of organisations: public authorities, organisations doing large scale monitoring, and those processing large amounts of special category data.

Most small businesses don't need a formal DPO. They can have a "data protection lead" instead: somebody senior who looks after data protection as part of their job rather than as their whole job.

See also: UK GDPR, ICO.

DSAR

Data Subject Access Request. An individual's right to ask what personal data you hold about them and to get a copy.

A protected right under UK GDPR. Anybody (an employee, a customer, a former customer, a job applicant) can submit one, and you have a month to respond.

DSARs are the way an applicant comes back later to ask "what happened to my CV when I applied for that paralegal role". That's one of the reasons the use case pages on this site are careful about not pasting CVs into ChatGPT.

You'll also see: subject access request, SAR.

See also: UK GDPR, ICO.

EC2

Elastic Compute Cloud. The AWS name for "rent a computer by the hour".

When you launch a server in AWS to run an application, that server is an EC2 instance.

In the starter version of the Sovereign AI build, the whole assistant runs on one EC2 instance, which keeps it simple and cheap.

In the production version, you don't deal with EC2 directly any more; ECS Fargate runs the container for you.

See also: ECS Fargate, Docker.

ECS Fargate

An AWS service that runs Docker containers without you having to manage the server underneath.

EC2 is "rent a computer". Fargate is "I just want to run my container, you sort the computer out for me".

For a production Sovereign AI build, Fargate is the right call: AWS handles patching, security, scaling, and replacing servers if one fails. You only pay for the time your container is actually running.

See also: EC2, Docker, Application Load Balancer.

EFS

Elastic File System. AWS's shared file storage that multiple servers can read from and write to at once.

Important when you've got more than one server (a production Sovereign AI build runs the container on more than one server for reliability). Without shared storage, each server has its own copy of the data and they fall out of sync.

EFS is the shared place every server reads from and writes to. The smaller starter deploy doesn't need it because there's only one server.

See also: ECS Fargate.

Equality Act 2010

The UK law that prohibits discrimination based on a list of "protected characteristics".

The protected characteristics are: age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex, and sexual orientation.

The CV shortlisting use case refuses to evaluate candidates on any of these, both because doing so would breach the Act and because it's the right thing to do regardless of the law.

See also: special category personal data.

eu-west-2

The AWS region in London. The Sovereign AI use cases on this site run here.

There's also eu-west-1 (Dublin, Ireland) and eu-central-1 (Frankfurt, Germany), both of which are inside the EU and a reasonable choice.

eu-west-2 is in the UK so the data physically stays in the UK, which is the simpler answer for any client whose data protection notice promises that.

See also: AWS region, AWS.

Generative AI

The kind of AI that produces new content (text, an image, a summary, a piece of code) rather than just classifying or sorting things.

The headline category that ChatGPT, Claude, Gemini, and Mixtral all sit in. When this site says "AI" it almost always means generative AI.

Older types of AI (the kind that recognises faces in photos, predicts which customer will churn, recommends a film) are different and aren't what these use case pages are about.

See also: AI.

Grounding

Tying the assistant's answers to your own source documents, so it answers from what's actually in them rather than from memory or guesswork.

A plain question to a public AI tool is answered from whatever it absorbed during training. It has no sight of your handbook, your contracts, or your casework, so it fills the gaps and can state things that simply aren't true.

A grounded answer works the other way round. The assistant first pulls the relevant passages from the documents you loaded, then answers from those, with a citation back to the exact section. If the documents don't cover the question, a grounded assistant says so rather than inventing an answer.

It's what RAG exists to do, and it's the difference between an assistant you can rely on for work and one you have to double check every time.

See also: RAG, citation, workspace.

IAM role

Identity and Access Management role. AWS's way of saying "this server is allowed to do this specific thing".

If your assistant needs to talk to AWS Bedrock, the server it runs on needs an IAM role that says "this server is allowed to call Bedrock to ask for AI answers, and nothing else".

The principle is "give every part of the system the smallest possible amount of permission", so that if any one part is compromised, the damage is limited to what that part could do.

See also: AWS Bedrock.

ICO

Information Commissioner's Office. The UK regulator for data protection.

Based in Wilmslow, Cheshire. Publishes a lot of guidance for businesses (much of which is what the ICO Q&A use case on this site is built around).

Has the power to investigate, enforce, and fine for breaches of UK GDPR and PECR.

They also run a helpline for small businesses, which is genuinely useful and less intimidating than people expect.

See also: UK GDPR, PECR, DPO.

Identity provider

The system that holds your work account: typically Microsoft Entra (formerly Azure AD), Google Workspace, or Okta.

When you sign in to a work app with single sign on, the identity provider is the thing checking your password and your second factor.

In a Sovereign AI build, the assistant connects to whichever identity provider the organisation already uses, via Cognito.

See also: single sign on, Cognito.

ISO 27001

An international information security standard. A certificate showing the organisation has documented and audited controls around how it handles data.

Often required by enterprise and public sector customers. Mid sized consultancies usually hold it; very small organisations often don't because it costs five figures a year.

Different from Cyber Essentials Plus, though some clients accept either.

See also: Cyber Essentials Plus, ITT.

ITT

Invitation to Tender. The formal document a public sector buyer publishes when they want to buy something significant.

Sometimes called an RFP (Request for Proposal) in the private sector.

The tender qualification use case on this site is exactly the kind of document this term refers to: a long PDF with mandatory requirements, desirable requirements, evaluation criteria, and a deadline.

Your organisation reads it, decides whether to bid, then writes a response.

See also: ISO 27001, Cyber Essentials Plus.

Lawful basis

The reason you're legally allowed to use somebody's personal data.

UK GDPR requires you to have one before you do anything with personal data. There are six possible reasons: consent, contract, legal obligation, vital interests, public task, and legitimate interests.

Consent and legitimate interests are the two most often relied on by small businesses. Whichever one you use, you have to be able to point to it if asked.

See also: UK GDPR, ICO.

Llama 3 70B

An AI tool from Meta (the company behind Facebook). The documented alternative to Mixtral in the Sovereign AI use cases on this site.

Like Mixtral, Llama is open weights, which means the workings of the AI are published rather than locked inside a US vendor's data centre. That makes it eligible to run inside your own AWS account in London.

The "70B" describes how big it is. It's bigger than Mixtral, slower per question, often a touch better on complex reasoning.

If a client wanted a single AI brand on the build, Llama would be the choice for "we want a Meta tool". For most office work, Mixtral is faster and good enough.

See also: Meta, open weights, Mixtral 8x7B Instruct, AWS Bedrock.

Meta

The US company that owns Facebook, Instagram, and WhatsApp, and that publishes the Llama AI tools.

Meta is American so the company itself is not "UK sovereign".

The Llama AI tools, though, are open weights. Meta publishes them, and once published, they can be run by anyone, anywhere, including inside your own AWS account in London.

Running Llama through Bedrock means your conversations don't go anywhere near Meta's servers.

See also: Llama 3 70B, open weights.

Mistral AI

A French AI company based in Paris. They publish the Mixtral AI tool used as the default in the Sovereign AI use cases on this site.

Founded by alumni of Google DeepMind and Meta, with significant backing from Microsoft and from the French state.

From a UK and EU perspective, having a French published, open weights AI tool to use as the engine matters: it isn't an American tool, and it isn't locked in a US vendor's account.

See also: Mixtral 8x7B Instruct, open weights.

Mixtral 8x7B Instruct

An AI tool from Mistral, a French AI company. The default tool I use in the Sovereign AI use cases on this site.

Mixtral is open weights, which means the workings of the AI are published rather than locked inside a vendor's data centre. That matters for a Sovereign AI build because it lets a tool like Mixtral be run inside your own AWS account in London, instead of being called over the internet to a US provider.

It's a capable, general purpose AI suitable for the kinds of work the use case pages show: answering questions from your documents, comparing one document to another, ranking, and summarising. For specialist legal or scientific work, it's worth testing alongside Llama 3 70B.

See also: Mistral AI, open weights, Llama 3 70B, AWS Bedrock.

Open Government Licence v3.0

The licence under which most UK public sector content (including ICO guidance) is published, allowing it to be reused.

Free to use, free to share, and free to adapt (including in commercial products), provided you credit the source.

The ICO Q&A use case on this site is built on ICO guidance documents made available under this licence, which is what makes the use legitimate without paying or asking permission.

Often abbreviated: OGL.

See also: ICO.

Open weights model

An AI tool whose internal workings are published, rather than locked inside a vendor's data centre.

The opposite of "closed weights", which describes ChatGPT, Claude, and Gemini: those are run only by their makers, behind APIs you can't see inside.

With an open weights AI tool like Mixtral or Llama, the workings have been published, so anyone who wants to can run a copy inside their own systems.

That's the technical basis for being able to run an AI inside your own AWS account in London rather than sending every question to a US vendor.

(Sometimes called "open source" in this context, though the two are slightly different. Open weights specifically means the published thing is the AI itself; open source typically also implies the code around it is open.)

See also: Mixtral 8x7B Instruct, Llama 3 70B, AWS Bedrock.

PECR

Privacy and Electronic Communications Regulations 2003. The UK rules on email marketing, cookies, and direct marketing.

Often confused with UK GDPR. The two work together: UK GDPR is the headline data protection rules, PECR is the specific rules for marketing communications and tracking.

It's what stops you emailing a list of contacts you bought at a trade show; UK GDPR alone wouldn't quite get you there.

See also: UK GDPR, ICO.

Private AI assistant

The user facing chat interface in a Sovereign AI build. Looks and feels like ChatGPT, runs entirely inside your own systems.

It's the bit you actually see and click on: the chat box, the workspace switcher, the document upload, the conversation history.

The intelligence behind it is provided by an AI tool like Mixtral, hosted on AWS Bedrock.

The assistant is the friendly front door that makes it usable for staff who aren't technical.

See also: workspace, AWS Bedrock, Sovereign AI.

Public AI tools

Phrase I use on this site to mean ChatGPT, Claude, Gemini, Copilot: anything where you're sending questions to a vendor's website over the open internet.

Useful for many things; not appropriate for your organisation's confidential data.

The "why this should not be done in public AI tools" sections on the use case pages explain the specific reasons: data leaves the organisation's tenancy, sits in vendor logs, may be used to train future AI tools, and can't be audited.

See also: US frontier provider, Sovereign AI.

RAG

When the AI looks things up in your own documents before answering, instead of relying only on what it learned during training.

A plain question to ChatGPT only has what the AI was trained on, which doesn't include your contracts, your handbook, or your casework. RAG fixes that.

When a question comes in, the build first finds the most relevant chunks of your own documents, then sends those chunks along with the question to the AI. The answer comes back grounded in your sources, with citations back to specific paragraphs.

It's the pattern under most of the Sovereign AI use cases on this site. Without RAG, the assistant guesses based on its training data and can confidently invent things that aren't true.

With RAG, the assistant has to back up what it says from documents you control.

Also called: retrieval augmented generation.

See also: chunking, citation.

Route 53

The AWS service that turns domain names like sovereign-ai-demo.peterbrady.co.uk into the addresses computers use to find each other.

Every website on the internet needs a DNS service to translate human friendly names into machine addresses. Route 53 is AWS's version.

In the Sovereign AI build, Route 53 is what makes the assistant reachable at a real domain name rather than a numeric IP address.

See also: Application Load Balancer.

Single sign on

The arrangement where you sign in once with your work account and that signs you into everything else.

Sometimes shortened to SSO. The opposite of having a separate username and password for every system.

In a Sovereign AI build, single sign on means staff don't need a new account; they use whatever they already use for email and the rest of their work tools, and access ends automatically when they leave the organisation.

See also: Cognito, identity provider.

Sovereign AI

An AI tool that runs inside your own systems, on AI tools you can see inside, in a country whose laws you understand.

The phrase I use across this site to describe the kind of build I do. It has three parts. Inside your own systems: the conversations, the documents, and the answers stay in your own AWS account. AI tools you can see inside: I use open weights AI like Mixtral or Llama, not closed black boxes. A country whose laws you understand: everything runs in eu-west-2 (London) by default, so UK GDPR applies and there's no transfer to the US.

The opposite of public AI: ChatGPT or Claude or Gemini, where your data goes to a US company's servers, the AI itself is closed, and the rules are American.

See also: open weights, AWS Bedrock, eu-west-2, public AI tools.

Special category personal data

The kinds of personal data that get extra protection under UK GDPR.

The list: race or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life, and sexual orientation.

CVs sometimes contain bits of this (a stated disability, a religious affiliation in a referee, a trade union role). Recruitment monitoring forms typically do.

The CV shortlisting use case treats this carefully: it never evaluates candidates on protected characteristics, and the workspace is archived when the role closes.

See also: UK GDPR, Equality Act 2010, DPIA.

System prompt

The set of instructions the assistant always follows, no matter what question it's asked.

The bit of the build that does most of the careful work.

A good system prompt does three jobs: defines the format of the answer (a table, a list, a short paragraph), enforces citation back to the source documents, and refuses cleanly when the question is out of scope or would require something the assistant shouldn't be doing (giving legal advice, evaluating people on protected characteristics, drafting bid responses).

The system prompt is invisible to the staff using the assistant. It's the difference between a tool that hallucinates confidently and one that knows what it doesn't know.

See also: workspace, citation.

Tenancy

Your own walled off space inside a cloud provider, where your data and systems sit apart from everyone else's.

Cloud providers like AWS run shared infrastructure, but each customer gets their own account that's sealed off from the rest. Your tenancy is that space: the part of the cloud that belongs to you, that only your people and systems can reach.

When the use case pages say personal data "never leaves your tenancy", this is the point. In a Sovereign AI build the documents, the conversations, and the answers all stay inside your own account in eu-west-2. Nothing is sent out to a US AI company.

With a public AI tool the opposite is true: the moment someone pastes a document in, it leaves your tenancy and lands in the vendor's.

See also: AWS, Sovereign AI, public AI tools.

Terraform

Software for describing AWS (or another cloud) in code, then making the cloud match.

Made by HashiCorp, a US company. Free to use.

The idea: instead of clicking around the AWS console to create resources by hand, you write a few small text files describing what you want, and Terraform creates and updates the resources to match.

It also remembers what it created, so it can tear the whole thing down cleanly when you're done.

For a Sovereign AI build, Terraform is what makes the same configuration deployable into a client's AWS account instead of mine. The text files describe the build; the client runs them; the build appears in their account, identical to the starter version.

(There's a fork called OpenTofu maintained by the open source community after HashiCorp changed Terraform's licence in 2023. They're functionally compatible.)

See also: AWS, EC2, ECS Fargate.

UK GDPR

The UK version of the General Data Protection Regulation. The headline rules for handling personal data in the UK.

Originally an EU law (the GDPR), kept in UK law after Brexit, then amended over time.

Together with the Data Protection Act 2018 and the Data (Use and Access) Act 2025, this is what sets the rules for any UK business handling personal information (employees, customers, prospects, applicants).

The penalties are large: up to £17.5m or 4% of global annual turnover, whichever is higher. Enforcement is done by the ICO.

See also: Data Protection Act 2018, Data (Use and Access) Act 2025, ICO, lawful basis.

US frontier provider

Phrase I use across this site to mean a US company at the leading edge of AI: OpenAI, Anthropic, Google, Microsoft.

Their AI is impressive. The point of being specific about "US frontier provider" is to flag the country and the corporate type, not to dismiss the technology.

The reason to keep your organisation's documents away from a US frontier provider isn't that the AI is bad; it's that the data goes to America under American rules.

The Mistral and Meta AI tools I use on the Sovereign AI builds are themselves frontier capable, just published openly so they can be run inside your own systems.

See also: public AI tools, Sovereign AI.

Workspace

The place where one set of documents and one running chat live together inside the assistant.

A useful organising idea. A workspace contains the documents (the staff handbook, or the open role's CVs, or the supplier contract and the procurement playbook), the system prompt that shapes how the assistant behaves, and the chat history.

Each use case on this site is a separate workspace; opening a new workspace gives you a clean slate.

See also: private AI assistant, system prompt.


Get in touch

Tell me who you are and what your organisation does. If any of this sounds like your situation, that's a good place to start. I'll let you know honestly whether I can help. Even a 30 to 45 minute call often leaves people with a clearer picture of the path forward, whether or not we end up working together.

For context: I work best with programme managers, partners, operations directors, and IT leads in UK law firms, financial services, manufacturing, charities, and non profits. Respectfully, I don't work with recruitment or development agencies.

Email: peter@peterbrady.co.uk

Sovereign AI Architect, Peter Brady

PNB Technologies Limited
55 Yew Tree Road, Ormskirk
Lancashire, L39 1NT, United Kingdom

Company Reg: 07166600
VAT Reg: GB986726850

© 2026 Peter Brady. All rights reserved.
