Watch Taking a Sledgehammer to Bottlenecks 🎥 as Ruth & Steph show how AI actually fixes margins.

AI Security

How GoSmarter uses AI and keeps your data safe

GoSmarter uses AI to classify and extract data from mill certificates. Here’s exactly what happens, where your data goes, and what protections are in place.

What AI does in GoSmarter

StepWhat happensWhere
ClassificationIdentifies the document type and supplier from the first pageUK South
ExtractionReads each page and extracts structured data (heat numbers, chemical composition, mechanical properties)Sweden Central (EU)
OptimisationCalculates cutting patterns to minimise wasteUK South

Mill certificates are used to train our models but never Microsoft’s

We operate a continuously learning system where the AI models are regularly retrained on new data to improve accuracy. When you provide suppliers we haven’t seen before or make edits to the extracted data, this feedback is used to enhance our models. The certificates are only used to help us identify a supplier and work out how to extract information from that supplier’s certificates. There is no way your certificates or the data associated with themcan be shown to other customers.

Microsoft’s AI data processing commitments

Microsoft’s AI services operate under their data, privacy, and security commitments for Azure AI:

  • Your data is not used to train, retrain, or improve Microsoft AI models
  • Your data is not available to other customers
  • Processing is covered by Microsoft’s standard Data Processing Agreement

How we process a certificate

Every uploaded document is first scanned for malware by Microsoft Defender for Storage before any steps are taken to prevent malicious content from being processed.

The certificate is then processed with our custom computer vision model service, identifying the document type and supplier and returning a confidence score. GoSmarter deletes any temporary files generated during this process immediately after processing. No files leaves the UK during classification.

Once a supplier has been identified, the document is sent to a custom computer vision model designed specifically to process that supplier’s certificates. This model extracts structured data such as chemical composition, mechanical properties, and certificate numbers. This processing happens in Sweden Central (EU) because Azure Content Understanding is not yet available in UK South. However, the service is stateless and encrypted in transit, and no customer data is persisted in Sweden after processing. No files remain outside the UK after extraction.

Why Sweden? Azure Content Understanding is not yet available in UK South. Sweden Central is within the EU, covered by the UK GDPR adequacy framework. The service is stateless; no customer data is persisted in Sweden.

The extracted data is then stored in our database in UK South, and the original certificate file is kept in UK South.

Cutting optimisation: no AI involved

The cutting optimisation service is a pure algorithmic solver using heuristic and genetic algorithm techniques. It:

  • Runs entirely within your deployment in UK South
  • Makes no external AI or API calls
  • Reads order and inventory data from the database
  • Calculates optimal cutting patterns to minimise waste
  • Writes results back to the database

How AI services authenticate

All AI services use managed identity as the primary authentication method. This means:

  • No API keys stored in application code or configuration files
  • Credentials are managed by the Azure platform
  • Each service has its own identity with minimum required permissions
  • Access is granted through Azure role-based access control (RBAC)

Isolation and scaling

Each AI processing job runs as an isolated processing service that:

  • Starts when a document arrives, stops when processing is complete
  • Scales to zero when not in use, so no resources are consumed and no data is stored when there are no documents to process
  • Has no shared state between processing runs
  • Cannot access other customers’ data (tenant isolation enforced at the API layer)

Key points for your security team

  • Model training with your data: We use your data to continuously improve our models, but this data is never shared with Microsoft or other customers. It is only used to enhance our ability to classify and extract data from mill certificates.
  • UK processing for classification: Document Intelligence runs in UK South
  • EU processing for extraction: Content Understanding runs in Sweden Central (stateless, encrypted in transit)
  • No AI in optimisation: Cutting solver is pure algorithm with no external calls
  • Managed identity authentication: No static API keys in service configuration
  • Ephemeral processing: Containers scale to zero; temporary files deleted after each document
  • Malware gate: Every uploaded document is scanned by Defender for Storage before classification. Documents only proceed if the scan returns clean.

Request evidence

Need more detail about our AI data handling?

  • Details of AI processing activities and data flows
  • Microsoft’s AI data processing commitments
  • Our Data Processing Agreement (DPA)

Email us, contact us online, or book a compliance call.