The practice management system where compliance happens by itself
Every matter you open, every payment you take in, every AI draft you accept — Cognik generates the SRA, MLR and UK GDPR evidence as a side-effect. You run your matter; the audit trail writes itself.
SRA, MLR and UK GDPR don’t leave you alone.
The same SRA Code of Conduct, MLR 2017 obligations, UK GDPR clocks and Accounts Rules apply to every regulated firm. The regulator has been clear: compliance is no longer a point-in-time exercise. It’s a continuous duty.
A further 54% were only partially compliant. (Source: SRA Anti-Money Laundering Annual Report 2024–25.)
A breach detected on a Friday evening means the ICO notification is due by Monday afternoon, with documented reasons if you miss it. Hand-tracking that in a spreadsheet is how deadlines get missed.
Sanctions lists change. Beneficial owners change. Sources of funds shift. The regulator’s expectation is that you’re seeing those changes as they happen — not catching up at year-end.
Cognik’s answer: compliance shouldn’t be a separate task. It should be the quiet output of running a well-organised matter. Every action your firm takes generates the evidence you’d need at SRA inspection — automatically.
Compliance built in, not bolted on
Eight capabilities that go beyond the SRA baseline — designed for the realities of running an SRA-regulated firm, not retro-fitted from a generic CRM.
Live Compliance Health Score
A single 0–100 score that summarises your firm’s posture across CDD, retention, supervision, conflicts, AML, complaints, continuing competence, AI governance and more. Recomputed nightly — partners see weak spots before the SRA does.
SRA Code of Conduct + Code for Firms
Continuing Competence Evidence Engine
A reflective-practice diary with AI-prompted competency triggers and a signed annual statement, captured as evidence at the moment the learning happens — not reconstructed at renewal.
SRA Continuing Competence
Real-time AML Risk Recalibration
Six detectors re-score every active client every night: sanctions hits, jurisdiction changes, beneficial-owner shifts, funds-vs-declared mismatches, structured transactions and dormancy. Continuous monitoring instead of an annual review point.
MLR 2017 reg 28(11) + POCA 2002 s.330
Proactive Complaint Detection
NLP on inbound client messages auto-flags sentiment shifts that look like complaints in the making, so COLP review starts before the eight-week clock runs out.
SRA CCS 8.2–8.4
Continuous Supervision Evidencing
Per-matter supervisor sign-off, 1:1 records and error logs captured continuously as fee-earners work — not reconstructed in a panic the week before audit.
SRA Code 3.5 / 3.6
AI-Use Governance Audit Trail
Every AI output your firm uses is logged with prompt hash, model, output type and outcome — attributable to the person who used it and reviewable by your COLP without trusting the AI vendor’s own logs.
SRA AI Guidance + ICO AI accountability
Verifiable Compliance Records
Critical compliance events are cryptographically anchored to four independent public infrastructures so any regulator, auditor or counterparty can verify a record — with zero trust in Cognik. See the deep-dive below.
SRA Accounts Rules + MLR 2017 reg 40 + UK GDPR Art 5(2)
Wellbeing Operational Signals
Opt-in · off by default
Optional. Surfaces burnout risk from working-pattern signals plus an anonymous monthly pulse. Off by default. Firms must complete a DPIA, an internal privacy notice and staff consultation before enabling.
SRA Code 1.5 + HSE management standards
One matter, start to finish — compliance falls out of the work.
You don’t open a separate “compliance app.” You do the matter. The evidence the SRA, MLR and UK GDPR want already exists by the time you close the file.
New client walks in.
You open a client in the 4-tab wizard. Identity capture, source-of-funds, and AML risk rating happen inline — not on a separate form weeks later. Sanctions and PEP screening fire as you save. CDD attestation is its own permissioned step, so “verified” means a person actually verified.
MLR 2017 reg 28 + sanctions + PEP
You open a matter.
Conflict check runs across every client, party and counterparty — semantic search catches aliases and corporate groups, not just exact name matches. Engagement letter is generated; supervisor is assigned. The matter starts with a clean conflict declaration on file.
SRA CCS 6.1 / 6.2 + 3.5
You work the file.
Time entries, notes, documents, client messages — each one is captured against the matter and audit-logged. AI used to summarise a bundle or draft a letter? The prompt hash, model and outcome are written to the AI governance log automatically. The supervisor signs off at the right stages.
SRA Code 3.5 + AI Guidance
You close the file.
Three-way reconciliation, complaints register, retention clock and continuing-competence reflection are already up to date because they were built up as you worked. The compliance health score reflects today’s reality. The day the SRA asks, you click Export.
SRA Accounts Rules + CCS 8 + Continuing Competence
Built for the way modern UK firms actually work.
Four commitments that shape every product decision we make.
Every action your firm takes — open a matter, raise an invoice, send a client email — generates the audit trail you’d need at SRA inspection. No separate compliance task at month-end.
Your data is hosted in the UK, on UK infrastructure, under UK law. No US data transfers, no foreign-discovery exposure. With bring-your-own SharePoint, the document bytes never leave your tenant at all.
Critical compliance events are anchored to four public infrastructures. The SRA, your insurer, opposing counsel — anyone — can verify a record is untouched and dated correctly, with zero trust in Cognik.
Engaged with the SRA Innovate programme. Our compliance-score methodology is published openly so firms (and the SRA) can scrutinise it. We’d rather build with the regulator than work around them.
UK-hosted. Tenant-isolated. Audit-ready by default.
Six specific, verifiable controls — not generic badges. Each claim below maps to an implementation file you can read.
Tenant isolation by query
Every query against a firm-scoped model is auto-scoped via a Prisma Client extension. A compromised admin account or SQL-injection bug cannot read another firm’s data — the wrapper rejects cross-tenant reads at the ORM layer.
src/lib/database/secure-client.ts
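As an added illustration of the query-scoping idea (not Cognik's secure-client.ts, whose internals are not on this page), the scoping rule written as a pure function over Prisma-style arguments, plus the client-extension wiring that applies it; the model names and the `firmId` column are assumptions:

```javascript
// Added example, not Cognik's secure-client.ts: firm scoping of Prisma-style query
// args as a pure function, plus the client-extension wiring that applies it to
// every model operation. Model and field names below are assumed.
const FIRM_SCOPED_MODELS = new Set(['Client', 'Matter', 'Document']);
// Filter lives in args.where for these ops (findUnique/update/delete accept
// non-unique fields beside the unique key from Prisma 5 onwards).
const WHERE_OPS = new Set(['findMany', 'findFirst', 'findUnique', 'count',
  'update', 'updateMany', 'delete', 'deleteMany']);
const DATA_OPS = new Set(['create']);
class CrossTenantError extends Error {}
// Force args onto the caller's firmId. A filter or payload naming a different
// firm is rejected, not silently overwritten, so the attempt shows up in logs.
function scopeArgs(model, operation, args, firmId) {
  if (!FIRM_SCOPED_MODELS.has(model)) return args;
  const scoped = { ...(args ?? {}) };
  if (WHERE_OPS.has(operation)) {
    const where = { ...(scoped.where ?? {}) };
    if ('firmId' in where && where.firmId !== firmId) {
      throw new CrossTenantError(`${model}.${operation}: cross-tenant filter rejected`);
    }
    scoped.where = { ...where, firmId }; // top-level where keys are ANDed by Prisma
  } else if (DATA_OPS.has(operation)) {
    const data = { ...(scoped.data ?? {}) };
    if ('firmId' in data && data.firmId !== firmId) {
      throw new CrossTenantError(`${model}.${operation}: cross-tenant write rejected`);
    }
    scoped.data = { ...data, firmId };
  } else {
    // upsert, createMany, aggregate, ...: fail closed until explicitly handled.
    throw new CrossTenantError(`${model}.${operation}: not permitted via scoped client`);
  }
  return scoped;
}
// Prisma client extension (Prisma >= 4.16): every operation on every model
// passes through scopeArgs before it reaches the database. Raw-SQL entry
// points ($queryRaw, $executeRaw) are not model operations; keep them off the
// per-firm client or block them in the same extension.
function firmScopedClient(prisma, firmId) {
  return prisma.$extends({
    query: {
      $allModels: {
        $allOperations({ model, operation, args, query }) {
          return query(scopeArgs(model, operation, args, firmId));
        },
      },
    },
  });
}
```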
HKDF + AES-256-GCM storage encryption
OAuth refresh tokens, SharePoint credentials and API keys are encrypted per-firm via HKDF-SHA256 key derivation and AES-256-GCM. Plaintext never lands in the database; rekeying is a rewrap operation.
src/lib/storage/token-crypto.ts
SSO-only sign-in + MFA-gated platform admins
Firm staff sign in via Microsoft Entra ID (or Google Workspace); platform admins additionally require MFA, gated by an SSO `amr` claim. Credentials login is disabled by default, settable per-firm under SaaS-admin override.
src/lib/auth.ts
Quad-witness evidence anchoring
Compliance records can be anchored to Bitcoin (OpenTimestamps), Ethereum L2 Base, Sigstore Rekor, and a Cognik EdDSA witness. Any auditor can verify a record’s authenticity and date without trusting us.
src/lib/evidence/witnesses/*
End-to-end audit trail
Every client onboarding, matter action, AI call, payment and compliance event writes to SystemLog, AiCall, or a dedicated *Event table — with timestamps, user attribution, and (for anchored events) immutable record hashes.
AiCall · SystemLog · MlroReview · *Event
UK South data residency
All client data resides in Azure UK South — private Postgres endpoint (no public network access), Container Apps in a VNet-integrated environment, encrypted backups. No transatlantic data transfers; SRA Accounts Rules data residency is met by infrastructure, not policy.
terraform/ · Cognik-LAW-UK-Test
Tamper-evident records any regulator can verify — without trusting us.
Cognik’s critical compliance events are rooted in public infrastructure outside our control. A regulator, auditor or opposing counsel can verify a record exists, and existed on a given date, using public tools. They don’t need a Cognik account — or to take our word for anything.
Bitcoin (OpenTimestamps): the world’s oldest, most secure proof-of-work chain. Daily Merkle root anchored via Linux Foundation calendar servers.
Sigstore Rekor: the append-only Merkle log securing Kubernetes, npm and PyPI supply chains. Open-source, independently audited.
Cognik EdDSA witness: Cognik’s own EdDSA signature of the daily Merkle root, verifiable with our published public key. We bear witness to ourselves.
Ethereum L2 Base: smart-contract-ready EVM chain rooted in Ethereum security. Each daily root committed as an on-chain transaction.
What this means in practice
- Every AI-assisted document, CDD attestation, reconciliation sign-off and supervision evidence pack is anchored within 24 hours.
- Anyone — the SRA, ICO, your insurer, opposing counsel — can verify a record was anchored on a given date using public tools. No Cognik account required.
- Tamper-evident by design — altering a record after anchoring is mathematically detectable.
- Four independent witnesses mean that losing any one of them — or even three — does not break the proof.
Paste any Cognik content hash and see its anchoring proofs across all four witnesses.
Don’t take our word for it.
Our positions are public, our methodology is open, and our records are independently verifiable. Four ways to check us before you trust us.
Public research & transparency
Our compliance research, regulator submissions and engineering rationale are published openly on /research. Anonymised platform-wide metrics with k≥10 anonymity so no individual firm is identifiable.
Read /research →
SRA Innovate engagement
We engage with the SRA Innovate programme on AI-assisted legal work and continuous AML monitoring — building with the regulator, not around them.
Read more →
Open compliance-score methodology
How the Cognik Compliance Health Score is computed — which regulations, which weightings, which evidence — is documented in the open. Audit it. Disagree. Suggest changes.
View methodology →
Verifiable compliance records
Every critical compliance event is anchored to four independent public infrastructures. Paste any record hash into our verifier and check it — no Cognik login required.
Try the verifier →
See Cognik run a real matter end-to-end.
Book a 30-minute walkthrough. We’ll run your firm’s most common matter type through Cognik and show you the compliance trail it leaves behind.