# CyberSight Forensics — Pre-Launch Build Checklist (for the design & build team)

**Privileged & confidential** · BTC-CS2026-OW-LG-IN-0001-PreLaunchBuildChecklist_A1-C01.md · **A1-C01 — PUBLISHED** 12 June 2026 · SEC3 SENSITIVE
Companion to **ON-0001 (opinion, A1-C02)**. This is the build-phase instruction set: it tells you what to build now and what must be true before the site goes public. Verbatim policy/claim copy is supplied separately in **WD-0001** (to follow); the form-backend requirements are in **SP-0001** (to follow). Where this checklist and ON-0001 differ, ON-0001 governs.

## How to use this

- **Build everything to the compliant spec now.** Nothing here stops the build. The constraint is on **going public**, not on building.
- **Go-live is gated.** The site does **not** launch to the public until every **BLOCKER** in the Go-Live Gate (end of this document) is cleared and signed off by Themis. The Principal has directed: nothing goes live until compliance is in place.
- **Status flags** on each item: **[BUILD NOW]** do it during build · **[WORDING: WD-0001]** exact copy comes in the wording annex · **[FACT NEEDED]** waiting on a fact from the Principal (see ON-0001 Facts Schedule) · **[HOLD-LIVE]** must be true before public launch.
- **Grades** mirror the brief: **BLOCKER** / **REQUIRED** / **ADVISED**.

---

## 01 · Corporate identity (footer)

**1.1 Trading-disclosure footer — BLOCKER · [BUILD NOW] [HOLD-LIVE]**
Build the footer legal block to render on **every page** with: registered company name · "registered in England & Wales" · company number **15312330** · registered office address · the trading-name line.
**The name to publish depends on the rename:**
- **Until** the change of name is registered at Companies House → use **"Phishermans Ltd"**, with: *"CyberSight Forensics is a trading name of Phishermans Ltd."*
- **After** the certificate of incorporation on change of name issues → swap to **"Managed Cybersecurity Services Ltd"** and update the trading-name line.
- Company number **15312330 is unchanged** throughout. Build the name + registered office as a single config value so the swap is one change, not a rebuild.
**Do not publish the new name before the rename is registered** — that is a false trading disclosure. [FACT NEEDED: registered office address; rename status/date.] Exact string in WD-0001.

**1.2 VAT line — REQUIRED · [FACT NEEDED]**
If VAT-registered, render the VAT number in the footer. If not, omit. [FACT NEEDED: VAT number or "not registered".]

## 02 · Data protection

**2.1 ICO registration line — BLOCKER · [BUILD NOW]**
Footer ICO line = **ZC098139**, replacing the `[ZA000000]` placeholder (registration carries over the rename; same company number). Renewal 24 Feb 2027. [FACT NEEDED: confirm ZC098139 description covers website enquiries; update registered name on the ICO entry after the rename.]

**2.2 Privacy Policy page — BLOCKER · [WORDING: WD-0001] [HOLD-LIVE]**
Build the `/privacy` page and link it in the footer. **No enquiry data may be captured until this page is live.** Lawful basis = legitimate interests (Art 6(1)(f)), with contract (6(1)(b)) where the enquiry precedes a service engagement; retention = 12 months for non-engaged enquiries (confirm). Full text in WD-0001. Keep the "do not submit case-sensitive data" warning on the form — wording to be tightened in WD-0001.

**2.3 Form backend — REQUIRED · [BUILD NOW per SP-0001]**
Wire the form to a backend meeting: UK/EEA data residency (or approved IDTA/Addendum); Art 28 processor contract with the form/email vendor; encryption in transit and at rest if enquiries are retained; least-privilege access; retention aligned to 2.2. Requirements memo = SP-0001. [FACT NEEDED: form/email vendor + residency.]

**2.4 Cookies / PECR — REQUIRED · [BUILD NOW]**
**No consent banner required as built** — the two `localStorage` strings (theme, language) are user-requested preferences (PECR reg 6(4) exemption). Keep it that way for launch. Build the `/cookies` page documenting the two preferences (text in WD-0001). **If analytics or any non-essential storage is added later, a PECR consent banner must ship first** — flag to Themis before adding.

## 03 · Advertising claims

**3.1 Certification badges — BLOCKER · [BUILD NOW] [HOLD-LIVE]**
**Remove the ISO 9001, ISO 27001 and Cyber Essentials Plus badge artwork** from the footer strip. Do not display any certification mark the company does not currently hold — it is misleading (DMCCA 2024) and, for Cyber Essentials, a breach of IASME's licence. Replace with a **text-only** line, no logos: **"Working towards: ISO 27001 and Cyber Essentials Plus."** For any certification **actually held now**, you may show the official badge **and** make it click-through to the issuer's register. [FACT NEEDED: list of certifications actually held, with numbers + dates.]

**3.2 Service-level claims — BLOCKER · [BUILD NOW] [HOLD-LIVE]**
Apply per-claim (final wording in WD-0001):
- "4-hour emergency response" / "respond within 4 working hours" → keep the word **"target"/"aim"** and scope to **retainer clients** (see 3.3). Not an open SLA.
- "24–48h pilot intake turnaround" → keep as a **target**.
- "100% documented chain of custody" → reword to a process statement: **"a documented chain of custody for every exhibit we handle."**
- "24/7 rapid-response availability" → only if literally true; otherwise **"24/7 on-call incident line for retainer clients."**
[FACT NEEDED: the company must hold evidence for each target before launch — CAP 3.7.]

**3.3 Emergency-response scope — BLOCKER · [BUILD NOW] [HOLD-LIVE]**
Emergency triage is retainer-only. Qualify all **four** public-facing locations so that no member of the public reads them as offering a public 24/7 emergency service: the stats strip, Process step 01, the contact line, and FAQ answers 1 & 5. Indicative (final in WD-0001): contact line → **"For urgent incidents, retainer clients can reach our incident line at any hour."** FAQ 1 & 5 + Process step 01 → state that emergency triage is for clients on a retainer; everyone else uses the enquiry form.

**3.4 Forensic-standards claims (Compliance section) — BLOCKER · [BUILD NOW] [HOLD-LIVE]**
The FSR Act 2021 statutory Code applies to forensic work for criminal proceedings. Until accreditation is held:
- "to ISO 27001 and ISO 17025 standards" → **"working towards ISO 17025 accreditation"** (don't imply current accreditation).
- "CREST accreditation … / NCSC-recognised training in progress" → keep "in progress" only where literally true; "NCSC-recognised" must be accurate and must not imply NCSC endorsement of the company.
- "court-ready" / "prosecution-grade" / "expert witness testimony" → replace with the defensible process statement: **"We produce reports and maintain chain-of-custody designed to support use in legal proceedings; we are working towards formal ISO 17025 accreditation and align our work with the Forensic Science Regulator's Code of Practice."**
Build these as the **Tier-1** wording (see the claims ladder below). [FACT NEEDED: which FSR-listed activities; ISO 17025/CREST/NCSC status.]

### Claims ladder — build the claim components so they swap on milestone (do not re-clear each time)

| Tier | Goes live when (actually true) | Swap in |
|---|---|---|
| **1 — Launch** | Now | "Working towards…/aligned with FSR Code"; process statements; **no badges, no "court-ready", no expert-witness-as-capability** |
| **2 — Qualified staff in post** | Named person actually engaged | Individual-capability wording ("our forensic lead holds [qualification]"; "expert witness testimony through our [role]") |
| **3 — Org accredited** | Company holds ISO 17025 / CE Plus / CREST | Accreditation claims + official badges (click-through to register); "court-ready" becomes defensible |

Each tier change is a wording swap that **must be re-confirmed by Themis** before it renders (cheap if built as discrete copy blocks). Tier 2/3 copy will be supplied when the milestone is reached.

**3.5 Government affiliation — REQUIRED · [BUILD NOW]**
Keep the non-affiliation disclaimer; ensure it renders **site-wide** (footer on every page). No crowns/crests/"gov" styling (already clean). Final disclaimer wording confirmed in WD-0001. Ensure the "NCSC-recognised" claim (3.4) is accurate so it doesn't imply government endorsement.

## 04 · Statutory & policy pages

- **Privacy Policy** — BLOCKER · [WORDING: WD-0001] [HOLD-LIVE] — must exist + be linked before any capture (2.2).
- **Cookie Policy** — REQUIRED · [WORDING: WD-0001] — documents the two localStorage preferences (2.4).
- **Terms & Conditions** — REQUIRED · [WORDING: WD-0001] — website terms of use: liability, acceptable use, IP in site content, governing law England & Wales.
- **Accessibility Statement** — ADVISED · [WORDING: WD-0001] — WCAG 2.2 AA conformance statement, **dated to the supplied audit**, published only once the audit is confirmed. Send the WCAG audit so Themis can finalise the wording.
- **Modern Slavery Statement** — ADVISED · [FACT NEEDED: keep/remove] — not mandatory (turnover under £36M); we recommend keeping a short **voluntary** statement for procurement credibility, clearly labelled voluntary. Confirm keep or remove.

## 05 · IP & brand

- **Trade mark** — ADVISED · [FACT NEEDED] — recommend a UK IPO clearance search + filing on "CyberSight Forensics" (word) and the logo, classes 9/42/45, before significant marketing spend. Deferred scope unless you want it actioned. Does not gate launch.
- **Font licences** — ADVISED · **confirmed, no action** — Space Grotesk, Source Sans 3, IBM Plex Mono are SIL Open Font Licence: self-hosting + commercial use permitted.
- **"Website by Managed Services" credit** — ADVISED · [FACT NEEDED: keep/amend/remove] — fine to keep; after the rename the natural form is the new company name. Principal's call.

## 06 · Welsh language

**EN/CY picker — ADVISED · [BUILD NOW]** — the picker may ship without full Welsh content, **provided a Welsh selection does not 404** — show *"Cymraeg yn dod yn fuan / Welsh coming soon."* No direct obligation on a private supplier, but Welsh public-sector contracts can pass Welsh-language duties through. [FACT NEEDED: any Welsh public-sector contract requiring Welsh at launch — if yes, commission translation served at `/cy/` before relying on those contracts.]

---

## GO-LIVE GATE — all must be TRUE before public launch

**BLOCKERS (hard gate):**
1. ☐ Footer shows the **currently-registered** company name (Phishermans Ltd, or the new name only if the rename is registered) + number 15312330 + registered office + E&W (item 1.1).
2. ☐ ICO line shows ZC098139 (item 2.1).
3. ☐ Privacy Policy live and linked **before** any enquiry capture is enabled (2.2/04).
4. ☐ All uncertified certification badges removed; only held certs shown (with register link); "Working towards" text-only line in place (3.1).
5. ☐ Service-level claims revised per 3.2 **and** the company holds the substantiating evidence.
6. ☐ Emergency-response wording qualified in all four locations (3.3).
7. ☐ Forensic-standards claims at Tier-1 wording (3.4); no "court-ready"/badges/expert-witness-as-capability.
8. ☐ Themis EC-equivalent sign-off (this gate) recorded.

**REQUIRED (at/before launch):** ☐ VAT line resolved (1.2) · ☐ form backend meets SP-0001 (2.3) · ☐ Cookie Policy live (2.4) · ☐ Terms live (04) · ☐ gov-affiliation disclaimer site-wide (3.5).
**ADVISED:** ☐ accessibility statement (audit-dated) · ☐ Modern Slavery decision · ☐ Welsh "coming soon" state · ☐ trade-mark clearance · ☐ "Website by" credit confirmed.

**Sign-off before public launch**

| | Name / role | Date |
|---|---|---|
| Build complete to this checklist | [design/engineering] | |
| Legal go-live sign-off (Themis) | [Themis — on BLOCKER clearance] | |
| Principal authorisation to launch | [Sanju Varkey] | |

*Themis will re-review against the **live** build before sign-off (live-surface check), as the exact copy for items 3.2–3.4 is confirmed against the rendered pages. Return completed items to Themis quoting the numbers above.*

---

*Themis Legal · 12 June 2026 · IN-0001 · A1-C01 · SEC3 · Privileged & confidential. Build-phase instruction set; WD-0001 (wording) and SP-0001 (form memo) to follow.*
