Reference

Data model

The shape of the entities behind the Bedrock API. Sourced from packages/db/prisma/schema.prisma.

These tables describe the public-facing entities. Internal control-plane tables (webhook delivery logs, SLA monitor state, Bedrock staff admin records, etc.) are intentionally omitted — they are not part of the API contract and may change without notice.

Every type name in the tables below is a link: named enums go to the enums reference, and named entities link back to their own section on this page. Primitive types (String, Int, DateTime, Json, Boolean) are rendered as plain text.

Firm

A regulated entity. The unit of tenancy — every other record is scoped to a firm.

Field	Type	Note
`id`	`String`	uuid
`name`	`String`
`frnNumber`	`String`	FCA Firm Reference Number, unique
`plan`	`FirmPlan`
`webhookSecret`	`String`	HMAC secret for webhook signatures
`enforceImpactAssessments`	`Boolean`	When true (default), jobs declaring a modelProvider/modelVersion are gated on a matching APPROVED ImpactAssessment. Toggling emits FIRM_SETTINGS_UPDATED.
`createdAt`	`DateTime`
`updatedAt`	`DateTime`

User

A human with access to one firm. Covers firm admins, reviewers, and lead reviewers.

Field	Type	Note
`id`	`String`
`firmId`	`String`	FK → Firm
`name`	`String`
`email`	`String`	unique
`fcaRef`	`String?`	Individual Reference Number (IRN)
`qualifications`	`ReviewerQualification[]`
`role`	`UserRole`
`cognitoUserId`	`String?`	unique; populated after first sign-in
`isAvailable`	`Boolean`
`specialistVulnerability`	`Boolean`	FG21/1 specialist flag
`invitedAt`	`DateTime`
`activatedAt`	`DateTime?`
`deactivatedAt`	`DateTime?`
`activeJobId`	`String?`
`createdAt`	`DateTime`

ApiKey

A programmatic credential scoped to a firm. The raw key is never stored — only its SHA-256 hash.

Field	Type	Note
`id`	`String`
`firmId`	`String`	FK → Firm
`keyHash`	`String`	sha256 of the full key, unique
`lastFourChars`	`String`	e.g. "a8c4", for display in the settings UI
`name`	`String`	human-assigned label
`createdAt`	`DateTime`
`lastUsedAt`	`DateTime?`
`revokedAt`	`DateTime?`

LedgerRecord

A single entry on the firm’s hash chain. Append-only: once written, never updated or deleted.

Field	Type	Note
`id`	`String`
`firmId`	`String`	FK → Firm
`sequenceNumber`	`Int`	monotonic per firm, unique with firmId
`eventType`	`LedgerEventType`
`actorId`	`String`	user id, api key id, or "system"
`actorName`	`String`
`actorFcaRef`	`String?`
`documentHash`	`String`	sha256 of the event-specific document snapshot
`documentMetadata`	`Json`
`previousHash`	`String`	chainHash of the previous record, or GENESIS_HASH
`recordHash`	`String`	sha256 of the canonicalised record
`chainHash`	`String`	sha256(previousHash + recordHash)
`timestamp`	`String`	ISO 8601
`signature`	`String`	ECDSA P-256 signature over recordHash
`publicKey`	`String`	base64 signing key used for this record
`reviewJobId`	`String?`	FK → ReviewJob, where applicable

ReviewJob

A job moving through the Principal review workflow. One per submitted advice record.

Field	Type	Note
`id`	`String`
`firmId`	`String`	FK → Firm
`documentReference`	`String`	firm-assigned stable identifier
`documentType`	`DocumentType`
`documentUrl`	`String`
`documentHash`	`String`	sha256 of the original upload
`clientReference`	`String`	firm-assigned client id (not a name)
`factFindSummary`	`Json`
`vulnerabilityFlags`	`VulnerabilityFlag[]`	FG21/1 drivers
`requiresSeniorSignOff`	`Boolean`	auto-true when any vulnerability flag set
`clientSegments`	`Json`	anonymised categories for bias monitoring
`modelProvider`	`String?`	e.g. "openai"
`modelVersion`	`String?`	e.g. "gpt-4o-2024-08-06"
`modelConfiguration`	`Json`
`submittedAt`	`String`	ISO 8601
`slaDeadline`	`String`	ISO 8601
`status`	`ReviewStatus`
`priority`	`ReviewPriority`
`assignedReviewerId`	`String?`	FK → User
`assignedAt`	`String?`
`completedAt`	`String?`
`outcome`	`ReviewOutcome?`
`outcomeReason`	`String?`
`modifications`	`String?`	verbatim reviewer modifications
`certificateId`	`String?`	FK → Certificate, unique

ReviewAction

A captured reviewer interaction with a job — every click, scroll, and annotation.

Field	Type	Note
`id`	`String`
`reviewJobId`	`String`	FK → ReviewJob
`reviewerId`	`String`	FK → User
`actionType`	`ReviewActionType`
`metadata`	`Json`
`timestamp`	`String`	ISO 8601

Certificate

A thin envelope around a LedgerRecord. Polymorphic: any compliance-relevant ledger event can carry a certificate. Cryptographic proof (hashes, signature, public key) lives on the linked record. Event-specific content captured at issue time lives in the metadata blob, projected from the record by an event-typed assembler.

Field	Type	Note
`id`	`String`
`ledgerRecordId`	`String`	FK → LedgerRecord; unique (1:1)
`firmId`	`String`	FK → Firm
`firmName`	`String`	denormalised for offline verification
`firmFrnNumber`	`String`	denormalised
`issuedAt`	`String`	ISO 8601
`verificationUrl`	`String`	public verify.bedrockcompliance.co.uk URL
`pdfUrl`	`String`
`pdfStorageKey`	`String`	S3 key inside the certificate bucket
`metadata`	`Json`	event-specific snapshot — eventLabel, optional statusPill, sections of labelled fields. Shape determined by the assembler that produced it.

WebhookEndpoint

A firm’s subscription to ledger events. Delivery is recorded in WebhookDelivery (internal, not documented).

Field	Type	Note
`id`	`String`
`firmId`	`String`	FK → Firm
`url`	`String`
`secret`	`String`	HMAC secret for signature header
`events`	`LedgerEventType[]`
`isActive`	`Boolean`
`createdAt`	`DateTime`

ImpactAssessment

A Consumer Duty impact assessment for an AI use case. Approval anchors a hashed snapshot to the immutable ledger as IMPACT_ASSESSMENT_APPROVED. APPROVED and SUPERSEDED rows are immutable.

Field	Type	Note
`id`	`String`
`firmId`	`String`	FK → Firm
`useCase`	`String`	short title (e.g. 'GPT-4 fact-find summariser')
`description`	`String`
`modelProvider`	`String?`	optional; pair with modelVersion to feed the impact-assessment enforcement gate
`modelVersion`	`String?`
`templateVersion`	`Int`	currently 1
`outcomes`	`Json`	four PRIN 2A outcome responses
`status`	`ImpactAssessmentStatus`
`createdById`	`String?`	FK → User
`signedOffById`	`String?`	FK → User; LEAD_REVIEWER or FIRM_ADMIN
`signedOffAt`	`DateTime?`	server-stamped on transition to APPROVED
`createdAt`	`DateTime`
`updatedAt`	`DateTime`

Incident

An operational or compliance incident logged against the firm. Anchored to the immutable ledger via INCIDENT_LOGGED / INCIDENT_RESOLVED events.

Field	Type	Note
`id`	`String`
`firmId`	`String`	FK → Firm
`title`	`String`
`description`	`String`
`severity`	`IncidentSeverity`
`category`	`IncidentCategory`
`status`	`IncidentStatus`
`reportedAt`	`DateTime`
`reportedById`	`String?`	FK → User
`resolvedAt`	`DateTime?`	server-controlled on transition to RESOLVED / CLOSED
`rootCause`	`String?`
`affectedReviewJobIds`	`String[]`
`affectedLedgerRecordIds`	`String[]`
`metadata`	`Json`

IncidentRemediation

A remediation action attached to an Incident. Multiple remediations can live under one incident.

Field	Type	Note
`id`	`String`
`incidentId`	`String`	FK → Incident, cascade on delete
`description`	`String`
`status`	`RemediationStatus`
`ownerName`	`String?`	free-text; not linked to User yet
`dueAt`	`DateTime?`
`completedAt`	`DateTime?`
`createdAt`	`DateTime`

Report

An audit-trail entry for every generated compliance report (currently just Consumer Duty outcome reports). The PDF itself is rendered on demand; this row records that a report existed at a given point in time.

Field	Type	Note
`id`	`String`
`firmId`	`String`	FK → Firm
`type`	`ReportType`
`periodFrom`	`DateTime`
`periodTo`	`DateTime`
`generatedAt`	`DateTime`
`generatedByUserId`	`String?`	FK → User
`metadata`	`Json`	headline metrics snapshot at generation time