Six visible stages. One signed bundle. Every decision on paper.

Raw SAR letter, document export from housing systems, identity-of-requester documents.

Bundle assembled. Identity-of-requester verified. Scope of request clarified in writing with the requester before the statutory clock anchors.

Verified bundle, scope statement, intake checklist.

Verified bundle and the scope statement.

Resolves the data subject across the bundle: name variants, addresses, tenancy and reference numbers. Ambiguous matches are marked needs-review — never silently assumed.

Subject map with confidence per match. Review queue for ambiguous matches.

Bundle plus subject map.

Walks every passage. For each one, recommends release-or-redact against the versioned ruleset (TP-PII, NOT-REL, LPP, MGMT-NEG in MVP). Every recommendation cites the ruleId and the reason in plain English.

Per-passage recommendations with ruleId, reason, and confidence.

Agent 2's recommendations.

A red-team agent challenges every classification. Disagreements are escalated to the reviewer's queue with both positions logged. Agreement is not silenced; it is recorded.

Audit verdicts (concur / dissent / escalate) for every passage.

Bundle, classification draft, audit verdicts.

Reviewer applies the statutory test. They accept, override, or escalate each recommendation. Overrides require a reason. Sign-off is name-attributed and timestamped.

Final redaction plan, signed in the reviewer's name.

Signed redaction plan.

Bundle exported. Evidence ledger written: every passage decision with its ruleId, reasoning, audit verdict, reviewer name, and timestamp — hash-chained. Export is gated on integrity verification.

Defensible bundle for the requester. Evidence pack for the ICO if challenged.