1. Data Residency

All client data is stored and processed within the European Union. Our primary data infrastructure is located in the AWS eu-west-1 availability zone (Dublin, Ireland). No client data is transferred to, or accessible from, any jurisdiction outside the European Economic Area.

2. Encryption

Data is encrypted at every stage:

• In transit: all connections use TLS 1.2 or above. Unencrypted HTTP requests are rejected.
• At rest: database storage is encrypted using AES-256. Backup volumes are encrypted with the same standard.
• Database connections: SSL is required for all database access. Plaintext connections are not permitted.

3. Data Isolation

Every client organisation’s data is logically isolated using row-level security (RLS) policies enforced at the database level. These policies ensure that:

• One organisation cannot read, write, or infer the existence of another’s data
• Application-level queries are filtered before execution, not after
• Database administrators cannot bypass RLS without explicit policy override

This isolation model is equivalent to the multi-tenancy standard used by enterprise SaaS platforms handling financial and healthcare data.

4. Access Controls

Access to client data is governed by role-based access controls (RBAC). Each user is assigned a role within their organisation. Roles determine read, write, and administrative permissions. Authentication is handled via Supabase Auth with secure session management.

Fixra personnel access to production data is limited to named individuals and requires multi-factor authentication. Access logs are retained.

5. Backups and Recovery

Automatic daily backups are performed with point-in-time recovery (PITR) capability. Backups are stored in the same EU region as production data, encrypted at rest. In the event of data loss or corruption, restoration can be performed to any point within the backup retention window.

6. AI Processing

Where AI-assisted features are available (document generation, analysis), processing is carried out exclusively by EU-hosted AI providers. Specifically:

• No client data is transmitted to US-based AI services
• No client data is used for the training or fine-tuning of AI models
• AI processing is stateless: input data is processed and discarded, not retained by the provider

7. GDPR Compliance

Fixra processes personal data in accordance with the General Data Protection Regulation (EU) 2016/679 and the Data Protection Acts 1988–2018. This includes:

• Documented lawful bases for all processing activities (Art. 6)
• Data Processing Agreements with all sub-processors (Art. 28)
• Technical and organisational security measures (Art. 32)
• Breach notification procedures (Art. 33, 34)
• Facilitation of data subject rights (Art. 15–21)

Full details are set out in our Privacy Policy.

8. Breach Response

In the event of a confirmed or suspected personal data breach:

• The breach is assessed, contained, and documented within 24 hours
• The Data Protection Commission is notified within 72 hours where required under Article 33 GDPR
• Affected data subjects are notified without undue delay where the breach poses a high risk to their rights, per Article 34
• A post-incident review is conducted and remedial measures documented

Comparison

For context, the following table compares the security posture of a typical spreadsheet-based workflow with the measures implemented by Fixra:

Infrastructure

The following third-party providers are engaged as data processors under written Data Processing Agreements in accordance with Article 28 GDPR: