Security & Data
Protection

Last updated 1 April 2026

How Fixra protects your business data. Technical and organisational measures, infrastructure, and compliance. Read alongside our Privacy Policy.

Residency Encryption Isolation Access Backups AI GDPR Breach Comparison Infrastructure
01 Data Residency

All client data is stored and processed within the European Union. Our primary data infrastructure is located in the AWS eu-west-1 availability zone (Dublin, Ireland). No client data is transferred to, or accessible from, any jurisdiction outside the European Economic Area.

02 Encryption

Data is encrypted at every stage:

  • In transit: all connections use TLS 1.2 or above. Unencrypted HTTP requests are rejected.
  • At rest: database storage is encrypted using AES-256. Backup volumes use the same standard.
  • Database connections: SSL is required for all database access. Plaintext connections are not permitted.
03 Data Isolation

Every client organisation's data is logically isolated using row-level security (RLS) policies enforced at the database level:

  • One organisation cannot read, write, or infer the existence of another's data
  • Application-level queries are filtered before execution, not after
  • Database administrators cannot bypass RLS without explicit policy override

This isolation model is equivalent to the multi-tenancy standard used by enterprise SaaS platforms handling financial and healthcare data.

04 Access Controls

Access to client data is governed by role-based access controls (RBAC). Each user is assigned a role within their organisation. Roles determine read, write, and administrative permissions. Authentication is handled via Supabase Auth with secure session management.

Fixra personnel access to production data is limited to named individuals and requires multi-factor authentication. Access logs are retained.

05 Backups and Recovery

Automatic daily backups are performed with point-in-time recovery (PITR) capability. Backups are stored in the same EU region as production data, encrypted at rest. Restoration can be performed to any point within the backup retention window.

06 AI Processing

Where AI-assisted features are available (document generation, analysis), processing is carried out exclusively by EU-hosted AI providers:

  • No client data is transmitted to US-based AI services
  • No client data is used for the training or fine-tuning of AI models
  • AI processing is stateless: input data is processed and discarded, not retained by the provider
07 GDPR Compliance

Fixra processes personal data in accordance with the GDPR and the Data Protection Acts 1988–2018:

  • Documented lawful bases for all processing activities (Art. 6)
  • Data Processing Agreements with all sub-processors (Art. 28)
  • Technical and organisational security measures (Art. 32)
  • Breach notification procedures (Art. 33, 34)
  • Facilitation of data subject rights (Art. 15–21)

Full details are set out in our Privacy Policy.

08 Breach Response

In the event of a confirmed or suspected personal data breach:

  • The breach is assessed, contained, and documented within 24 hours
  • The Data Protection Commission is notified within 72 hours where required under Article 33
  • Affected data subjects are notified without undue delay where the breach poses a high risk
  • A post-incident review is conducted and remedial measures documented

Questions about our security?

We're happy to discuss our security practices in detail.

Get in touch →