Data residency and GDPR
Where FRA Flow stores your data, which sub-processors handle which step, and what GDPR rights apply.
FRA Flow is built for UK housing contractors handling data about real residents in real buildings. The standard a fire risk assessment carries is the safety bar; the data the tool handles needs to clear the GDPR bar too. This page is the short reference for where the data lives, who touches it, and what rights apply.
Where the data lives
The default storage region is the European Union. Concretely:
- The database. Hosted in the EU. Property records, observations, paragraph slots, audit metadata, sign-offs, user accounts.
- Photo and audio storage. Hosted in the EU.
- Voice transcription. Hosted in the EU. Audio bytes are uploaded to the transcription service and processed, and the text result is returned. Audio is retained per the transcription service's processing terms.
A small part of the AI pipeline is more nuanced and is covered below.
Sub-processors
The full sub-processor list is published at fraflow.com/legal/sub-processors. At the time of writing the categories are:
- Hosting: a major EU cloud region for the application servers, database, and object storage.
- Authentication: a managed authentication provider with EU-resident session storage.
- Transcription: an EU-resident speech-to-text service for voice notes.
- AI for paragraph generation: pre-pilot, a model gateway hosted in the United States. We are aware of the implication and are migrating to a direct EU-resident AI deployment before the first paying customer. Pre-pilot, no production user data flows through this path at scale; design-partner data is covered by an explicit data-processing addendum.
What gets sent to the AI
Three categories of content land in the prompt to the AI:
- Property metadata (address, building type, storey count, unit count). Identifies the building. Not personal data about residents.
- Observations and recommended actions the assessor captured. Not personal data unless the assessor names a resident in a description, which the prompts discourage.
- House-style brief. Practice-level configuration, no personal data.
What does NOT get sent:
- Photos. Photos stay in the storage layer. The AI is asked for paragraph prose; photo-classification (a separate step) is the only AI action on photos and produces only a category tag.
- Voice recordings. The transcript text is sent, not the audio.
- User account data. Identifiers travel with the request for audit purposes, but no PII (email, phone, address) goes to the AI.
Retention
Default retention windows pre-pilot:
- Live reports: kept indefinitely while the workspace is active.
- Soft-deleted data: retained for 90 days, then hard-deleted unless an export request is in flight.
- Voice audio: kept for the audit period agreed in your data-processing addendum (typically 7 years).
- Audit metadata (paragraph fingerprints, model versions, evidence lists): kept for the same 7-year audit period to meet the FSO 2005 evidence-trail expectation.
Custom retention windows are negotiable on the Enterprise tier.
GDPR rights
The two practical paths most often invoked:
- Right of access. A resident in a building you assessed can ask the dutyholder for the data held about them. If FRA Flow holds any (e.g. their name in a description), the dutyholder routes the request through your practice; we support the export end-to-end via Settings → Compliance → Subject Access.
- Right to erasure. Same routing. Erasing personal data embedded in observation descriptions is a redaction (we keep the observation, redact the personal data) rather than a delete; the underlying audit trail must persist for the FSO 2005 evidence requirement, but the redaction is visible in the report.
Pre-pilot caveats
- The full sub-processor list lives under /legal/sub-processors and is the canonical reference. If the page above goes stale, the legal page wins.
- The AI provider migration to EU is in progress. Until it lands, the AI step is the one US-resident hop in the pipeline. Design-partner data is explicitly covered by a data-processing addendum that documents this; no production data flows through the US path at scale.
- DPA signing. Pre-pilot we run a single template DPA per customer; the version on file with us is canonical.
Where to go next
- Sub-processors list for the canonical sub-processor inventory.
- FSO 2005 evidence trail for the audit-retention drivers.
- The audit trail for what metadata is recorded per paragraph.