Trust and Security

How we handle your data.

Honest answers about GDPR compliance, data residency, authentication, payment handling, and who has access to what. No boilerplate. Plain English.


GDPR Compliant

All data processing complies with UK GDPR and the Data Protection Act 2018. We are registered with the ICO. A Data Processing Agreement (DPA) is available on request.


UK and EU Data Residency

Your data is stored in UK and EU regions only. We do not transfer personal data outside the UK/EEA without standard contractual clauses in place.


Encrypted in Transit and at Rest

All data is encrypted in transit with TLS 1.2 or higher. Data at rest is encrypted using AES-256. API credentials are stored encrypted, never in plain text.


Row-Level Security

Your data is isolated at the database level using row-level security policies. No customer can access another customer's data, even in the event of an application bug.

Authentication

Account authentication is handled by Supabase Auth, which uses industry-standard email/password flows with bcrypt hashing. Multi-factor authentication (TOTP) is available and recommended for all accounts.

Admin access to your account requires a separate admin credential set. FatArrow staff access your data only when you have opened a support case and explicitly granted access. All staff access is logged.

API keys for integrations (Xero, Shopify, etc.) are stored encrypted using AES-256 at the infrastructure level. Keys are never logged or exposed in application output.

Payments

Subscription billing is handled by Stripe. FatArrow does not store card details on our infrastructure. Card data is tokenised and handled entirely by Stripe, which is PCI DSS Level 1 compliant.

We store only your Stripe customer ID and subscription status. No card numbers, CVV codes, or expiry dates ever touch our servers.

You can cancel, upgrade, or downgrade your subscription at any time from your dashboard. Billing disputes should be directed to support@fatarrow.io.

Your Rights Under UK GDPR

Right to Access

Request a copy of all personal data we hold about you. We will respond within 30 days.

Right to Erasure

Request deletion of your account and all associated personal data. Completed within 30 days.

Right to Portability

Export your data in machine-readable format (JSON or CSV) from your account dashboard at any time.

Right to Rectification

Correct inaccurate personal data from your account settings, or contact support@fatarrow.io.

Subprocessors

The following third-party services process customer data on FatArrow's behalf. We have Data Processing Agreements in place with each.

Provider  | Purpose                  | Data Location
Supabase  | Database, auth, storage  | EU (Frankfurt)
Stripe    | Payment processing       | UK/EU
Anthropic | AI pipeline processing   | US (zero data retention)
Vercel    | Application hosting      | EU edge
Twilio    | WhatsApp messaging       | EU

For AI processing via Anthropic, we use zero data retention settings. Conversation data is not stored or used for model training.

Compliance Status

UK GDPR: Compliant
ICO Registration: Registered
Cyber Essentials: In Progress
SOC 2 Type 1: Year 2 Roadmap

Security or compliance questions?

If you have a security disclosure, compliance question, or need a DPA for your organisation, contact us directly. We respond within 1 business day.

security@fatarrow.io