Security & Data Handling
How DocuFlag protects your data.
Last updated: May 2026
Encrypted in the EU, by default
Your case data — documents, analysis results, checklist items — can either be stored encrypted at rest in our European cloud storage (EU infrastructure) or kept only in your browser’s local cache. You choose at registration via a single “Save my cases to the cloud” checkbox (default ON), and you can flip the choice at any time from Settings.
- Cloud sync ON (default). Each cloud-stored case is encrypted under AES-256-GCM with a per-application data encryption key (DEK). The DEK is wrapped under an organisation-scoped key encryption key (KEK) held in a managed EU key service, software-protected (FIPS 140-2 Level 1). KEK material lives only inside the key service, and the runtime application identity is granted only Encrypt/Decrypt against it, never the right to export, list, or destroy key material. DocuFlag CAN decrypt under your authenticated session (so password reset works normally), and every key-service Decrypt call is logged to both the key service’s audit stream and our own application audit log. Disabling cloud sync from Settings wipes the cloud copy and schedules cryptographic erasure of the organisation’s key (30-day reversible window).
- Cloud sync OFF. No server-side copy of any case is kept. Documents still transit our EU analysis server in-memory for AI processing — they are processed in-memory only and never written to disk by the analysis pipeline or the AI provider — but only your browser’s local cache holds the persistent copy. Clearing browser data or switching devices will lose your cases. Re-enable cloud sync from Settings at any time to upload the cases currently in your local cache.
A local browser cache (IndexedDB) is kept on each device for fast page loads. With cloud sync ON, clearing browser data or switching devices is safe — the cloud copy re-hydrates on next sign-in. With cloud sync OFF, the local cache is the only copy.
EU-hosted AI analysis, in-memory only
When you analyze a document, it is sent from your browser to our EU-hosted analysis server, which forwards it to our AI provider’s EU endpoint. Documents are processed in-memory only and are never written to disk by the analysis pipeline, neither by our analysis server nor by the AI provider. The AI provider operates with zero data retention: your document is not stored, logged, or used for AI training. After analysis, if cloud sync is on, the case bundle (documents + structured results) is written to our encrypted EU storage as described in the section above; if cloud sync is off, the analysis result returns to your browser and no copy is kept on our servers.
The data flow:
- Browser → EU-hosted analysis server (in-memory only, TLS in transit)
- Analysis server → AI provider’s EU endpoint (zero data retention) → structured result back to the analysis server
- Analysis server → browser (result returned; plaintext in server memory is discarded)
- Cloud sync ON only: case bundle → encrypted EU object storage (AES-256-GCM, DEK wrapped under the org KEK)
The analysis path is in-memory only. The final step (write to encrypted EU storage) runs only if cloud sync is on; otherwise the result returns to the browser and nothing case-shaped is kept on our servers. You can confirm in your browser’s developer tools (Network tab) whether a storage upload request is made at all; the at-rest encryption itself happens on our servers, so it is not something the browser can observe.
What we store on our servers
Account and billing:
- Your account (email, organisation name)
- Audit trail (action types and timestamps, with HMAC-hashed IP prefixes for accountability — no plaintext PII)
- Billing data (credits, subscription status)
Case data — encrypted at rest in our EU cloud storage:
- A copy of your case bundle — application metadata (destination, nationality, dates, trip purpose), document files (passport scans, bank statements, hotel reservations, etc.), checklist items, analysis results, and cross-document check results.
- Cloud sync (default): encrypted at rest under AES-256-GCM with the DEK wrapped under our managed EU key service. KEK material lives only inside the key service (FIPS 140-2 Level 1 software-protected; the runtime service account is granted Encrypt/Decrypt only, never the right to export, list, or destroy key material). DocuFlag CAN decrypt under your authenticated session (so password reset works), and every Decrypt call is logged.
- Cloud sync OFF: no server-side blob is created. The case lives only in your browser’s local cache; nothing case-shaped is persisted on our infrastructure.
- Retention: 180-day TTL, reset on every access. While a case is in use it stays indefinitely; cases untouched for 180 consecutive days are auto-deleted (GDPR Art. 5(1)(e), storage limitation). Defence-in-depth server-side encryption (SSE) at the storage layer.
What happens to documents during analysis:
- Sent from your browser through our EU-hosted analysis relay (in-memory only, never written to disk by the analysis pipeline) to our AI provider’s EU endpoint
- The AI extracts structured text fields (no facial recognition, no biometric matching, no identity verification — see DPIA section 1.5)
- The AI provider operates with zero data retention; the document leaves no trace in the analysis pipeline once the call returns
- The case bundle is then written to encrypted cloud storage as described above.
EU data residency
Storage and processing of your data take place in EU regions: EU regions for our AI provider and managed key service, EU infrastructure for our compute and object storage, and EU edge locations for our CDN. Backups are also stored in an EU region. The application data never leaves the EU at rest.
- EU-hosted processing infrastructure
- Zero data retention at the AI provider — documents are not stored after analysis
- A Data Processing Agreement with our AI and key-service provider, with retention controls configured at project level
- API data is never used for model training
About transfers to US-headquartered companies. Some of our sub-processors are US-headquartered with EU operating subsidiaries. Even with EU regional pinning, the parent corporation can in principle be compelled (US CLOUD Act / FISA 702) to disclose data its EU subsidiary processes. We address this with the standard UK/EU mechanisms: each processor’s Data Processing Agreement incorporates the EU Standard Contractual Clauses (Module 2) and the UK Addendum, and where applicable our US-based processors are certified under the EU-US Data Privacy Framework (UK Extension). For our CDN specifically, the edge does not cache authenticated routes so the personal-data exposure is limited to TLS-decrypted request metadata and bodies in transit. We maintain an internal Transfer Risk Assessment documenting the supplementary measures we rely on (managed key service with role-isolated key access, IAM least-privilege, EU region pinning, audit logging on every decrypt, optional cloud-sync-off mode that keeps case content out of server-side storage entirely). The canonical sub-processor list with names, roles, and locations is in the Data Processing Agreement. You can request a copy of the Transfer Risk Assessment at [email protected].
AI analysis processing
We use our AI provider’s EU endpoint for document analysis; documents are forwarded to it from our EU-hosted analysis server. The AI provider operates with zero data retention: API requests and responses are not stored at rest, and your data is not used for model training. We have a Data Processing Agreement with our AI provider, with its data retention controls configured at project level.
Optional cloud backup
Cloud sync is a user-controllable toggle. At registration you tick or untick a single “Save my cases to the cloud” checkbox (default ON), and you can flip the choice at any time from Settings. Turning cloud sync off wipes the server-side copy and schedules cryptographic erasure of the organisation’s encryption key (30-day reversible window).
Cloud sync ON — server-side encryption via our managed key service
Your application data is encrypted on our servers with AES-256-GCM under a per-application data encryption key (DEK). The DEK is wrapped by a per-organisation key encryption key (KEK) that lives in our managed key service in the EU region; the KEK material lives only inside the key service and never reaches our application servers. We can technically decrypt your data when you authenticate, and we will if compelled by a court order. Every Encrypt and Decrypt call is logged in the key service’s audit stream (a separate write-only stream that DocuFlag engineers cannot delete) AND in our own audit trail for cross-correlation. Forgetting your password works as it does in every other product: a normal email-based password reset, after which your cloud data stays accessible.
Cloud sync OFF — local-only
No server-side copy of any case is kept. Your documents still transit our EU analysis server in-memory for AI processing — processed in-memory only, never written to disk by the analysis pipeline or the AI provider — but only your browser’s local cache holds the persistent copy. Clearing browser data or switching devices will lose your cases. You can re-enable cloud sync from Settings at any time and the cases currently in your local cache will be uploaded.
Common to all modes:
- Self-hosted encrypted storage on EU infrastructure (defence-in-depth at-rest encryption via S3-SSE)
- 180-day TTL on any cloud blob, with automatic expiry
- You can delete cloud data at any time
- The analysis flow is unchanged: documents transit through the EU proxy to the AI provider in-memory via TLS — plaintext exists briefly in server memory during processing, then is discarded. Analysis NEVER touches the cloud-backup ciphertext.
Consent (Enterprise customers)
Individual self-help users process only their own personal data and do not need to obtain consent from anyone else. Enterprise customers acting as data controllers on behalf of visa applicants are responsible for ensuring the data subjects are informed and (where local law requires it) have consented to the processing. DocuFlag does not perform facial recognition, biometric matching, or identity verification — the analysis extracts structured text fields from documents for comparison against published consulate requirements. Where documents incidentally contain Article 9 special-category data (e.g. a marriage certificate showing religious ceremony, a faith-based employment letter), explicit consent under Article 9(2)(a) should be obtained before upload. Below is a notice template Enterprise customers can adapt:
“We use AI-assisted software (DocuFlag) to check your documents against published visa requirements. Your documents are sent to an EU-hosted analysis relay, which forwards them to an EU-hosted AI service for vision-model field extraction (passport number, names, dates — not facial recognition or biometric matching). During analysis, documents are processed in memory only and are not saved to disk — not by the analysis relay, and not by the AI provider (which operates with zero data retention). Where your application data is stored depends on your cloud-sync setting: when cloud sync is on (the default), the data is stored encrypted at rest in EU-hosted cloud storage under software-protected managed EU key-service keys; when cloud sync is off, no server-side copy is kept and the data lives only in the browser’s local cache. By providing your documents, you consent to this processing.”
Data deletion
Per-case deletion. Delete any case and its data at any time from the case page. The case is removed from the local browser cache immediately and the encrypted cloud copy is soft-deleted on the server and hard-purged from object storage 7 days later.
Account deletion (Article 17 right to erasure). From Settings → GDPR → Delete my account. The account is soft-deleted immediately and you are signed out everywhere. The account is permanently hard-deleted 30 days later by an automated cron — the 30-day window is the grace period to recover from accidental or unauthorised deletion (contact [email protected] within that window to cancel).
Cryptographic erasure (cloud sync). When your cloud-sync account is hard-deleted at the 30-day mark, the per-org key that wrapped your backup data keys is scheduled for destruction. The key service waits a further 24 hours before destroying the key material; after that the encrypted blobs are computationally unrecoverable, even by us. This is the strongest erasure guarantee available short of physical-media destruction. Backup ciphertext that survives in disaster-recovery snapshots is rendered useless by the destroyed wrap key.
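The envelope scheme described under "Cloud sync ON" and the erasure step above, as an added example (illustrative code, not DocuFlag’s implementation): a fresh per-application (per-case) DEK seals the bundle under AES-256-GCM, the DEK is wrapped under an organisation KEK that only the key service holds, and destroying that KEK leaves every blob unopenable even though the ciphertext itself survives. Assumptions: the key service is simulated in-process (in production the KEK never leaves the service, every call is audit-logged, and the runtime identity holds only Encrypt/Decrypt); the wrap format is nonce||ciphertext with the organisation ID as associated data; and the names KeyService, EncryptCase, DecryptCase and Erasure belong to this example, not to the product.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

// aead returns AES-256-GCM for a 32-byte key; callers never pass another length.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// seal/open use a nonce||ciphertext layout; the AAD binds a ciphertext or a
// wrapped DEK to its owning org, so neither can be replayed under another org.
func seal(g cipher.AEAD, pt, aad []byte) []byte {
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, pt, aad)
}
func open(g cipher.AEAD, ct, aad []byte) ([]byte, error) {
	if ns := g.NonceSize(); len(ct) > ns {
		return g.Open(nil, ct[:ns], ct[ns:], aad)
	}
	return nil, errors.New("malformed ciphertext")
}

// KeyService stands in for the managed EU key service (assumption: simulated
// in-process; in production the KEK never leaves the service, every call is
// audit-logged, and the runtime identity is granted only Wrap/Unwrap).
type KeyService struct {
	keks map[string]cipher.AEAD // orgID -> AES-256-GCM under that org's KEK
}

// NewKeyService provisions a KEK per org: the admin-side step at sign-up.
func NewKeyService(orgIDs ...string) *KeyService {
	ks := &KeyService{keks: map[string]cipher.AEAD{}}
	for _, id := range orgIDs {
		ks.keks[id] = aead(random(32))
	}
	return ks
}

// Destroy is the admin-side scheduled destruction: every DEK wrapped under the
// KEK, and so every blob, becomes unrecoverable while the ciphertext remains.
func (ks *KeyService) Destroy(orgID string) { delete(ks.keks, orgID) }

// Wrap is the Encrypt call and Unwrap the Decrypt call of the runtime identity.
func (ks *KeyService) Wrap(orgID string, dek []byte) ([]byte, error) {
	g, ok := ks.keks[orgID]
	if !ok {
		return nil, errors.New("Encrypt: key not found or destroyed")
	}
	return seal(g, dek, []byte(orgID)), nil
}
func (ks *KeyService) Unwrap(orgID string, wrapped []byte) ([]byte, error) {
	g, ok := ks.keks[orgID]
	if !ok {
		return nil, errors.New("Decrypt: key not found or destroyed")
	}
	return open(g, wrapped, []byte(orgID))
}

// CaseBlob is what lands in object storage; the plaintext DEK is never stored.
type CaseBlob struct {
	OrgID                  string
	WrappedDEK, Ciphertext []byte
}

// EncryptCase seals one case bundle under a fresh DEK, then wraps the DEK.
func EncryptCase(ks *KeyService, orgID string, bundle []byte) (*CaseBlob, error) {
	dek := random(32)
	wrapped, err := ks.Wrap(orgID, dek)
	if err != nil {
		return nil, err
	}
	ct := seal(aead(dek), bundle, []byte(orgID))
	return &CaseBlob{OrgID: orgID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptCase is the authenticated-session read path: unwrap, then open.
func DecryptCase(ks *KeyService, b *CaseBlob) ([]byte, error) {
	dek, err := ks.Unwrap(b.OrgID, b.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(aead(dek), b.Ciphertext, []byte(b.OrgID))
}

// Erasure walks the lifecycle: encrypt, read back, destroy the org KEK, then
// show that the surviving ciphertext (think: a DR snapshot) no longer opens.
func Erasure() (roundTrip bool, afterDestroy error) {
	ks := NewKeyService("org-1")
	bundle := []byte(`{"case":"constructed sample","destination":"FR"}`) // constructed input
	blob, _ := EncryptCase(ks, "org-1", bundle)                          // cannot fail: the KEK exists
	pt, err := DecryptCase(ks, blob)
	roundTrip = err == nil && string(pt) == string(bundle)
	ks.Destroy("org-1")
	_, afterDestroy = DecryptCase(ks, blob)
	return roundTrip, afterDestroy
}
```

Erasure returns true together with a non-nil error: the round trip works while the KEK exists and fails once it is destroyed, which is the whole point of destroying the wrap key rather than hunting down every copy of the ciphertext. Binding the organisation ID as associated data also means a blob or wrapped DEK copied between organisations will not open. The 30-day grace period and the key service’s further 24-hour wait described above sit in front of Destroy and are not modelled here.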
Data export before deletion. You can download a ZIP archive of everything we hold on you at any time from Settings → GDPR → Export my data — a structured archive (manifest, account record, audit log, decrypted cloud-sync backups) suitable for portability under Article 20.
Operational security
- IAM least-privilege for our key service. Two service accounts: a runtime account that holds only Encrypt/Decrypt permission (used by every web request that decrypts a cloud-sync backup), and a separate admin account used only at provisioning time and at account deletion (key creation and scheduled destruction). The runtime account cannot create or destroy keys; the admin account is not used by the live web servers.
- Audit logging on every decryption. Every key-service Decrypt is logged in two independent streams: the key service’s audit stream (a separate logging stream that DocuFlag engineers cannot delete) and our own application-side audit table. Cross-correlation between the two surfaces any decrypt that did not originate from a legitimate request path.
- Bulk-decrypt anomaly alerting. Our standing operational commitment is a Cloud Monitoring alert that fires when the Decrypt rate for a single principal exceeds 60/minute sustained for 5 minutes; the alerting policy is provisioned by scripts/kms-alerting-bootstrap.sh against the production GCP project. Combined with the app-side rate limit on the download endpoint (30/minute/user), this bounds the blast radius of a stolen runtime credential before meaningful exfiltration could occur. Note the limit of the rate alert on its own: it fires only once the rate has stayed above 60/minute for 5 minutes, so a credential used directly against the key service below that rate, or in shorter bursts, is caught by the cross-correlation check above rather than by the alert. Customers can request a copy of the latest alert-policy configuration at [email protected].
- Vulnerability scanning. Continuous dependency scanning via Dependabot; CI fails on known high-severity CVEs.
- Incident response. 72-hour ICO notification window for any personal-data breach (UK GDPR Article 33). Documented runbook covering detection, escalation, containment, regulator notification, and affected-individual notification (Article 34) where the breach is high-risk.
- Encrypted off-site backups. Nightly PostgreSQL backups encrypted with age under a key DocuFlag controls, uploaded to EU object storage. Monthly automated restore tests verify recoverability. Retention: 30 daily + 12 monthly.
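The two detective controls in this list, cross-correlation and bulk-decrypt alerting, as an added example (illustrative code, not DocuFlag’s own alerting, which the page says is provisioned by scripts/kms-alerting-bootstrap.sh into Cloud Monitoring): the first check joins key-service Decrypt entries against the application audit table and flags the ones with no request behind them; the second implements the "60/minute sustained for 5 minutes" rule as a per-principal streak of consecutive hot minute buckets, so a single spike does not fire and a quiet minute resets the streak. Assumptions: both streams carry a shared request ID as the join key (the page does not name the field it correlates on), and the sample events, the principal name runtime@docuflag, and the function names Orphans, SustainedBurst, SampleStreams and Run are constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Decrypt is one key-service audit entry for a Decrypt call. Assumption: the
// application passes its request ID into the key-service call, so the two
// streams share a join key; the page does not name the field it correlates on.
type Decrypt struct {
	At        time.Time
	Principal string
	ReqID     string
}

// Orphans is the cross-correlation check: Decrypts with no application-side
// request behind them, which is what a misused runtime credential looks like.
// appReqs is the set of request IDs recorded in the application audit table.
func Orphans(decrypts []Decrypt, appReqs map[string]bool) []Decrypt {
	var out []Decrypt
	for _, d := range decrypts {
		if d.ReqID == "" || !appReqs[d.ReqID] {
			out = append(out, d)
		}
	}
	return out
}

// SustainedBurst mirrors the alert policy: it returns the principals whose
// Decrypt count exceeded perMinute in each of `minutes` consecutive minute
// buckets (60/minute sustained for 5 minutes in the production policy).
func SustainedBurst(decrypts []Decrypt, perMinute, minutes int) []string {
	counts := map[string]map[int64]int{} // principal -> minute bucket -> count
	for _, d := range decrypts {
		if counts[d.Principal] == nil {
			counts[d.Principal] = map[int64]int{}
		}
		counts[d.Principal][d.At.Unix()/60]++
	}
	var alerts []string
	for p, buckets := range counts {
		keys := make([]int64, 0, len(buckets))
		for k := range buckets {
			keys = append(keys, k)
		}
		sort.Slice(keys, func(i, j int) bool { return keys[i] < keys[j] })
		run := 0
		for i, k := range keys {
			switch {
			case buckets[k] <= perMinute:
				run = 0 // a quiet minute breaks the streak
			case i > 0 && keys[i-1] == k-1 && run > 0:
				run++ // hot minute directly after a hot minute
			default:
				run = 1 // first hot minute, or a hot minute after a gap
			}
			if run >= minutes {
				alerts = append(alerts, p)
				break
			}
		}
	}
	sort.Strings(alerts) // deterministic regardless of map iteration order
	return alerts
}

// SampleStreams is constructed input: ten quiet minutes of 10 Decrypts/min,
// each backed by an application request, then six minutes of 80/min from the
// same runtime principal with no application request behind them, which is
// how a credential used directly against the key service would look.
func SampleStreams() ([]Decrypt, map[string]bool) {
	t0 := time.Date(2026, 5, 1, 10, 0, 0, 0, time.UTC)
	var kms []Decrypt
	appReqs := map[string]bool{}
	for m := 0; m < 10; m++ {
		for i := 0; i < 10; i++ {
			req := fmt.Sprintf("r-%d", m*10+i)
			at := t0.Add(time.Duration(m)*time.Minute + time.Duration(i)*5*time.Second)
			kms = append(kms, Decrypt{At: at, Principal: "runtime@docuflag", ReqID: req})
			appReqs[req] = true
		}
	}
	for m := 10; m < 16; m++ {
		for i := 0; i < 80; i++ {
			at := t0.Add(time.Duration(m)*time.Minute + time.Duration(i)*700*time.Millisecond)
			kms = append(kms, Decrypt{At: at, Principal: "runtime@docuflag"}) // no request context
		}
	}
	return kms, appReqs
}

// Run applies both checks to the sample: (orphaned Decrypts, alerted principals).
func Run() (int, []string) {
	kms, appReqs := SampleStreams()
	return len(Orphans(kms, appReqs)), SustainedBurst(kms, 60, 5)
}
```

Run returns 480 orphaned Decrypts and one alerted principal for the sample. The streak is what makes the rule "sustained": the alert fires during the fifth consecutive hot minute, a 6-minute burst satisfies a 5-minute window but not a 7-minute one, and 80/minute never trips a 100/minute threshold. That last case is also why the correlation check matters: a credential used just under the alert threshold produces no alert but still produces orphaned Decrypt entries.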
We have conducted a Data Protection Impact Assessment (DPIA) in accordance with GDPR Article 35, covering the risks and safeguards of our AI-powered document analysis. View the full DPIA →