How do we protect your data?
This page explains how FairForm stores, protects, and handles your school's data.
Data storage
Database
Our database is hosted by Supabase. We use their UK data centre. Supabase automatically encrypts your data at rest — that means it cannot be accessed by third parties without our database credentials.
Our staff can see and review all data for technical assurance, troubleshooting, and compliance. However, we only access data when there is a clear business need, such as fixing a bug or dealing with a concern raised by a customer.
Our system uses row-level security to ensure that only authorised viewers can see any of your data. A set of automated tests are performed on every database update, which deliberately tries to access data it is not permitted to view. This ensures we do not accidentally introduce security bugs into our database.
Images
All images of student work are stored on Supabase Storage. Images can only be accessed via links created when the image is viewed. Our Supabase storage bucket is set to the UK.
Security
We do not currently hold formal security certifications. Our security controls include:
- Automated database tests which create different users with different permissions, and attempt to view and modify data. Code is automatically rejected if these tests fail.
- Regular use of automated tools to scan for vulnerabilities in packages or third-party software we use.
We review these controls regularly as the product grows.
Data in transit
All data is encrypted with TLS in transit.
Safeguarding
We take safeguarding extremely seriously.
- Only teachers are permitted to use the platform. You must be over 18 to use FairForm — no students log in directly.
- Schools can be locked by their administrators, so that only teachers with a registered school email address can link their account to the school.
- Users can only see student work after they have been explicitly added to a group by an administrator.
Image uploads
All images are screened by Google Safe Search, which automatically detects inappropriate content.
If we detect inappropriate content in an upload:
- The upload is blocked.
- If the content is high-risk (high probability of sexually explicit images or violence), the account that uploaded it is also suspended.
- We do not store blocked images, but do log the IP address and account that uploaded it. We may at our discretion notify the police or other appropriate authorities if accounts regularly attempt to upload inappropriate content.
Data protection
GDPR
We are registered with the Information Commissioner's Office, registration number ZC115824.
Data processor agreements
We send data to the following third parties:
Stripe
Stripe handles our payments. If you pay for FairForm subscriptions or credits, Stripe will hold:
- Your name
- Your email address
- Your payment details (held only by Stripe, never by us)
- The details of what you have purchased
Supabase
Supabase holds all data in our systems, including text data and images. We have a signed Data Processor Addendum with them.
Google Vision Safe Search is used to moderate all uploaded images. Google Gemini may be used if you choose to use our AI transcription or comparison features. We hold a signed Data Processor Addendum with Google.
OpenAI
If you choose to use OpenAI for image transcription or comparisons, your images will be sent to OpenAI. We use a paid service which does not use your data for training, and we have a Data Processor Addendum with OpenAI.
Data retention & deletion
Data is retained for as long as you have a FairForm account.
If you delete your account, the following deletions will occur:
- Work in groups where you are the only administrator: all work is deleted immediately.
- Work in groups where there is another administrator: all work is retained unless that administrator deletes it.
Inactive accounts
If you do not have an active subscription and do not log into the platform for a period of 12 months, we will delete your account and the above deletion behaviour will apply.
Payment history
We will retain your payment history and details on Stripe for up to 7 years, as required by UK law.
Data portability
You can extract all your judgements from the judging screen, as well as overall rankings. Other data can be exported via the API client using your login credentials.
Breach notification
In the event that we become aware of a data breach, we will alert schools as soon as practical, and in all cases within no longer than 72 hours from when we become aware of the breach.
Backups & recovery
Nightly backups occur on our hosting platform. These backups are encrypted at rest by our hosting provider. There is no ability to restore data if a user accidentally deletes it.
Access control & audit logs
For school-wide subscriptions, administrators can add or remove teachers and set which groups they are a member of. These changes are reflected immediately.
For individual subscriptions, any user can remove a member of a group they administer at any time.
We keep logs of all database actions for 7 days. These logs are accessible to our systems administrators.