Security & Trust

We're the tool, not the filing cabinet.

CaseFlo helps you write documents faster — without ever becoming the place your agency's data lives.

About CaseFlo

CaseFlo Limited is a UK-registered company (Company No. 17181579), incorporated in England and Wales on 27 April 2026. Our registered office is 16 Kirchen Road, London W13 0TY. All data processed via CaseFlo is stored on UK-based servers in compliance with UK GDPR and the Data Protection Act 2018.

CaseFlo is a Data Processor — not a Data Controller

Under UK GDPR, your agency stays in control of every piece of information about the children and carers on your books. We only process the notes you give us to draft a document, then we hand that document back to you. We never own your data. We never build profiles of children or carers. We never become your system of record.

What this means in plain terms

Your data stays yours

If a birth parent submits a Subject Access Request, it goes to your agency, not to us. If your agency changes software providers, you don't have to extract years of case data from our servers — because we're not storing years of case data. We only hold what we need, for the time it takes to help you write one document.

Your work is safe while you're writing it

Your drafts save automatically as you work. If your browser crashes, your laptop dies, or you accidentally close the tab, your draft is still there when you log back in. You can't lose an assessment because of a technical problem at our end.

Zero-Retention mode — once it's done, it's gone

On our Scale tier, the voice recordings and working drafts you create are automatically deleted 24 hours after you export your final document to Word. Your agency keeps the final document on your own systems. CaseFlo keeps nothing.

Your agency's own storage — if you want it

On our Scale tier, exported documents can go straight into your agency's SharePoint, OneDrive, or shared drive. CaseFlo never stores the finished file. The only copy that exists is the one your agency has.

UK data protection

CaseFlo is designed for UK fostering practice and hosted entirely in the UK. All your data is stored on infrastructure in London — not sent to servers in the US or anywhere else.

We encrypt everything. Data travelling to and from your browser is protected by TLS 1.3. Data at rest on our servers is encrypted with AES-256. We log who accessed what, and when.

Our infrastructure providers (Supabase and Vercel, both London-hosted) hold ISO 27001 certification. We're working toward Cyber Essentials Plus for CaseFlo itself.

Who sees your data

A small, defined list of services help us run CaseFlo. Every one of them is GDPR-compliant and audited. Full list:

Provider	Purpose	Location
Supabase	Database and authentication	UK (London)
Vercel	Application hosting	UK (London)
Anthropic	AI drafting (does not store your inputs)	EU / US (processing only, no retention)
AssemblyAI	Audio transcription (batch upload, live streaming, and short-form voice notes)	USA (SCCs in place)
Sentry	Technical error monitoring only — no case content	EU (Germany)
CloudConvert	Document export and file conversion	Germany (EU adequacy)
Google Workspace	Internal communication and document collaboration	USA (SCCs in place)

Documents for your records

Before you use CaseFlo with real case data, we'll send you a signed Data Processing Agreement and help you complete your own Data Protection Impact Assessment. Request these from us directly.

Request DPA and DPIA template

If you have a specific data protection question this page hasn't answered, email cheyenne@caseflo.co.uk and Cheyenne or Ramayne will reply personally within one working day.