Let's talk about what happens to your documents when you upload them to an audit platform. Because at most providers, the honest answer is: they keep them. Indefinitely. On servers you don't control, in jurisdictions you probably haven't checked, with retention policies buried on page 14 of a terms of service document nobody reads.
For a school, that's a problem. You're not uploading holiday photos. You're uploading financial statements, staff contracts, safeguarding reports, governance minutes, enrolment data. Documents that contain personal information about children, families, and employees. Documents that your data protection officer would rightly lose sleep over if they knew where they were sitting.
IRIS5 was built from the start to work differently. Not because privacy is a good marketing angle, though it is, but because there was no justification for building it any other way.
Who Can See Your Data? Not Even Us.
This is worth stating clearly: by design, PGC administrators — the people who built and run IRIS5 — cannot see your school's reports unless you let them. Access requires the account owner's explicit, revocable authorisation. There is no silent support override: without a grant from the owner, a staff member cannot open your results, and every access that does happen is logged and visible to you. If you have not authorised access, your data is inaccessible to us — we have built the system so that we cannot simply decide to look.
This is different from a platform that holds data centrally and protects it with role-based access controls that their own administrators can override at will. Here, staff access is gated on your consent: the system blocks it unless you have granted it, you can revoke it at any time, and every access is recorded. The privacy commitment is enforced by the system, not left to internal policy.
Documents In, Diagnostics Out, Nothing Stored
Here's how it works. You upload a document. The AI analyses it, extracting the relevant metrics, identifying patterns, flagging risks, and generating scores. Then the document is deleted. Not archived. Not moved to cold storage. Deleted.
What stays is the structured diagnostic output. The scores. The RAG ratings. The specific findings. The recommendations. A finding may quote a short supporting sentence from a document as evidence, but the outputs never contain the documents themselves. You couldn't reconstruct a financial statement from a diagnostic score any more than you could reconstruct a patient's blood sample from a test result.
This is a deliberate architectural choice. It would be easier for us to keep everything. We'd have richer datasets to train on, more context for follow-up analyses, fewer edge cases to handle when a school comes back six months later. But "easier for us" is the wrong design principle when you're handling school data.
Why This Matters More Than You Think
Data breaches in education are not theoretical. The UK education sector saw a sharp increase in ransomware attacks over the past three years. Schools are attractive targets because they hold sensitive data, are often under-resourced on IT security, and face strong pressure to pay to get their systems back because they cannot afford to close.
The safest way to protect sensitive documents is to not have them. You can't breach what doesn't exist.
If an audit platform stores your documents and that platform gets breached, your school's financial records, staff salary data, and safeguarding reports are now in someone else's hands. And you'll be the one explaining it to the ICO, to parents, and to your governing body.
IRIS5's approach reduces that attack surface dramatically. If systems were compromised, there would be no document cache to steal, because no cache exists. What persists is the analysis — metrics, findings and, at most, short quoted snippets kept as evidence — never your source documents. That is a fundamentally different risk profile.
EU-Hosted Infrastructure
Everything IRIS5 stores lives on EU-region servers: the database in Ireland, the application served from Paris. Your account, questionnaire responses and diagnostic results never sit on US storage.
There is one deliberate exception, and it is worth stating plainly because your DPO will ask. During a deep audit, document content is processed by Anthropic's Claude API in the United States — under a data processing agreement, with no model training on your data, and with only a limited retention window on Anthropic's side. The mitigation is architectural: IRIS5 never stores your documents anywhere, so the transfer is transient processing, not US data storage. Your documents do not live on a server in Virginia; they pass through one, briefly, and are gone.
For UK schools post-Brexit, the storage picture still matters. The UK GDPR mirrors the EU regulation closely, and UK adequacy decisions with the EU mean data can flow between the two.
What This Means for Your DPIA
If you are doing a Data Protection Impact Assessment, and any school considering a platform that processes school data should be, IRIS5's architecture simplifies things considerably.
The questions your DPO will ask:
- What personal data is processed? Documents are processed during analysis but not retained. Only the extracted diagnostic outputs persist — scores, findings, key facts and short supporting quotes — never the source documents.
- Where is data stored? EU-region servers (database in Ireland, application in Paris). The one transfer outside the framework is transient: document analysis by Anthropic's Claude API in the US, under a data processing agreement, with nothing stored beyond a limited retention window.
- How long is data retained? Documents: IRIS5 keeps them only for the duration of analysis (minutes, not months); the AI provider retains API inputs briefly under its retention policy and never trains on them. Diagnostic outputs: retained in your account until you delete them, plus up to 7 days in encrypted disaster-recovery backups (which never contain your source documents — those are never written to the database).
- What happens if the processor is breached? No document archive exists to be compromised. The diagnostic outputs hold the analysis and short quoted excerpts, not your source documents, so there is no bulk personal-data store to exfiltrate.
Compare that with a platform that stores your uploaded documents for 12 months, or "for the duration of the service relationship," or worse, does not specify. A DPIA becomes significantly harder when the retention question cannot be clearly answered.
The Trade-offs
It is worth being honest about what this approach costs, because nothing is free.
If you want to re-run an analysis six months later, you will need to upload your documents again. There is no cache to retrieve them from. That is a minor inconvenience in exchange for a significant architectural win for data protection, and it is the right trade.
Longitudinal document analysis across multiple time periods also requires you to provide the documents each time. A platform that stored everything could automatically compare this year's accounts to last year's. IRIS5 requires you to upload both. That takes an extra two minutes. Your data protection posture is worth two minutes.
And because IRIS5 does not retain documents, they cannot be used to improve its AI models. Other platforms might use uploaded content in that way. Check their privacy policies carefully, because many reserve the right to do so. If your school's safeguarding reports are being fed into a training dataset, even in anonymised form, that should concern you.
What to Ask Any Audit Platform
Whether you choose IRIS5 or something else, here are the questions your DPO should be asking any platform that processes school documents:
- Where are servers physically located? Get a specific region, not a brand name.
- How long are uploaded documents retained after analysis?
- Can you delete all my data immediately if I ask? How long does that actually take?
- Are uploaded documents used for AI model training?
- What happens to my data if your company is acquired or goes insolvent?
If the answers are vague, that tells you everything you need to know.
Ready to see where your school stands?
IRIS5 processes your documents for analysis and deletes them immediately. Only structured diagnostic outputs are retained. Never raw files.
Start Assessment