OMNIA Inclusion — Data Residency One-Pager
For school procurement, DPOs, and IT leads. Last updated 1 June 2026.
Where is our data held?
All pupil, parent, and staff personal data entered into OMNIA Inclusion
is stored in AWS Europe (Ireland), region eu-west-1, on managed
PostgreSQL provided through Lovable Cloud (Supabase).
The application itself runs on Cloudflare Workers at the edge. Request bodies are processed in memory only and are not persisted at the edge — every write lands in the Ireland database.
Is this lawful for a UK school?
Yes. Ireland is part of the European Economic Area. Transfers from the UK to the EEA are covered by the UK's adequacy regulation for the EEA (UK GDPR), so no International Data Transfer Agreement (IDTA), Standard Contractual Clauses, or transfer-impact assessment are required for the hosting leg. Our master DPA and security overview document the controller / processor relationship.
Is this lawful for a UAE school (e.g. Brighton College Abu Dhabi)?
Yes. The UAE Data Office's accepted-list for cross-border transfers under the Federal PDPL (Art. 22) includes EU member states. Our DPA adds the contractual safeguards required to instruct the transfer and to flow obligations through to sub-processors.
What about AI features?
Standard mode. When OMNIA uses a large language model (for example, to summarise a specialist report), the request goes through our server-side PII scrubber before it leaves our infrastructure. The scrubbed payload is then routed via the Lovable AI Gateway to Google (Gemini) or OpenAI in EU regions where available. We do not opt in to model training.
BYOK mode (Connected tier opt-in). Schools may activate Bring Your Own Key to route AI traffic to their own provider tenancy instead of the Lovable AI Gateway. Supported providers and example regions:
| Provider | Example regions | Notes |
|---|---|---|
| Anthropic | Per Anthropic's published regions | School holds the contract |
| Azure OpenAI | uksouth, uaenorth, plus any region the school's Azure tenant offers | School chooses region; uaenorth is outside the UK / EEA |
PII scrubbing applies to BYOK traffic too. The school is the controller of its provider relationship and accepts the residency decision in its DPA. API keys are AES-256-GCM encrypted at rest; the plaintext key is never returned to the browser.
Encryption
- In transit: TLS 1.2+ on every connection (browser → edge → database).
- At rest: AES-256 disk encryption on the managed Postgres and object storage provided by AWS / Supabase.
- Backups: taken inside the same EU region; not replicated outside the EEA.
Sub-processors
A full, current list is maintained at /legal/sub-processors. The
infrastructure sub-processors that touch pupil data are:
| Sub-processor | Role | Location |
|---|---|---|
| Supabase (via Lovable Cloud) | Managed Postgres, object storage, auth | AWS eu-west-1, Ireland |
| Cloudflare | Edge compute, CDN, DDoS protection | Globally distributed; nothing persisted at edge |
| Lovable AB | Application hosting / CI / deploy | EU |
We give schools at least 30 days' written notice before adding or replacing any sub-processor that processes pupil data.
Paperwork available on request
- Data Processing Agreement (master DPA).
- International Data Transfer Addendum (UK IDTA + EU SCCs by reference).
- UAE Jurisdiction Addendum (PDPL-aligned) for Abu Dhabi / Dubai schools.
- DPIA template covering the platform's core processing activities.
- Security overview and breach notification SOP.
Contact
privacy@omnia-inclusion.com for the DPA, transfer addenda, security questionnaire responses, or any data-residency clarification.