Walkthrough

Platform walkthrough: from sign‑up to SAR delivery

This short walkthrough shows how Fisar works in practice - from creating an organisation and securely connecting your systems, through to running a Subject Access Request, reviewing redactions, and delivering the final files.

00:00

/

00:00

FAQ

Everything you need to learn about Fisar

Common questions about our platform, security measures and how we help schools manage Subject Access Requests efficiently and compliantly.

Show More
  • 01

    What is Fisar?

    Fisar is an enterprise data governance, discovery and compliance platform that automates Subject Access Requests (SARs) from end to end. It connects to your existing systems, finds the personal data held about an individual, applies AI-assisted review and redaction, and delivers a secure, audit-ready disclosure package - turning a process that traditionally takes weeks into one that can be completed in well under a day.

  • 01

    What problem does Fisar solve for schools?

    Schools typically spend 20-30 hours processing each SAR manually, pulling teachers and administrators away from teaching and operational duties and creating pressure around ICO deadlines. Fisar removes this burden through intelligent automation, so staff can focus on education rather than paperwork.

  • 01

    What problem does Fisar solve?

    Organisations often spend 20-40+ hours manually searching email, cloud storage, collaboration tools and MIS systems to answer a single SAR, creating compliance risk, missed statutory deadlines and significant operational disruption. Fisar removes that burden through intelligent automation, consistent redaction and a defensible, fully auditable workflow.

  • 01

    Which school systems does Fisar integrate with?

    Fisar connects with major MIS and safeguarding platforms used in education, including Bromcom, Integris and CPOMS, as well as Microsoft 365 and Google Workspace for email, files and messages. Additional school systems can be added on request.

  • 01

    Who is Fisar designed for?

    Fisar is built for any organisation that regularly handles personal data and must respond to Subject Access Requests. It is purpose-built for the UK education sector - schools, colleges, universities and multi-academy trusts - and also supports healthcare, government, corporate and NGO organisations through configurable sector templates.

  • 01

    How does Fisar work?

    You connect your existing systems, then raise a SAR from the dashboard. Fisar verifies the requester's identity, gathers relevant data through read-only API calls, removes duplicates and checks relevance, then uses AI to identify and redact third-party information. Your Data Protection Officer reviews the result before Fisar delivers a secure, password-protected disclosure package to the requester.

  • 01

    How quickly can a school go live?

    Most schools are operational within 1-2 weeks but the process can be completed quicker if necessary. Fisar manages the technical setup and provides clear onboarding so staff can begin using the platform almost immediately.

  • 01

    How is Fisar different from processing SARs manually?

    Manual SARs rely on staff searching system by system, copying files and redacting by hand. Fisar automates discovery across all connected systems, applies consistent AI-assisted redaction with human review, and produces a complete audit trail - reducing processing effort by up to 99% while improving consistency and defensibility.

  • 01

    Is Fisar aligned with DfE and GDPR requirements?

    Yes. Fisar is designed to meet UK GDPR obligations and to align with DfE digital and safeguarding standards. The platform provides encrypted storage, per-school data isolation and full audit trails.

  • 01

    How is Fisar different from other privacy or GDPR tools?

    Fisar is UK education-native and combines MIS and cloud-productivity integrations in a single platform. Key differentiators include unified discovery across Microsoft 365, Google Workspace and school MIS systems; an explainable AI pipeline with human-in-the-loop review; trust-level governance; confidence-scored file selection before disclosure; and schema-per-tenant data isolation.

  • 01

    How is third-party pupil information protected in a disclosure?

    When a document references a pupil other than the data subject, Fisar's AI identifies that third party and redacts their information before disclosure. Your DPO reviews the redacted files before anything is released, helping you avoid disclosing information about other pupils.

  • 01

    How much time and effort can Fisar save us?

    Organisations typically see a 60-80% reduction in manual SAR handling effort, with many complex requests completed in under a day rather than weeks. Time savings come from automated cross-system discovery, de-duplication, AI-assisted redaction and a single review-and-approve step for your DPO.

  • 01

    How does Fisar identify the correct pupil?

    Fisar verifies identity using the records and metadata from your connected school systems, and separates exact matches from partial ones using confidence scoring. Where a pupil is not present in a connected system, your DPO verifies identity manually before the SAR proceeds.

  • 01

    What systems does Fisar connect to?

    Fisar connects to Microsoft 365 and Google Workspace today, alongside education MIS platforms such as Bromcom. More than a dozen further integrations are on the roadmap and can be prioritised on request, and bespoke, on-demand integrations can be built for your specific systems.

  • 01

    What data sources and repositories can Fisar search?

    Within connected systems, Fisar can search OneDrive and SharePoint, Google Drive and Shared Drives, Exchange Online and Gmail mailboxes, Microsoft Teams chats, Google Chat, and Google Calendar - covering the email, files and messages most relevant to a SAR.

  • 01

    Can multi-academy trusts use Fisar across multiple schools?

    Yes. Fisar supports MAT structures with secure data separation for each school while allowing central oversight where appropriate, giving trusts trust-wide visibility of SAR volumes and compliance.

  • 01

    Does Fisar integrate with Microsoft 365 and Google Workspace?

    Yes. Both integrations are direct and use single sign-on (SSO) - no middleware is required. Once an integration is available in Fisar, connecting your environment typically takes only a few minutes.

  • 01

    Can Fisar search Microsoft Teams and other collaboration tools?

    Yes. Fisar can search Microsoft Teams chats and shared files where the appropriate licences, scopes and user consent are in place. Additional collaboration platforms are on the roadmap and can be prioritised on request.

  • 01

    How quickly can a new integration be added?

    If an integration is already available in Fisar, it can usually be connected in 1–2 minutes via SSO. For a new or bespoke integration, setup typically takes 2–4 days, depending on how quickly API keys and the necessary platform documentation are provided.

  • 01

    How is data collected from connected systems?

    Fisar uses read-only, scoped API calls to retrieve only the data needed for a specific SAR. Data is fetched as a byte stream into a temporary processing pipeline - it is not copied or accessed in place - and is removed once the SAR is complete. This minimum-privilege approach supports full auditability and GDPR/DPA compliance.

  • 01

    How does Fisar handle duplicate records across systems?

    Fisar automatically de-duplicates files and data as it collects them from connected systems, so reviewers are not working through the same content multiple times.

  • 01

    What is the end-to-end SAR workflow?

    A SAR moves through acknowledgement, identity verification, data gathering, data transformation (de-duplication and relevance checks), AI-assisted review and redaction, and secure response delivery. The order adapts slightly for organisational versus individual requests, and your DPO reviews everything before disclosure.

  • 01

    How does Fisar find the right information?

    Fisar looks up the subject by name or email through connected directory APIs, queries the relevant systems for that identity within the SAR date range, and checks extracted text for the subject's name, email or phone number. Files are confidence-scored as high or low to guide human review, and AI classifies named entities as the subject or third parties for redaction.

  • 01

    What does the AI actually do?

    The AI supports discovery and disclosure by detecting named entities, classifying them as the data subject or third parties, scoring file relevance and confidence, and applying redaction to third-party information. De-duplication and encryption run alongside. Every SAR includes human review by your DPO before disclosure.

  • 01

    What is automated and what stays under human control?

    Discovery, relevance scoring and redaction are automated. Creating the request, verifying the requester and approving the final disclosure remain firmly under your DPO's control - nothing is sent without human review.

  • 01

    Is there human review before disclosure?

    Always. Your DPO reviews the gathered and redacted files and explicitly approves both the requester's identity and the accuracy of the response before Fisar delivers the disclosure package.

  • 01

    How are statutory deadlines tracked?

    Every SAR is set against the 30-day statutory clock from its creation date. Fisar shows the deadline on the SAR page, surfaces approaching deadlines on the dashboard, and notifies your DPO as the deadline nears or is exceeded, with SLA compliance tracked for each DPO.

  • 01

    How is the final disclosure delivered to the requester?

    Once your DPO approves, Fisar bundles the redacted files into a password-protected ZIP archive and emails the requester a secure download link. The password is shared with the data subject separately through a different channel, and the SAR is then marked complete.

  • 01

    Is Fisar secure and GDPR compliant?

    Yes. Fisar is designed from the ground up for UK GDPR and DPA 2018 compliance. Personal data is processed on a read-only basis and is not retained beyond the SAR lifecycle. The platform uses encryption, strict access controls, per-tenant data isolation and complete audit trails.

  • 01

    Where is our data stored and processed?

    All data is hosted in the AWS EU-West-2 (London) region - it is not processed or stored outside the UK/EEA. Files are held only temporarily in secure storage during the SAR lifecycle, and data residency is enforced at the infrastructure level.

  • 01

    What happens to our data, and how long is it kept?

    Personal data processed during a SAR is retained only for the duration of that SAR. On completion, processed files are purged from the pipeline and storage. Organisational records such as your account details and audit logs are retained for the life of your subscription.

  • 01

    How is our data kept separate from other organisations' data?

    Fisar uses a schema-per-tenant isolation model. Each organisation operates in a logically isolated database schema with no shared storage between organisations, so your data is never commingled with anyone else's.

  • 01

    How is data encrypted?

    Data is encrypted in transit with TLS and at rest using AES-256 within AWS. Disclosure packages are additionally protected with a password that is shared with the data subject through a separate, out-of-band channel.

  • 01

    How is access to the platform controlled?

    Access is governed by defined permission roles and multi-tenant schema isolation, so users only see what their role allows. Authentication uses secure tokens, with an additional internal service key protecting system-to-system communication.

  • 01

    How is customer data protected on AWS?

    Fisar uses AWS-native security controls including VPC isolation, least-privilege IAM policies, S3 encryption, audit logging and threat detection - all within the EU-West-2 (London) region.

  • 01

    What policies support compliance?

    Fisar maintains a Data Processing Agreement, Privacy Policy, Information Security Policy and Acceptable Use Policy. These are available to enterprise customers as part of the procurement pack.

  • 01

    Why was a document included in or excluded from a disclosure?

    A document is included when it contains information relating to the data subject - their name, email, phone number or clearly related details. Documents with no relevant connection are excluded, and partial matches are surfaced as low-confidence for human review rather than included automatically.

  • 01

    How does Fisar protect third-party information?

    When a document mentions someone other than the data subject, Fisar's AI identifies that third party and redacts their information before disclosure. Your DPO reviews the redacted output before anything is sent.

  • 01

    How does Fisar identify the correct individual?

    Fisar verifies identity using the records and metadata from your connected systems, and can append email-based searches to each identity to separate exact matches from partial ones. Where an individual is not present in a connected system, your DPO verifies identity manually before the SAR proceeds.

  • 01

    Why was a redaction applied?

    Redactions are applied where a document contains third-party personal information. The AI detects those entities and masks them, leaving the data subject's own information intact, with your DPO reviewing before disclosure.

  • 01

    How long does implementation take?

    Once your subscription is confirmed, you’ll be able to book an onboarding call - typically within 3–10 days. We’ll guide your team through the dashboard and configure the relevant integrations so you can start using Fisar with minimal disruption. If there’s an urgent SAR or deadline, schools using existing live integrations can often be set up within 24 hours. New integrations usually take 24–48 hours once API keys have been supplied.

  • 01

    What support is available?

    Fisar provides UK-based support via email ticketing during UK business hours (Monday to Friday), alongside documentation and onboarding guidance. Most queries are resolved quickly to minimise operational disruption.

  • 01

    What uptime does Fisar provide?

    Fisar targets 99.5% platform availability, measured monthly and excluding scheduled maintenance. Uptime is monitored continuously and can be shared with enterprise prospects during due diligence.