Is Claris FileMaker UK GDPR compliant?

FileMaker is software - no platform on its own makes you GDPR compliant. But a properly configured Claris FileMaker Server deployment can be built to meet UK GDPR obligations comfortably. The levers that matter: UK data residency, granular privilege sets, AES-256 encryption at rest, TLS 1.2+ in transit, audited access logs, encrypted backups, and a documented retention and deletion process. Compliance is roughly 20% platform and 80% configuration, process and documentation.

Where is FileMaker data stored?

It depends on your deployment model. A self-hosted Claris FileMaker Server stores data wherever you host it - typically UK cloud (AWS or Azure UK regions), a UK colocation facility, or on-premises. Claris FileMaker Cloud is AWS-hosted and offers an EU (Ireland) region, but as of 2026 there is no dedicated UK region. If you require strict UK data residency - common in public sector, healthcare and regulated finance - use FileMaker Server on UK infrastructure rather than FileMaker Cloud.

Is FileMaker data encrypted?

Yes. Data at rest can be encrypted with AES-256 using Encryption At Rest (EAR) on Claris FileMaker Server, and all client-to-server traffic is protected with TLS. Backups inherit the database encryption. For defence-in-depth at the field level, sensitive fields can additionally be wrapped with CryptAuthCode, CryptDigest, or base64-encoded blobs that require an application-level key to decrypt.

Does FileMaker meet ISO 27001 or Cyber Essentials?

FileMaker the software isn't accredited - certifications apply to the organisation operating the server. Claris FileMaker Cloud inherits AWS's SOC 2, ISO 27001 and PCI controls. Neptune Digital operates a Cyber Essentials-aligned managed FileMaker hosting environment in the UK, with backup encryption, MFA, patching SLAs and access reviews. If your buyer requires Cyber Essentials Plus or ISO 27001, have your hosting partner provide the evidence - not Claris.

How do I audit who changed what in FileMaker?

Claris FileMaker Server logs authentication and script events to Event.log, and account-level triggers can record logins and privilege changes. What FileMaker does not ship is a production-grade field-level audit log (who changed which field, from what, to what, when). Most serious deployments add a custom audit framework - we build these - that writes a before/after record to a dedicated Audit table on every commit of regulated fields. This is the single most common gap in inherited FileMaker systems.

What is a reasonable UK GDPR retention policy for FileMaker?

UK GDPR Article 5(1)(e) requires personal data to be kept no longer than necessary. Typical, defensible retention periods: operational business records 7 years (tax-aligned), CRM records 6 years after last contact, ex-employee HR records 6 years post-termination, marketing consent logs indefinitely, un-converted prospect data 12 months. Implement these as scheduled FileMaker Server scripts that anonymise or delete records past their retention threshold - don't rely on someone remembering to clean up manually.

Can I handle Data Subject Access Requests (DSARs) in FileMaker?

Yes - and UK GDPR requires you to respond within 30 days (extendable to 3 months for complex requests). A well-built FileMaker system centralises personal data behind a single Subject or Contact primary key, with scripted tooling to (1) export every field associated with a subject, (2) redact or delete on request, and (3) log that the DSAR was actioned. If your current system can't do any of these, building a DSAR toolkit is typically a 2–4 day engagement.

What about backups and disaster recovery?

At minimum: encrypted daily backups, geographically separated from the primary server, with a tested monthly restore drill. On the Neptune Digital managed platform we run hourly progressive backups, nightly full backups to encrypted UK cold storage, and quarterly full-restore drills - including restoring to an isolated environment to verify encrypted backups actually decrypt. A backup you've never restored is not a backup.

RESOURCES · SECURITY

FileMaker Security & UK GDPR - 2026 Buyer's Checklist

Data residency, encryption, audit logging, DSARs, retention, backup posture. The fourteen things to check before you trust a FileMaker system with regulated UK data.

Published 2026-04-17 · Written by Neptune Digital

This guide is for teams buying, inheriting or auditing a Claris FileMaker system that handles personal data in the UK. It is not legal advice - for that you need a qualified DPO or solicitor - but it is the checklist we use every time we onboard a new client or complete a FileMaker Health Check. If an inherited system fails on more than two or three of these, it needs remediation before it keeps carrying your data.

The UK GDPR basics that matter for FileMaker

UK GDPR (the Data Protection Act 2018, retained post-Brexit) sets out six data-protection principles. Translated into FileMaker engineering terms, they become:

Lawfulness / fairness / transparency: every record has a documented lawful basis; the system can explain what it stores and why.
Purpose limitation: fields and tables are scoped to the purpose you told the subject about.
Data minimisation: no legacy columns holding data you no longer need - a surprisingly common finding.
Accuracy: subjects can correct their data; the system supports amendment and versioning.
Storage limitation: automated retention and deletion, not manual cleanup.
Integrity & confidentiality: encryption at rest, encryption in transit, access control, audit logs.

The 14-point FileMaker security checklist

#	Control	What good looks like in 2026
1	UK data residency	FileMaker Server hosted in UK region; or contractual DPA with Claris Cloud (EU region).
2	Encryption at rest (EAR)	AES-256 EAR enabled on every hosted file; password vaulted, not in a README.
3	TLS in transit	Valid CA-signed cert, TLS 1.2+ enforced, weak ciphers disabled.
4	Authentication	External auth via Claris ID, Azure AD / Okta / Google Workspace (OAuth/OIDC) - ideally with MFA enforced.
5	Privilege sets	Role-based; no "Full Access" accounts for end users; dev accounts separated from prod.
6	Field-level access	PII fields protected with record-level calc predicates, not reliant on layout hiding.
7	Audit log	Custom before/after audit table on regulated fields; retained 7 years; tamper-evident.
8	Backups	Hourly progressive + nightly full; geo-separated; encrypted; restore-tested quarterly.
9	Patching	FileMaker Server + OS patched within 30 days of vendor release; CVE tracker in place.
10	Monitoring / alerting	Disk, CPU, connection count, failed login alerts routed to on-call; not just email.
11	Retention & deletion	Scheduled server scripts anonymise/delete records past documented retention thresholds.
12	DSAR tooling	One-click subject export; redaction flag; DSAR log retained.
13	Access reviews	Quarterly human review of accounts, leavers disabled within 24h of HR notification.
14	Documentation	ROPA entry for the system, DPA with hosting partner, IR runbook owned by a named person.

Self-host vs FileMaker Cloud - for UK buyers

The biggest architectural choice is where the server runs. As of 2026 there is no UK-native Claris FileMaker Cloud region - the EU region is Dublin (Ireland). For most commercial workloads that is fine; for public sector, healthcare, legal and defence-adjacent clients it usually is not.

Dimension	FileMaker Server (UK self-host)	Claris FileMaker Cloud
Data residency	UK-only (AWS UK, Azure UK, UK colo)	EU (Ireland) - no UK region
Encryption at rest	Configurable EAR + host-level disk encryption	Managed, always on
Patching	You (or your managed host)	Claris - good SLA
Accreditation inheritance	Cyber Essentials / ISO 27001 via hosting partner	AWS SOC 2, ISO 27001, PCI
Server-side plugins / Admin API	Full access	Restricted
Typical UK buyer fit	Public sector, healthcare, regulated, bespoke	SMEs, light compliance, fast start

The audit-log gap - and how to close it

Claris FileMaker does not ship a production-grade field-level audit log. The server logs authentication, and script-level triggers exist, but neither gives you a "who changed field X from A to B, when, from which client" record that regulators expect. The usual fix is a shadow audit framework: a single Audit table, populated via OnRecordCommit script triggers, with immutable rows keyed to the edited record, the editing account, a timestamp and the before/after values. Done right, it adds under 5% overhead and gives you defensible evidence in an ICO investigation.

DSAR tooling - the 30-day clock

UK GDPR gives you 30 calendar days to respond to a Data Subject Access Request (extendable to three months if complex). If your FileMaker system has personal data scattered across half a dozen tables with no central Subject key, that clock will beat you. What good looks like:

A central Subject (or Contact) primary key every PII-bearing record points to.
A "Export Subject" script that collates every field from every table for a given subject into a single PDF / JSON bundle.
A "Redact Subject" script that either anonymises (safer) or deletes (sharper) with an audit trail of what was done.
A DSAR log - which subject, which request type, who actioned, when, outcome.

We typically build this as a 2–4 day engagement on an existing system, often alongside a FileMaker Health Check.

Common red flags in inherited systems

Every user logs in as "Admin" with Full Access privileges (no personal accountability).
Encryption at rest disabled because "it slows backups down".
A single shared password in a README or onboarding doc.
Backups on the same physical server as the live database.
No retention policy - customer records from 2012 still sitting in production.
Hosting provider gives you no DPA and can't tell you which data centre your data is in.
Leavers are still enabled weeks after HR-announced departures.
No field-level audit - you can see a record was changed, but not what was changed or by whom.

What good looks like in 2026

A 2026-grade FileMaker deployment looks roughly like this: UK-hosted FileMaker Server on encrypted disks, EAR on all hosted files, SSO via Azure AD / Okta / Google Workspace with MFA, role-based privilege sets with no end-user Full Access, a shadow audit framework on regulated fields, hourly encrypted backups to geo-separate UK storage, quarterly restore drills, a documented ROPA entry, a signed DPA with the hosting partner, and a DSAR toolkit that has actually been used at least once in anger.

This is the Neptune Digital managed hosting baseline. If you are assessing a different partner, ask them to evidence each of the 14 controls in the table above - not "yes we do that", but a screenshot, log export, or policy document per control. Good partners will have them ready.

FAQs

FileMaker security & UK GDPR FAQs

Worried about an inherited FileMaker system?

Our FileMaker Health Check covers all 14 controls on this checklist and produces a written report you can share with your DPO, auditors or board. Book a free 30-minute scoping call to see whether it's the right fit.

Book a call