Trust & security
One page that gives your security, legal, and procurement teams everything they need: regulatory mapping, data-processing terms, sub-processor register, encryption architecture, SSO setup, and our responsible-disclosure policy. Every claim links to the underlying evidence.
Last reviewed: 2026-05-13 · Owner: Engineering Lead · Questions: [email protected]
UK GDPR, DPA 2018, Children's Code, KCSIE 2025, and the DfE Generative AI Product Safety Standards, mapped to specific platform controls with code-path evidence.
Where your data lives, who processes it on our behalf, and the legal mechanisms protecting every transfer. Sub-processor changes are notified at least 30 days in advance.
AES-256-GCM at rest with HSM root key, per-tenant and per-user envelope encryption, crypto-shredding for right-to-erasure, two-tier authorisation enforced by CI. Every decryption is recorded in a tamper-evident transparency log anchored externally to Sigstore Rekor, verifiable without trusting us.
Production SAML 2.0 and OIDC for enterprise SSO; SCIM 2.0 for directory sync; argon2id + HIBP for passwords; TOTP and WebAuthn passkeys for MFA; HMAC-chained immutable audit log for every privileged action. Microsoft Entra is supported via the standard SAML/SCIM integration; Okta is supported via SCIM with SAML or OIDC; Microsoft Graph platform integration ships as a multi-tenant app for one-click admin consent.
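As an added illustration of the HMAC-chained audit log and the externally anchored transparency log described above (example code written for this page, not the platform's own implementation): each entry's HMAC covers the previous entry's HMAC, so an edited, reordered, inserted or deleted entry breaks the chain, and comparing the chain head against a value published outside the system catches truncation, which chain verification alone cannot see. The key, field names and entries are constructed.

```python
import hmac
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # "prev" value carried by the first entry

def _canonical(body: Dict) -> bytes:
    # Deterministic serialisation so writer and verifier MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def _mac(key: bytes, body: Dict) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()

class ChainedAuditLog:
    """Append-only log: each entry's HMAC also covers its predecessor's HMAC."""

    def __init__(self, key: bytes) -> None:
        self._key = key  # constructed demo key; a real deployment keeps this in an HSM/KMS
        self.entries: List[Dict] = []

    def append(self, actor: str, action: str, target: str) -> str:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "actor": actor, "action": action,
                "target": target, "prev": prev}
        body["mac"] = _mac(self._key, body)  # MAC computed before "mac" is added
        self.entries.append(body)
        return body["mac"]

    def head(self) -> str:
        # The value to publish externally (the page anchors its log to Sigstore Rekor).
        return self.entries[-1]["mac"] if self.entries else GENESIS

def verify_chain(entries: List[Dict], key: bytes,
                 anchored_head: Optional[str] = None) -> Tuple[bool, int]:
    """Return (ok, index); index is the first bad entry, or len(entries) when ok."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i  # reordered, inserted or deleted entry
        if not hmac.compare_digest(_mac(key, body), e.get("mac", "")):
            return False, i  # edited entry, or wrong key
        prev = e["mac"]
    if anchored_head is not None and not hmac.compare_digest(prev, anchored_head):
        return False, len(entries)  # internally valid but truncated after the anchor
    return True, len(entries)
```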
Found a security issue? We respond to good-faith reports within 2 working days and commit not to pursue legal action against research consistent with our policy.
Individuals can export their data, request erasure, and object to processing. Institutional admins can do the same on behalf of users they control. We respond within 30 days; most exports complete within 72 hours.
Email [email protected] with your standard form (CAIQ, SIG, vendor-specific) and we will return it within 5 working days. We do not insist on our own form; we complete yours.
For pre-procurement conversations, ask for our compliance pack; it bundles the DPA, sub-processor register, cryptography policy, security model, DPIAs, incident response runbook, and the enterprise compliance roadmap so your team can read everything in one sitting.