We take data security very seriously
Only UK and Ireland data centres
User data and backups are only stored and processed in UK and Ireland data centres. All data is stored in accordance with the General Data Protection Regulation (GDPR) 2018. We are registered with the IoM Information Commissioner with registration reference R002884.
Servers sit behind multiple firewalls within a VPC. Only ports 80 and 443 are publicly accessible. The database server is reachable only from within the VPC and from whitelisted IP addresses.
All our servers and technology infrastructure are provided by Amazon Web Services. Only our lead developers and CTO have access to this environment. Servers are automatically updated on a weekly basis as security patches are released. All servers are encrypted, and physical security is ensured by AWS.
User data and backups are encrypted at rest and in transit, using 256-bit SSL/TLS 1.3 protocols. In addition, sensitive data such as passwords are hashed and can never be decrypted.
Backups are made automatically every day and retained for 31 days. Database logging and monitoring are enabled.
Photos, videos and documents uploaded to our platform are encrypted and stored on AWS. Our storage gives files 99.999999999% durability, and we store all files within the UK region.
Layered access security
Administrators have limited access to student data, and only when strictly necessary. We use user-type appropriate password rules regarding password length, complexity, age, number of allowed failed logins and 2-step authentication.
Vulnerability assessments are performed regularly and at least annually, both manually and automatically by our developers. The platform has undergone Penetration Testing by an independent Cyber Security Consultancy.
CSP, Clickjacking and XSS
The platform uses a strong Content Security Policy (CSP) to help prevent Cross-Site Scripting (XSS), clickjacking and other attacks resulting from code injection. We recommend using a modern, up to date browser that supports the latest CSP specifications.
We require all our users to have a strong password: a minimum of 8 characters including a mixture of uppercase letters, lowercase letters, numbers and special characters.
Account lockout
Users are automatically logged out after a period of inactivity. Accounts are also disabled following 10 failed login attempts.
If users delete their account by accident, we can restore the account back again as long as we are alerted within one month.
Users are able to retain control over sharing their profile with others. Shared links can be invalidated and users can configure elements of their profile to remain private. Users can also hide their profile for a period of time if desired.
Our business continuity and disaster recovery plans are in place and are reviewed annually, or a simulated exercise is performed.
We are accredited with both Cyber Essentials and IASME Governance. We are also working towards achieving ISO27001.