For IT Teams

Data Protection & IT Integration Pack

Technical summary of our platform architecture, security measures, and data handling practices to support IT due diligence in schools.

Architecture Overview

Our platform uses modern web technologies with an emphasis on security and scalability. It is built on a stateless, token-based model that integrates seamlessly with existing school systems.

Component        Details
Hosting          Netlify with Cloudflare edge protection
Frontend         React and Vite
Authentication   JWT session-based access
Backend          Supabase (hosted Postgres)
Edge Functions   Secure server-side logic
Data Security    Row-Level Security, SSL/TLS encryption
Data Location    EU-based servers

Key Security Measures

No Stored Passwords

Users are authenticated via short-lived signed tokens. There is no password database to compromise.

Row-Level Security

Strict RLS rules scoped by user identity. Users can only access their own data.

HTTPS Encryption

All traffic is encrypted via TLS 1.3. No data is transmitted in plain text.

Isolated Functions

Server-side edge functions for sensitive operations. Separate dev and production environments.

No cookies or analytics without explicit consent. We don't track students beyond what's necessary for the platform to function.

Authentication Model

How It Works

Schools' trusted student portals issue single-use JWTs. These tokens are appended to launch URLs and verified server-side.

https://student.enterpriseskills.co.uk?token=eyJhbGciOi...

Session Flow

1. Student clicks launch link with embedded token
2. JWT decoded and verified via Supabase Edge Function
3. App extracts: student_id, access_id, school_code
4. Session initialised for the tool (15-30 minute validity)
5. Token discarded immediately after verification
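
The verification in steps 2 to 5, as an added example rather than the platform's own code. It assumes HS256 signing with the shared JWT_SECRET, an exp claim for expiry and a jti claim for single-use enforcement; signToken, verifyLaunchToken and the usedJti store are hypothetical names, and the sample claims and secret are constructed.

```javascript
const crypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");

// Hypothetical issuer, standing in for the school portal that mints launch tokens.
function signToken(claims, secret) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.createHmac("sha256", secret).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(sig)}`;
}

// Assumption: in-memory replay store; a real deployment needs a shared store with a TTL.
const usedJti = new Set();

function verifyLaunchToken(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, "base64url").toString("utf8"));
    claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed" };
  }
  if (!header || !claims || typeof claims !== "object") return { ok: false, reason: "malformed" };
  // Pin the algorithm server-side; never let the token header choose it (rejects "none").
  if (header.alg !== "HS256") return { ok: false, reason: "bad_alg" };
  const expected = crypto.createHmac("sha256", secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad_signature" };
  }
  if (typeof claims.exp !== "number" || claims.exp <= now) return { ok: false, reason: "expired" };
  if (typeof claims.jti !== "string" || usedJti.has(claims.jti)) return { ok: false, reason: "replayed" };
  for (const key of ["student_id", "access_id", "school_code"]) {
    if (typeof claims[key] !== "string" || !claims[key]) return { ok: false, reason: "missing_claim" };
  }
  usedJti.add(claims.jti); // consume the token only after every check has passed
  const { student_id, access_id, school_code } = claims;
  return { ok: true, session: { student_id, access_id, school_code } };
}

// Constructed demo: the first use is accepted, the replay of the same token is rejected.
const demoSecret = "constructed-demo-secret";
const demo = signToken({ student_id: "fb8a65ed-1557-4c24-82c2-f102bfd4fe9d", access_id: "a-1001", school_code: "SCH01", jti: "demo-1", exp: Math.floor(Date.now() / 1000) + 60 }, demoSecret);
console.log(verifyLaunchToken(demo, demoSecret));
console.log(verifyLaunchToken(demo, demoSecret));
```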

Token Contents - Privacy by Design

  • Minimal and secure - only what's necessary
  • No passwords, names, or email addresses
  • Only internal, non-PII identifiers
  • Encrypted and signed with private JWT_SECRET

What is a Student ID?

The student_id is a randomised UUID, not personally identifiable information:

fb8a65ed-1557-4c24-82c2-f102bfd4fe9d

This allows session and progress management without revealing student identity. The ID cannot be reverse-engineered to identify a student.

Data Sovereignty

EU-Based Data Processing

All data is processed and stored within the European Union, complying with both UK GDPR and EU GDPR standards. No data is transferred outside the EU/UK.

Processor vs Controller Roles

Enterprise Skills Ltd typically acts as:

  • Data Processor: on behalf of schools as Data Controllers (most common)
  • Joint Controller: for public pilots or standalone platforms

We can provide a Data Processing Agreement (DPA) or Joint Controller Agreement as required.

Data Protection Impact Assessment

Pre-filled DPIA Template

We provide a DPIA template that's approximately 80% pre-completed for your data protection officer. This covers our platform architecture, data flows, and security measures.

Contact us to request the latest version of our DPIA template.

Data Security Summary

  • End-to-end encryption (HTTPS/TLS 1.3)
  • Row-Level Security enforcement
  • Short-lived, single-use JWTs
  • No password storage
  • Isolated dev/production environments
  • EU-based data storage

Support Contacts

Data Controller

Chris Simmance

[email protected]

For data protection queries, DPA requests, and compliance questions.

Technical Support

Available upon request

For integration support, technical documentation, and implementation queries.

Data Protection Officer: Not formally appointed. Data protection responsibilities are overseen directly by the Controller (Chris Simmance).

Need more information?

Get in touch with our team to discuss your specific requirements or request additional documentation.
