Data Map

How personal data flows through Skills Hub

Overview

Last updated April 2026. Next review April 2027.

This document provides a transparent overview of how personal data flows through the Enterprise Skills platform, which includes Skills Hub for schools (free), and Skills Hub Workforce and the Employer Skills Audit for employers (paid). It describes what is collected, where it is stored, who can access it, and how it is protected. It is intended to support controllers' data protection obligations and due diligence processes.

Data Collection

Personal data enters the platform through two routes:

1. CSV upload

The controller uploads a CSV file containing first initial, surname, email address, and optionally a user ID. For workforce deployments this may also include job title, role, and department. This is performed by an authorised educator (schools) or an HR / L&D administrator (employers) through the admin portal. The controller retains full control over which users are provisioned.

2. SSO authentication

When a user signs in via Microsoft SSO or Google SSO, their name and email address are passed from the identity provider. Only the first initial of the first name is retained by the platform. Full first names are not stored.

Data Stored

The following personal data is held within the platform's database (Supabase, hosted in AWS eu-west-2, London, UK).

Data Where Stored Retention Access
First initial and surname Supabase database, UK Duration of licence. Email removed within 30 days of expiry. Full deletion within 90 days on request. User: own record. Educators / HR admins: own organisation.
Email address Supabase database, UK Removed within 30 days of licence expiry, or on request. Used for authentication only. Not exposed to other users.
User ID (optional) Supabase database, UK Duration of licence. Cross-reference with institutional MIS or HR system where provided.
Job title, role, department (workforce only) Supabase database, UK Duration of licence. HR / L&D admins: cohort segmentation only. Never used for automated decisions.
Simulation scores (HSI) Supabase database, UK Duration of licence. User: own scores. Educators / HR admins: cohort view. Org admins: organisation view.
Session data Supabase database, UK Duration of licence. Educators / HR admins: own organisation only.
Portfolio entries (schools only) Supabase database, UK Duration of licence. Student: own entries. Educators: after student submission.

Data in Transit

All data in transit is encrypted. The table below describes each data flow route.

Route Encryption Details
Browser to platform TLS 1.2+ HTTPS enforced by Cloudflare; HTTP redirected automatically.
Platform to database TLS 1.2+ Internal connection between Netlify and Supabase.
SSO authentication TLS 1.2+ OAuth 2.0 flow via Microsoft or Google.

Data at Rest

All data at rest is encrypted. Storage is confined to the UK.

Store Encryption Location
Primary database AES-256, AWS KMS AWS eu-west-2, London, UK
Database backups AES-256 AWS eu-west-2, London, UK

Third-Party Data Flow

The platform uses a small number of subprocessors. Personal data is not passed to any party beyond those listed below.

Service Personal Data Received Purpose
Supabase All personal data Database hosting and authentication
Netlify None at rest Application hosting (code only)
Cloudflare None at rest CDN, WAF, DDoS protection. Traffic in transit only.
Microsoft / Google SSO Authentication tokens Identity verification. No data stored by Enterprise Skills from SSO beyond first initial, surname, and email.

Data Not Collected

The platform does not collect any of the following. This list is exhaustive with respect to the categories below:

  • Full first names
  • Home addresses
  • Dates of birth
  • Medical information
  • Special Educational Needs (SEN) data
  • Free school meals status
  • Ethnicity or religion
  • Sexual orientation
  • Biometric data
  • Photographs
  • Any other special category data as defined under UK GDPR Article 9

Data Not Shared

Personal data is not shared with advertisers, analytics platforms, marketing services, or any third party beyond the subprocessors listed above. Personal data is not sold, licensed, or used to train machine learning models.

Enterprise Skills Ltd does not use identifiable personal data for any purpose other than delivering the service to the controller. Anonymised, aggregated HSI data is used to calibrate the Human Skills Index dataset under the terms of the school licence agreement and workforce data processing agreement.

Contact

For data protection queries, subject access requests, or deletion requests, contact our Data Protection Officer.

Data Protection Officer:
dpo@enterpriseskills.co.uk