Information Security
How we protect your data
Overview
Last updated March 2026. Next review September 2026.
Platform Architecture
The Skills Hub is a browser-based web application. There are no native apps, no software downloads, no browser plugins, and no local installations required. Users access the platform through a standard web browser on any device.
The platform operates two portals:
- Student portal - my.enterpriseskills.co.uk
- Educator/admin portal - admin.enterpriseskills.co.uk
Both are single-page applications built with Next.js, deployed via Netlify, served through Cloudflare's CDN and WAF, and backed by a Supabase PostgreSQL database hosted in the UK.
Infrastructure
| Component | Detail |
|---|---|
| Application framework | Next.js (React) |
| Hosting | Netlify Pro plan, continuous deployment from GitHub |
| CDN and WAF | Cloudflare Pro plan with WAF, DDoS mitigation, and bot management |
| Database | Supabase PostgreSQL 15.8, hosted on AWS eu-west-2 (London, UK) |
| Authentication | Supabase Auth with Microsoft SSO (OAuth 2.0), Google SSO, and email/password |
| DNS | Cloudflare DNS with full SSL mode |
| Source control | GitHub private repositories with branch protection |
| Data region | United Kingdom, AWS eu-west-2 (London). No personal data (student or employee) leaves the UK. |
Encryption
| Layer | Standard | Detail |
|---|---|---|
| In transit | TLS 1.2+ | All connections use HTTPS, enforced by Cloudflare. HTTP is automatically redirected. HSTS headers are applied. |
| At rest (database) | AES-256 | Supabase encrypts all data at rest using AES-256 via AWS KMS. |
| At rest (backups) | AES-256 | Database backups are encrypted to the same standard. |
Authentication and Access Control
The platform supports Microsoft SSO (OAuth 2.0), Google SSO, and email/password authentication. Two-factor authentication is deferred to the institution's identity provider where SSO is in use.
| Role | Access |
|---|---|
| Student | Own simulation results, own Human Skills Index scores, and own portfolio entries only |
| Educator | Student progress dashboards, cohort analytics, intervention alerts, and export tools for their own institution only |
| Admin | Institutional configuration, user management, and all educator capabilities for their own institution |
Institutional Data Isolation
Each institution's data is isolated at the database level using Supabase's Row Level Security (RLS) policies, enforced by PostgreSQL.
Even if application-level logic were to fail, one institution's users could not access another institution's data. This is a hard constraint enforced at the database engine level, not solely at the application layer.
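The isolation model described above, sketched as an added example in plain PostgreSQL; it is not the platform's own schema or policy code. The table, column, role, and setting names are hypothetical, and the `app.institution_id` session setting stands in for however the institution is derived from the authenticated user.

```sql
-- Constructed schema for illustration; all names are hypothetical.
CREATE TABLE simulation_results (
    id             bigserial PRIMARY KEY,
    institution_id uuid NOT NULL,
    student_id     uuid NOT NULL,
    score          numeric
);

-- Policies are only evaluated once RLS is enabled on the table.
ALTER TABLE simulation_results ENABLE ROW LEVEL SECURITY;
-- The table owner bypasses RLS by default; FORCE applies policies to the owner too.
-- (Superusers and roles with BYPASSRLS are still exempt, so the application
-- must never connect as one.)
ALTER TABLE simulation_results FORCE ROW LEVEL SECURITY;

-- Role the application connects as (hypothetical).
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON simulation_results TO app_user;
GRANT USAGE ON SEQUENCE simulation_results_id_seq TO app_user;

-- USING filters the rows a statement can see or modify.
-- WITH CHECK rejects rows written on behalf of a different institution.
-- current_setting(..., true) returns NULL when the setting is absent, so the
-- comparison is never true and an unscoped session matches no rows.
CREATE POLICY institution_isolation ON simulation_results
    FOR ALL TO app_user
    USING      (institution_id = current_setting('app.institution_id', true)::uuid)
    WITH CHECK (institution_id = current_setting('app.institution_id', true)::uuid);

-- One request, scoped to one institution (constructed UUIDs).
-- Run from a role that is permitted to SET ROLE app_user.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.institution_id = '11111111-1111-1111-1111-111111111111';

INSERT INTO simulation_results (institution_id, student_id, score)
VALUES ('11111111-1111-1111-1111-111111111111',
        'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 72);

-- No WHERE clause on institution_id: the policy supplies the filter, so a
-- query that forgets the tenant predicate still cannot reach other tenants.
SELECT id, student_id, score FROM simulation_results;
COMMIT;
```

When reviewing a deployment of this pattern, check that every tenant-scoped table has RLS enabled and that no application connection uses a role that bypasses it.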
Network Security
Cloudflare provides WAF, DDoS mitigation, bot management, rate limiting, and full SSL mode across all platform domains.
No special firewall rules, port changes, or VPN configurations are required for institutions or users. Standard HTTPS (port 443) only.
Communication Features
The platform contains no chat, messaging, forums, social features, or any form of user-to-user communication. This is by design. Users (students and employees) interact only with the simulation environment and their own records. There is no mechanism by which one user can contact another user through the platform.
Security Certifications
| Certification | Status |
|---|---|
| Cyber Essentials | Certified |
| Supabase SOC 2 Type II | Certified (Supabase) |
| AWS ISO 27001 | Certified (AWS eu-west-2) |
| Cloudflare SOC 2 Type II | Certified (Cloudflare) |
Security Updates
- Cloudflare WAF rules are updated continuously by Cloudflare's threat intelligence team
- Supabase manages PostgreSQL security patches and database engine updates
- Netlify handles infrastructure and runtime patching at the hosting layer
- Application dependencies are monitored via GitHub Dependabot with automated pull requests for security updates
Incident Response
Our incident response process covers the following stages:
- Detection: Cloudflare analytics, Supabase logs, and application error tracking
- Assessment: Severity classification within 4 hours of detection
- Containment: Revoke access tokens, disable affected accounts, isolate the affected scope
- Notification: Institution notified within 72 hours per UK GDPR Article 33
- Remediation: Root cause analysis, patch deployment, and confirmation of resolution
- Documentation: Full incident log retained for audit and regulatory purposes
Backup and Recovery
Automated daily database backups with point-in-time recovery are maintained. All backups are encrypted (AES-256) and stored within the UK (eu-west-2).
Application code is version-controlled in GitHub with full commit history, enabling rollback to any previous state.
Contact
For security-related queries, vulnerability disclosures, or to request additional information about our security posture, please contact:
Email: dpo@enterpriseskills.co.uk