Skip to content

Security

Security built for robust education.

Your data stays in the UK, is encrypted end to end and every decision is recorded in a tamper-evident audit trail.

UK data residency TLS 1.3 and AWS KMS Append-only audit trail

Our security principles

Six commitments behind every qualification.

UK data residency

Your data is stored in UK AWS regions. Hosting and storage stay within the United Kingdom.

Encryption everywhere

Encrypted at rest with AWS KMS and in transit with TLS 1.3, across every part of the platform.

Isolation by default

Row-level security enforces strict isolation between organisations. No tenant can see another tenant’s data.

Append-only audit trail

Every action is logged to a tamper-evident trail that can only be added to, retained for at least seven years.

Human oversight of AI

No qualification reaches approval without documented review and sign-off by a named person.

UK GDPR alignment

Qualitect operates as your data processor under UK GDPR. A Data Processing Agreement is available.

Data and encryption

Stored in the UK, encrypted end to end.

Your source materials, qualifications and audit records are stored in UK AWS regions and protected with strong, industry-standard encryption at every layer.

Your organisation

TLS 1.3

Source files and review decisions travel over TLS 1.3, the current transport-security standard.

UK AWS region

AWS KMS

Stored in the UK and encrypted at rest with AWS KMS. Row-level security keeps every organisation strictly isolated.

Append-only audit

7 years

Every action is sealed to a tamper-evident log, retained for a minimum of seven years and tested on every release.

Responsible AI

AI does the drafting. People stay accountable.

Qualitect uses AI to draft, never to decide. Generation runs on Anthropic Claude with an automatic fallback and every output is grounded in the sources you provide. All providers are listed below.

Read the AI Use and Transparency Policy

Documented human review

No qualification can be approved without your sign-off. Final approval is recorded against a named reviewer, with a declaration and timestamp.

Your content is never used to train models

Source materials stay within your project and are used only to generate your qualification. They are not used to train any AI model and are shared only with the processors listed below, solely to deliver the service.

Grounded, not invented

Where your sources do not cover a topic, the platform flags the gap rather than inventing material to fill it. Every output traces back to a source you can verify.

Data protection and your rights

You stay in control of your data.

Qualitect acts as the data processor on your behalf under UK GDPR, so you remain the controller of your data and how it is used.

Data Processing Agreement

An Article 28 controller-processor DPA is available to customer organisations on request.

Subject access requests

Requests from individuals to see the data held about them are supported directly through the platform.

Your data is portable

Every item you create, with its sources, audit trail and revision history, is yours to export at any time.

Sub-processor transparency

The third parties we rely on.

We keep our supply chain deliberately small. The providers below process data on our behalf to deliver the service.

Sub-processorData location
Amazon Web Services (AWS)Cloud hosting, compute and encrypted storageUnited Kingdom (London region)
AnthropicAI generation (Claude language models), primary providerUnited States
OpenAIAI generation (fallback language model) and evidence embedding generationUnited States
CohereReranking of retrieved evidence chunks before generationUnited States

Storage and hosting are in the UK. AI generation requests are processed by Anthropic. Any international transfer relies on an approved UK transfer mechanism, with details in our Data Processing Agreement.

Due diligence questions? We are ready for them.

We are happy to walk security, procurement and compliance teams through our controls and documentation.