Security
Security built for robust education.
Your data stays in the UK, is encrypted end to end and every decision is recorded in a tamper-evident audit trail.
Our security principles
Six commitments behind every qualification.
UK data residency
Your data is stored in UK AWS regions. Hosting and storage stay within the United Kingdom.
Encryption everywhere
Encrypted at rest with AWS KMS and in transit with TLS 1.3, across every part of the platform.
Isolation by default
Row-level security enforces strict isolation between organisations. No tenant can see another tenant’s data.
Append-only audit trail
Every action is logged to a tamper-evident trail that can only be added to, retained for at least seven years.
Human oversight of AI
No qualification reaches approval without documented review and sign-off by a named person.
UK GDPR alignment
Qualitect operates as your data processor under UK GDPR. A Data Processing Agreement is available.
Data and encryption
Stored in the UK, encrypted end to end.
Your source materials, qualifications and audit records are stored in UK AWS regions and protected with strong, industry-standard encryption at every layer.
Your organisation
TLS 1.3Source files and review decisions travel over TLS 1.3, the current transport-security standard.
UK AWS region
AWS KMSStored in the UK and encrypted at rest with AWS KMS. Row-level security keeps every organisation strictly isolated.
Append-only audit
7 yearsEvery action is sealed to a tamper-evident log, retained for a minimum of seven years and tested on every release.
Responsible AI
AI does the drafting. People stay accountable.
Qualitect uses AI to draft, never to decide. Generation runs on Anthropic Claude with an automatic fallback and every output is grounded in the sources you provide. All providers are listed below.
Read the AI Use and Transparency PolicyDocumented human review
No qualification can be approved without your sign-off. Final approval is recorded against a named reviewer, with a declaration and timestamp.
Your content is never used to train models
Source materials stay within your project and are used only to generate your qualification. They are not used to train any AI model and are shared only with the processors listed below, solely to deliver the service.
Grounded, not invented
Where your sources do not cover a topic, the platform flags the gap rather than inventing material to fill it. Every output traces back to a source you can verify.
Data protection and your rights
You stay in control of your data.
Qualitect acts as the data processor on your behalf under UK GDPR, so you remain the controller of your data and how it is used.
Data Processing Agreement
An Article 28 controller-processor DPA is available to customer organisations on request.
Subject access requests
Requests from individuals to see the data held about them are supported directly through the platform.
Your data is portable
Every item you create, with its sources, audit trail and revision history, is yours to export at any time.
Sub-processor transparency
The third parties we rely on.
We keep our supply chain deliberately small. The providers below process data on our behalf to deliver the service.
| Sub-processor | Data location |
|---|---|
| Amazon Web Services (AWS)Cloud hosting, compute and encrypted storage | United Kingdom (London region) |
| AnthropicAI generation (Claude language models), primary provider | United States |
| OpenAIAI generation (fallback language model) and evidence embedding generation | United States |
| CohereReranking of retrieved evidence chunks before generation | United States |
Storage and hosting are in the UK. AI generation requests are processed by Anthropic. Any international transfer relies on an approved UK transfer mechanism, with details in our Data Processing Agreement.
Due diligence questions? We are ready for them.
We are happy to walk security, procurement and compliance teams through our controls and documentation.