Trust
Security Overview
Safeguards for sensitive education information
Evidence-led security information
This page summarises implemented design controls; it is not a certification statement. Detailed technical and organisational measures, evidence and any customer-specific commitments are supplied through the contracting and procurement process.
Identity and access
Microsoft sign-in, protected refresh cookies, role checks, tenant-scoped access and administrator controls support least-privilege access. Customers remain responsible for their tenant membership and Microsoft accounts.
Cloud and encryption
Primary application resources use managed Google Cloud services in London. Transport encryption protects network connections and managed services provide encryption at rest. Secrets are separated from application source.
Application controls
The service applies organisation scoping, input validation, restricted API routes and audit records. Sensitive AI workflows use data-minimisation and masking controls, with human review required because automated redaction is not infallible.
Operations and incidents
Logs and health signals support investigation. Access, supplier and change controls are reviewed according to risk. The incident process includes containment, evidence preservation, controller notification and post-incident action.
Resilience and deletion
Managed storage and backup capabilities support recovery. Individual consultations can be deleted. Contract-end deletion, backup expiry and evidence follow the approved retention schedule and customer DPA.
People and suppliers
Authorised personnel and suppliers are limited to service needs and confidentiality duties. Subprocessors are reviewed for purpose, security and transfer arrangements before use with customer data.
Report a security concern
Please send suspected vulnerabilities or incidents to security@sencoai.co.uk. Do not include pupil information in the initial email. For privacy matters, use privacy@sencoai.co.uk.