Trust

Security Overview

Safeguards for sensitive education information

Evidence-led security information

This page summarises implemented design controls; it is not a certification statement. Detailed technical and organisational measures, evidence and any customer-specific commitments are supplied through the contracting and procurement process.

Identity and access

Microsoft sign-in, protected refresh cookies, role checks, tenant-scoped access and administrator controls support least-privilege access. Customers remain responsible for their tenant membership and Microsoft accounts.

Cloud and encryption

Primary application resources use managed Google Cloud services in London. Transport encryption protects network connections and managed services provide encryption at rest. Secrets are separated from application source.

Application controls

The service applies organisation scoping, input validation, restricted API routes and audit records. Sensitive AI workflows use data-minimisation and masking controls, with human review required because automated redaction is not infallible.

Operations and incidents

Logs and health signals support investigation. Access, supplier and change controls are reviewed according to risk. The incident process includes containment, evidence preservation, controller notification and post-incident action.

Resilience and deletion

Managed storage and backup capabilities support recovery. Individual consultations can be deleted. Contract-end deletion, backup expiry and evidence follow the approved retention schedule and customer DPA.

People and suppliers

Authorised personnel and suppliers are limited to service needs and confidentiality duties. Subprocessors are reviewed for purpose, security and transfer arrangements before use with customer data.

Report a security concern

Please send suspected vulnerabilities or incidents to security@sencoai.co.uk. Do not include pupil information in the initial email. For privacy matters, use privacy@sencoai.co.uk.