Skills Reloaded Logo
Back to Sign-in

Skills Reloaded data security

Here’s a description of our technical and organisation security measures that we use to secure Skills Reloaded and protect your personal data.

Cyber Essentials accredited

Cyber essentials is a set of baseline technical controls laid out by the UK government. The requirements are specified under five technical control themes:

  • Firewalls
  • Secure configuration
  • User access control
  • Malware protection
  • Security update management

We are, and always will maintain this certification as a baseline for our IT controls.

Data location

Skills Reloaded is hosted on Amazon Web Services platform. This places your data in their European data centres. At the time of writing we use both their 'eu-west-1' zone located in Ireland.

Encryption of personal data

Your data is encrypted at rest using Transparent Data Encryption.

Protecting data during transmission

Data moving through Skills Reloaded services is encrypted in transit using an appropriate encryption technology.

When data is moving between you and Skills Reloaded, everything is encrypted and sent securely using HTTPS. HTTPS is enforced with HSTS and we utilise HSTS so that the initial request to Skills Reloaded is also secure.

Internal access controls

Our team doesn't have a reason to access or process customer data on a day to day basis. Processing is fully automated. It's only if there's a problem with an account or to help resolve a customer support question that we might need to access personal data.

All our team members have signed confidentiality undertakings and undergo GDPR training in respect of their roles.

We use role based access controls for staff and use two-factor auth on both internal apps and external services.

Resilience and availability

Skills Reloaded is geographically spread and load balanced across multiple availability zones. It comes with extensive application and infrastructure monitoring. We maintain redundancy throughout our infrastructure in order to minimise the risk of low or slow availability or loss of data.

We use web application firewalls, rate limiting & DDOS protection to provide resilience and ongoing availability.

Managing availability

Skills Reloaded is hosted and load balanced across multiple availablity zones. This setup provides continuous availability in case of an outage or issue  in either data centre. The database is replicated between these regions, and backed up, to give us full resilience.

Physical security

Skills Reloaded is hosted within data centres provided by Amazon Web Services. As such, we take advantage of their physical, environmental and infrastructure controls.

Amazon Web Services is accredited to ISO 27001 which covers and accredits their physical security controls.

User identification and authorisation

Passwords for signing in are hashed and salted using an PBKDF2-based function in line with the recommendations of the UK’s National Cyber Security Centre.

We suggest all users set up two-factor authentication in Skills Reloaded to protect their account and data.

We also offer Single Sign-On (SSO) to access Skills Reloaded with any of the main identity providers, including Google Workspace.

Only you, the client, can invite and remove users and apply permission levels in your account.

Testing, evaluating and assessing the measures

We automate a lot of tests that monitor our infrastructure to make sure it’s up and running 24/7.

We complete the Cyber Essentials accreditation each year as well as periodic penetration tests and are happy to work with security researchers.

Event logging

All events are recorded in log files, therefore it’s possible to review when and by who personal data was entered, altered or deleted. We provide access to this information in the form of downloadable CSV files in Skills Reloaded.

Data transfers

We use sub-processors to help deliver Skills Reloaded, and sometimes this means transferring your data to a 3rd party, with data centres outside of the UK or EEA.

In all cases we make sure that an adequate level of data protection exists by assessing their security and having in place contracts based on the EU SCCs.

Data minimisation and retention

An important factor in data protection is to make sure we don’t collect and store any more data than needed to provide you with Skills Reloaded. Every piece of data we collect and store must be backed up with a justifiable reason.

If personal data is no longer required it is deleted, either by you, the client, or by automated script when data hits its maximum retention period.

As an example, we only store customer support data for 12 months, an automated script deletes tickets that are 12 months old.

Data quality

All of the data processed is provided by you (the data controller) or your end users (the data subjects). You'll find reporting tools within Skills Reloaded to help you understand, validate, and if necessary correct the data.

Data portability and deletion

Skills Reloaded has built-in backup and reporting tools that allow you to download your data, and, if appropriate, permanently erase data.

We don't store debit/credit card information.

All our payments are processed through Stripe https://stripe.com/gb They are a PCI Service Provider Level 1 organisation. Using Stripe means we don't need to store your payment card details, they are sent encrypted direct to Stripe, we don't store them anywhere.

You can read more about security at Stripe here: https://stripe.com/docs/security/stripe

Reporting security problems

We're happy to work with security researchers, they're an important part of keeping the internet a safe place to work. We have a defined process for reporting security issues.

Security questions or concerns?

If anything here is unclear, gives rise for concern, or you just want to understand something, then please contact our support team.

Back to Sign-in