Security and trust

Pathway Skills is hosted in the EU on Vercel (London lhr1 edge) and Neon Postgres (AWS Europe West 2, London). The application is configured to serve UK and EU customers from inside the EU regulatory boundary.

A Data Processing Agreement is available on request, with sub-processor and country-of-processing list. If your procurement team needs to confirm exact-region residency in writing before signing, the DPA carries that detail.

Multi-factor authentication is available on every account. Session cookies are signed (HS256, jose) with an 8-hour time-to-live. Sign-in events, password resets, and impersonation actions are written to the audit log.

Organisation-wide MFA enforcement is on the roadmap (see What’s still in progress below).

We provide a Data Processing Agreement on request, including the sub-processor list and country-of-processing detail. A DPIA summary suitable for inclusion in your procurement file is available on the same request.

Dr Clive is powered by Anthropic Claude (Anthropic API, EU-fronted via Vercel AI Gateway). Per-request Zero Data Retention is set on every Dr Clive call routed via Vercel AI Gateway, so learner inputs and model responses for these calls are not retained at the gateway layer. Anthropic’s standard commercial API terms also bind: learner inputs are not used to train Anthropic’s models.

Dr Clive is formative only. It asks adult learners questions rather than giving them answers, never marks summative work, never determines a learner’s level, and is always supervised by the learner’s tutor. Tutors and Quality Managers see every Dr Clive interaction in the audit log.

A Data Processing Agreement is available on request, including the sub-processor list and country-of-processing detail. We are working through the additional defence-in-depth steps listed in What’s still in progress below.

Every release walks our 3-light pre-ship gate: a real-user functional walk, an automated test suite, and a brand-fidelity review. Two of three is no-go. The platform you book a demo on this week is the platform your learners will sign into next week.

Database migrations are reviewed before deploy. Deploys that touch authentication, audit-log writes, or assessment scoring get an extra accessibility-and-pedagogy review pass before shipping.

We are working through Cyber Essentials. We will publish the certification number on this page once issued. ISO 27001 is not currently held; we will only claim it once held. SOC 2 is not in scope for our current customer base; if your procurement requires it, talk to us during the demo and we will document the path.

We do not list certifications we do not hold as marketing badges. Roadmap items live here, in prose.

We hold transparency on our security roadmap. Here’s what is shipping next, in priority order:

1. Team-level Zero Data Retention enforcement. Per-request ZDR is already set on every Dr Clive call (see Dr Clive — formative Socratic tutor above). The team-level dashboard toggle adds defence-in-depth so the configuration is enforced at the gateway team layer as well as per call. Tracked for confirmation this month.
2. Audit-trail evidence-pack export. Pathway Skills already writes an audit log of every settings change, authentication event, bulk action, and Dr Clive interaction. The next iteration will expose a one-click evidence-pack export for inspection day, drawing directly from this audit log. In active development.
3. Cyber Essentials certification. We are working through Cyber Essentials. We will publish the certification number on this page once issued. ISO 27001 is not currently held; we will only claim it once held.
4. Data Processing Impact Assessment summary. A DPIA summary suitable for inclusion in your provider’s procurement file is available on request alongside the Data Processing Agreement.

If a procurement deadline depends on any of these, tell us in the demo and we will share the current state in writing.

For security questions, vulnerability disclosure, or DPO-to-DPO correspondence, email help@pathway-skills.com. We aim to respond within 2 working days.

For accessibility-specific issues, see the Accessibility Statement.

Some apprentices on Pathway Skills are aged 16 or 17. The ICO Age Appropriate Design Code (the Children’s Code) applies to any service likely to be accessed by under-18s, and we follow it.

Best interests first. Pathway Skills is paid for by the training provider, not by the learner. There is no advertising, no in-app purchasing, and no algorithm designed to keep a learner on the platform longer than their study plan requires. Design choices that benefit the learner — clarity, calm, no surveillance framing — also benefit the provider buying the service.

No detrimental use. We do not use learner data for targeted advertising, engagement-exploitation profiling, or any purpose shown to be detrimental to learner wellbeing. Dr Clive is positioned as a Socratic tutor support, not a substitute for the tutor (see section 7 above).

One standard for everyone. We apply the AADC’s privacy-protective posture uniformly to every learner rather than only switching it on when a date of birth has been provided. When date of birth is collected by your training provider — typically at enrolment — we apply additional defaults specifically for under-18s (functional notifications stay on; engagement notifications default off; progress-sharing opt-in rather than opt-out).

Our full AADC self-audit covering all 15 standards is available on request alongside the DPA.

We uphold our published policies. Where we deviate from a control we have committed to — for example a temporary operational exception during onboarding — we log it in an internal exception register with a remediation date and a named owner.

Our published policies you may want to read alongside this page: the Privacy Policy, the Accessibility Statement, and the cookie-consent surface presented on first visit.

The ICO Age Appropriate Design Code asks services not to use nudge techniques to lead or encourage children to provide unnecessary personal data, turn off privacy protections, or extend their use of the service.

Pathway Skills uses pedagogically grounded engagement signals only. Study reminders are tied to a learner’s actual session schedule. Mock-exam unlock notifications surface a genuine next step on the learner’s plan. We do not use countdown timers on consent dialogs, “are you sure?” double-confirms on privacy-reducing actions, or dark-pattern friction designed to discourage learners from changing a setting. Streaks and gamification are formative tools designed with the learner’s tutor in the loop, not a hook to drive daily-active time.

When date of birth is captured, push notifications and weekly engagement digests default off for under-18 learners — the functional notifications (session reminders, mock unlock, tutor messages) stay on because they support the contracted educational service.

Pathway Skills is a web platform. We do not ship connected toys, smart devices, wearables, or any hardware. The Age Appropriate Design Code standard 14 is therefore not applicable to us. If we ever introduce a paired hardware component — we have no plans to do so — we will re-run the AADC self-audit before launch and update this section.

You can exercise any of your data protection rights under the UK GDPR at any time. The current route is to email our DPO at help@pathway-skills.com. An in-product “Your data” tool that surfaces these routes inside the learner settings page is on our roadmap — see What’s still in progress above.

• See your data. A subject access request returns a copy of the personal data we hold about you. We respond within one calendar month.
• Correct your data. If something is wrong, ask your tutor or email us directly. Self-disclosed fields like your name or contact details can be updated in your profile.
• Delete your data. You can ask us to delete your data. Where your records are kept under a funding-rule legal obligation — typically while your training is live and for a retention period after — we will explain what we can delete now and what we are required to keep, with the reason in writing.
• Take your data with you. You can request a copy of the data you provided to us in a structured machine-readable format.
• Object or restrict. You can object to certain kinds of processing or ask us to restrict what we do with your data while a question is being worked through.
• Complain to the regulator. If we have not handled your data well, you can complain to the ICO at ico.org.uk/make-a-complaint.

See the Privacy Policy for full detail of what we hold, why, for how long, and with whom we share it.