Unlocked Expertise

Security and Data Protection

How Unlocked Expertise protects your data and maintains platform security. Covers infrastructure, authentication, payment security, access controls and procurement assurance.

Last updated: Version 1.0
hello@unlockedexpertise.com

1. Overview

Protecting the data and privacy of our users, mentors and commissioning partners is a core responsibility. This page provides an overview of the security measures and data protection practices we have in place. For procurement and due diligence purposes, additional detail can be provided during contracting.

2. Infrastructure and hosting

The Unlocked platform is hosted on Amazon Web Services (AWS) in the EU (eu-west-1, Ireland). AWS provides enterprise-grade physical security, network protection and compliance certifications including ISO 27001 and SOC 2.

Our infrastructure includes:

  • AWS App Runner for application hosting with automatic scaling and patching
  • AWS RDS (PostgreSQL) for database services with automated backups
  • AWS S3 for secure file storage
  • All data encrypted at rest and in transit using industry-standard encryption

3. Authentication and access

User authentication is managed through AWS Cognito, which provides:

  • Secure Remote Password (SRP) protocol — passwords are never transmitted in plaintext
  • Multi-factor authentication (MFA) support
  • Email verification for all accounts
  • Secure token-based session management

Passwords are never stored in plaintext and are never visible to the Unlocked team.

4. Payment security

All payment processing is handled by Stripe, an independently audited PCI Level 1 payment processor. Payment card data is processed entirely by Stripe and is never stored on, transmitted through or accessible from Unlocked servers. Mentor payouts are processed through Stripe Connect with equivalent security standards.

5. Communication security

Video sessions are delivered through Twilio, which provides encrypted, enterprise-grade video infrastructure. In-platform messaging is transmitted over encrypted connections. Transactional emails are sent through Resend with TLS encryption.

6. Data protection

EB Unlocked Limited is the data controller for personal data processed through the platform. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Our data protection practices include:

  • Data processing agreements in place with all sub-processors
  • User rights to access, rectify, erase and port their data
  • Data retention policies aligned with legal and operational requirements
  • Appropriate safeguards for international data transfers, including the UK Extension to the EU-US Data Privacy Framework and Standard Contractual Clauses

Full details of our data processing are set out in our Privacy Notice.

7. Access controls

Access to production systems and user data is restricted to authorised personnel on a need-to-know basis. Administrative access is protected by multi-factor authentication.

8. Certifications and standards

Our cloud infrastructure provider (AWS) holds ISO 27001, SOC 1, SOC 2 and SOC 3 certifications. Our payment processor (Stripe) holds PCI DSS Level 1 certification.

EB Unlocked Limited is committed to achieving Cyber Essentials certification as part of our procurement readiness programme.

9. Incident response

We maintain procedures for identifying, reporting and responding to security incidents and data breaches. In the event of a personal data breach, we will notify the Information Commissioner's Office and affected individuals as required by the UK GDPR.

10. Procurement and due diligence

For commissioning organisations, programme partners and procurement teams, we can provide:

  • Data Processing Agreement (DPA)
  • Sub-processor list
  • Data Protection Impact Assessment (DPIA) where required
  • Security questionnaire responses
  • Insurance certificates
  • Additional technical security information under NDA

Please contact partnerships@unlockedexpertise.com to discuss your requirements.

11. Reporting security concerns

If you believe you have found a security vulnerability in the Unlocked platform, please report it to support@unlockedexpertise.com with the subject line “Security”. We will acknowledge your report and investigate promptly.

If you have questions about this policy, contact hello@unlockedexpertise.com

EB Unlocked Limited · Company No. 15905257 · VAT GB474901867