Security Overview

Assayed is designed for use by NHS trusts, local authorities, and government departments. Security is a core requirement, not an afterthought. This page describes the technical and organisational measures we use to protect your data.

If you require additional security documentation for procurement purposes, contact us at hello@assayed.co.uk. We can provide completed security questionnaires and Data Protection Impact Assessments on request.

Assayed operates a multi-tenant architecture with strict data isolation between organisations. Isolation is enforced at the database level using PostgreSQL Row-Level Security (RLS) policies.

• Database-level row security policies enforce tenant isolation for all user-scoped queries.
• RLS policies are enforced by the database engine, not the application layer.
• Assessment data, user records, and billing information are all scoped to individual organisations.

User authentication is handled by Supabase Auth, which provides:

• Email and password authentication with bcrypt password hashing
• OAuth integration (Google) for organisations that prefer single sign-on
• PKCE (Proof Key for Code Exchange) for secure OAuth flows
• Session tokens with automatic rotation and expiry
• Password reset flows with time-limited, single-use tokens

Enterprise plans support SAML-based single sign-on (SSO) for integration with your organisation's identity provider.

The platform implements role-based access control (RBAC) with the following roles:

All role assignments are managed by organisation admins through the platform settings. Role changes take effect immediately.

• Database: Supabase Cloud (PostgreSQL), hosted in EU data centres with automated backups.
• Application: Vercel (Edge network), with server-side rendering in EU/UK regions.
• AI Processing: Google Cloud Vertex AI, processing in the europe-west2 (London) region.
• Assessment API: Dedicated VPS in EU/UK, firewalled with access restricted to the application layer.

No customer data is stored on developer workstations or local environments. All development uses anonymised test data.

We maintain an incident response plan that covers detection, containment, investigation, and communication. In the event of a data breach:

• Affected users will be notified within 72 hours, as required by UK GDPR.
• The Information Commissioner's Office (ICO) will be notified where required.
• A post-incident report will be produced and shared with affected organisations.
• Corrective measures will be implemented and verified before resuming normal operations.

The platform maintains audit logs for security-relevant events:

• User authentication events (login, logout, password changes)
• Assessment generation and access
• User and role management changes
• Data export and deletion requests
• Billing and subscription changes

Audit logs are retained for 12 months and are available to organisation admins through the platform settings. Enterprise plans include extended log retention and export capabilities.

We are committed to ongoing security testing and improvement:

• Dependency scanning: Automated scanning for known vulnerabilities in third-party dependencies.
• Code review: All code changes are reviewed before deployment.
• Penetration testing: Third-party penetration testing is planned for Q2 2026. Results and remediation actions will be documented.
• Infrastructure monitoring: Real-time monitoring of infrastructure health, error rates, and anomalous access patterns.

If you discover a security vulnerability in the Assayed platform, please report it responsibly by emailing security@assayed.co.uk.

Please include a description of the vulnerability, steps to reproduce, and the potential impact. We will acknowledge receipt within 48 hours and provide regular updates on remediation progress.

We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.

For security-related questions or to request security documentation for procurement purposes, contact us at hello@assayed.co.uk.