Security overview
This page summarises how we protect Mark My Tests. It does not replace a signed DPA for your trust — request one through your procurement or information governance route.
Encryption and transport
Browser traffic uses TLS. Object storage and database connections use provider-managed encryption at rest. Service Role keys and secrets are never exposed to browsers; marking runs on trusted workers, not in client-side JavaScript.
Tenant isolation
Mark My Tests uses Postgres Row Level Security so signed-in users only access their organisation’s data. Anonymous marking sessions use scoped tokens and isolated system rows until you claim the run into your account.
AI processing
We call Google Vertex AI under enterprise-style configuration: customer content submitted to the marking API is not used to train Google’s public foundation models. Operational logs are minimised and monitored; Sentry receives redacted error events only.
Monitoring and incidents
We monitor application health and security events. If we become aware of a breach affecting personal data, we will notify affected controllers without undue delay and document remediation. Responsible disclosure: contact your account security liaison via your organisation — public unsolicited vulnerability reports may not reach an on-call owner.