Your data is safe.
We can prove it.
SkillDrill was built from day one with security at its core. Every piece of data is encrypted, every tenant is isolated, and every conversation is protected.
Security in plain English
We know security jargon can be confusing. Here is what we do to protect your data, explained simply.
Everything is encrypted
Every name, email, skill, conversation, and note is encrypted before it is stored. Even if someone accessed our database directly, they would see scrambled data, not your information.
Technical detail
AES-256-GCM encryption with per-tenant derived keys using HKDF. Each organisation has its own unique encryption key derived from a master key, meaning one organisation's data cannot be decrypted with another's key.
Your data is completely separate
Each organisation on SkillDrill is completely isolated. Your people, skills, conversations, and settings cannot be seen or accessed by any other organisation, even if they are on the same platform.
Technical detail
Multi-tenant architecture with tenant-scoped database queries on every operation. Subdomain-to-session validation prevents cross-tenant session reuse. Each tenant runs on their own subdomain or custom domain.
UK data residency on AWS
Your tenant data is stored on Amazon Web Services (AWS) infrastructure in the United Kingdom and does not leave the country. AWS holds ISO 27001, ISO 27017, ISO 27018, and SOC 2 certifications. (Website visitor analytics on this marketing site are handled separately and disclosed in our DPA and Cookies page.)
Technical detail
Hosted on AWS eu-west-2 (London) with dedicated RDS database infrastructure. All backups remain within the same region. Enterprise-grade DDoS protection via AWS Shield and Cloudflare WAF at the edge. AWS infrastructure is ISO 27001 certified and SOC 2 audited.
Strong access controls
Every user has a role with specific permissions. Admins control who can see what. Two-factor authentication (2FA) adds an extra layer of protection. Sessions are held server-side in our encrypted database rather than in browser storage or flat session files on disk.
Technical detail
Role-based access control with per-route permission mapping. MFA via TOTP (authenticator app) or email codes. CSRF protection on all forms. Rate limiting on login (5 attempts/15 min) and API endpoints.
AI conversations are private
When your team talks to the AI, the conversation is encrypted and stored in your tenant. The AI does not learn from your data or share it with other organisations.
Technical detail
Conversations are encrypted with AES-256-GCM before storage. By default we route conversations to Anthropic via AWS Bedrock in the UK/EU region under a zero-retention agreement, so prompts and completions are not retained or used for training. Tenants who connect their own AI provider (for example, OpenAI on an Enterprise tier or a self-hosted model) are bound by that provider's retention terms; we document this in the DPA so procurement can verify before go-live. Server-side message storage ensures conversation history cannot be tampered with from the browser.
Welfare data is extra protected
If someone discloses a welfare concern during a conversation, it is flagged securely and only visible to designated administrators. Welfare alerts can trigger email notifications to safeguarding leads without revealing personal details.
Technical detail
Welfare flags are encrypted at rest. Notification emails contain no PII. Anonymity thresholds in reporting prevent identification of individuals in groups smaller than 5. Audit logging tracks all welfare data access.
Enterprise infrastructure
Built on the same cloud infrastructure trusted by banks, governments, and the NHS.
Encrypted at rest & in transit
AES-256-GCM with per-tenant keys, TLS 1.2+ on all connections
Tenant isolation
Every organisation's data is completely separated with unique encryption keys
Full audit trail
Every action logged with timestamps, exportable for compliance reporting
SSO & MFA
Microsoft Entra ID single sign-on, TOTP and email two-factor authentication
ICO Registered
Information Commissioner's Office data protection registration ZA046393
Cyber Essentials
UK government-backed scheme certifying our cyber security controls
GDPR Compliant
Full compliance with UK GDPR, EU GDPR, and the Data Protection Act 2018
UK Data Residency
All data stored in UK data centres by default, with EU and US options available
Compliance & certifications
- GDPR compliant - UK and EU data protection standards
- ICO registered data controller (reg. ZA046393)
- Cyber Essentials certified
- Hosted on AWS (ISO 27001, SOC 2 certified infrastructure)
- Working towards ISO 42001 (AI Management System), targeting H2 2026
- Data subject access requests and right to erasure supported
- Consent recording with timestamped audit trail
Your domain, your brand
- Custom domain support - run SkillDrill on skills.yourcompany.com
- Full white-label branding - your logo, colours, fonts
- SSL certificates managed automatically
- Microsoft SSO integration for seamless sign-in
Questions about security?
We are happy to discuss our security practices in detail. Get in touch for a technical deep-dive or to request our security documentation.