Trust & Security

How we protect your data

Assessment data is sensitive. Proficiency scores, response patterns, and organisational benchmarks require the same protection as any enterprise-grade system handling personal data. This page documents our security architecture, compliance posture, and where we stand on the certifications that enterprise procurement requires.

PDPA compliant · PDPO compliant · WCAG 2.1 AA (targeted)

Security Architecture

Enterprise security architecture

Multi-Layer Tenant Isolation

Genplify enforces tenant isolation through five independent defence layers. Each layer catches a different class of mistake:

Layer 1 — Static Analysis. ESLint rules detect any database query against tenant-scoped tables that omits the organisation filter, blocking such code at build time.

Layer 2 — Runtime Query Guard. Every database operation is inspected at execution time by a Prisma extension. Queries missing the organisation filter throw before reaching the database. Any deliberate exemption requires an explicit bypass flag with documented justification.

Layer 3 — Authentication Guards. Every authenticated route resolves the user's organisation context through a typed guard before any data access. Routes without a guard cannot compile.

Layer 4 — Database Row Level Security. Postgres Row Level Security policies are deployed on 39 tenant-scoped tables. Each policy verifies row ownership against the active organisation context.

Layer 5 — Session-Scoped Tenant Context. On every authenticated request, the active organisation ID is bound to the database session via SET LOCAL. This binding is what activates the Layer 4 policies; it is applied in 89 code paths across the application (routes, background jobs, and external webhooks).

No single layer is a guarantee. Together, they ensure that a bug in one layer is intercepted by the others before tenant data can leak across organisations.
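As an added illustration of Layers 4 and 5 (not Genplify's own schema or policy text), the PostgreSQL fragment below shows a row-level-security policy keyed on a session setting and the per-transaction binding that activates it. The table, role and setting names and the UUIDs are assumptions.

```sql
-- Constructed example: a tenant-scoped table guarded by RLS (Layer 4) and a
-- per-transaction organisation binding (Layer 5). All names are assumptions.
CREATE TABLE assessment_session (
    id              bigserial PRIMARY KEY,
    organisation_id uuid      NOT NULL,
    user_id         uuid      NOT NULL,
    score           numeric
);

-- The application must connect as a non-superuser role: RLS is silently
-- skipped for superusers and for roles with BYPASSRLS.
CREATE ROLE app_user LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON assessment_session TO app_user;
GRANT USAGE ON SEQUENCE assessment_session_id_seq TO app_user;

ALTER TABLE assessment_session ENABLE ROW LEVEL SECURITY;
ALTER TABLE assessment_session FORCE ROW LEVEL SECURITY;   -- owner is not exempt

-- Layer 4: a row is readable or writable only if it belongs to the organisation
-- bound to the session. NULLIF covers the unbound case (NULL if never set, ''
-- after an earlier transaction's SET LOCAL expired): the comparison yields
-- NULL, so a code path that forgot Layer 5 sees no rows rather than all rows.
CREATE POLICY tenant_isolation ON assessment_session
    USING      (organisation_id = NULLIF(current_setting('app.organisation_id', true), '')::uuid)
    WITH CHECK (organisation_id = NULLIF(current_setting('app.organisation_id', true), '')::uuid);

-- Layer 5: bind the organisation for this transaction only. The binding is
-- reverted at COMMIT or ROLLBACK, so a pooled connection cannot carry it into
-- the next request. set_config(name, value, true) is the bind-parameter form
-- of SET LOCAL app.organisation_id = '...'.
BEGIN;
SELECT set_config('app.organisation_id', '11111111-1111-1111-1111-111111111111', true);
SELECT id, user_id, score FROM assessment_session;          -- this organisation only
INSERT INTO assessment_session (organisation_id, user_id, score)
VALUES ('11111111-1111-1111-1111-111111111111',
        'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 72.5);       -- passes WITH CHECK
COMMIT;

-- With nothing bound the table appears empty to app_user, and an INSERT for a
-- different organisation fails with "new row violates row-level security policy".
SELECT count(*) FROM assessment_session;
```

The policy fails closed only because of the NULLIF: an unbound session that compared against the empty string would raise a uuid cast error on every query, which is noisy but still leaks nothing.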

Encryption

All data encrypted in transit (TLS 1.3). Sensitive personal data encrypted at rest with AES-256-GCM at the application layer, with provider-managed disk encryption protecting the underlying database storage.

For data retained beyond account deletion in support of psychometric calibration (anonymised for research and quality improvement under GDPR Recital 26), Genplify uses HMAC-SHA256 blind indexes with a dedicated cryptographic key separate from the encryption key. Blind indexes are cryptographically irreversible — given a blind index, there is no computational procedure to recover the original identifier — and the key separation prevents a compromise of one key from unlocking the other. Retained data is grouped by month rather than by date or user, further reducing re-identification risk.
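The following PostgreSQL fragment is an added example of the blind-index construction described above, not Genplify's implementation. It assumes pgcrypto, a table and function name of my choosing, and that the application hands the HMAC key to the session per transaction rather than storing it in the database. It also makes the limit of the irreversibility claim concrete: the index cannot be inverted, but whoever holds the key can confirm a guessed identifier, so the key's secrecy is the control.

```sql
-- Constructed example of an HMAC-SHA256 blind index over retained calibration
-- data. Table, function, setting and key names are assumptions; the key is
-- handed to the session by the application and is never stored in the database.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Keyed, so a party holding only the table cannot test candidate identifiers
-- against the index (an unkeyed SHA-256 of a user id or e-mail address would
-- allow that). current_setting without missing_ok raises if the key is absent,
-- so the function fails closed instead of indexing under an empty key.
CREATE OR REPLACE FUNCTION blind_index(identifier text) RETURNS text
LANGUAGE sql STABLE AS $$
    SELECT encode(hmac(lower(identifier),            -- normalise so equal ids match
                       current_setting('app.blind_index_key'), 'sha256'), 'hex')
$$;

CREATE TABLE calibration_response (
    blind_user_index text    NOT NULL,   -- HMAC of the identifier, never the identifier
    month_bucket     date    NOT NULL,   -- first day of the month, not the assessment date
    item_id          int     NOT NULL,
    response_score   numeric NOT NULL
);

-- Retaining a response after account deletion: only the blind index and the
-- month bucket are written. The key is passed with set_config(..., true) so it
-- lives for this transaction only; keep it out of statement logging as well.
BEGIN;
SELECT set_config('app.blind_index_key', 'constructed-demo-key', true);
INSERT INTO calibration_response (blind_user_index, month_bucket, item_id, response_score)
VALUES (blind_index('user-7f3a'), date_trunc('month', DATE '2025-03-14')::date, 42, 0.8);
COMMIT;

-- Under a different key the same identifier yields an unrelated index. That is
-- what key separation buys: compromise of the AES-256-GCM data key alone does
-- not let anyone match a blind index back to a user.
BEGIN;
SELECT set_config('app.blind_index_key', 'another-constructed-key', true);
SELECT blind_index('user-7f3a');   -- not the value stored above
COMMIT;
```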

What Genplify Staff Can Access

Genplify staff cannot directly view your organisation's assessment responses, scoring detail, or identifying user data in normal operation. Database access is restricted to encrypted personal data, scoped by tenant context. For product development and assessment quality work, Genplify staff work only with anonymised statistical data — pseudonymised responses grouped by month, with no direct or indirect link to user identity, organisation identity, or exact assessment date.

Genuine production support (such as investigating a customer-reported bug) requires explicit administrator authorisation, an audited access window, and a recorded business justification. All such access is logged in the tamper-evident audit chain described below.

Data Residency

Primary infrastructure hosted on AWS (ap-southeast-1, Singapore). Data residency controls available for organisations with jurisdiction-specific requirements. Primary database infrastructure is hosted in your specified region. Some processing sub-processors operate in other jurisdictions as disclosed in our sub-processor list, with appropriate transfer safeguards (Standard Contractual Clauses and EU-US Data Privacy Framework) in place.

Access Control

Role-based access control (RBAC) with three levels: employee, manager, and administrator. SSO via SAML 2.0 and OpenID Connect — available for Enterprise tier on request, provisioned through our authentication partner Clerk. Setup requires a configuration session with our team. Multi-factor authentication supported. All access events logged for audit.

Audit Logging

Comprehensive audit trail for all administrative actions, data exports, and access events. Audit logs retained for 24 months. Available for export on request.

Each audit log entry is linked to its predecessor through a SHA-256 hash chain. Modifying any historical entry would require recomputing every subsequent hash — a property that makes silent tampering cryptographically detectable. The chain is enforced at the database level by a trigger that runs on every insert.

After 24 months, audit log entries are not deleted but are cryptographically anonymised — actor and target user identifiers are replaced with non-reversible hashes while the action timestamp, type, and resource are preserved. This ensures legitimate audit trail integrity while honouring the data minimisation principle of GDPR Article 5(1)(c).
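As an added example of the hash chain and its insert trigger (constructed for this page, not Genplify's own audit schema), the PostgreSQL fragment below chains each entry to its predecessor and includes the query that detects a modified, reordered or removed entry. Table and column names are assumptions. Two caveats a reviewer would raise: removal of the most recent entry is only detectable if the head hash is also anchored outside the table, and any column that is later rewritten (such as actor identifiers anonymised after 24 months) has to be accounted for when verifying, which this fragment does not show.

```sql
-- Constructed example of a SHA-256 hash chain enforced by an insert trigger,
-- plus the query that verifies it. Table and column names are assumptions.
CREATE EXTENSION IF NOT EXISTS pgcrypto;
CREATE TABLE audit_log (
    id          bigserial   PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    actor_id    text,
    action      text        NOT NULL,
    resource    text        NOT NULL,
    prev_hash   text        NOT NULL,
    entry_hash  text        NOT NULL
);
-- One canonical serialisation shared by the trigger and the verifier. The
-- timestamp goes in as epoch seconds so DateStyle/TimeZone cannot alter it.
CREATE OR REPLACE FUNCTION audit_entry_hash(prev text, ts timestamptz, actor text, act text, res text)
RETURNS text LANGUAGE sql STABLE AS $$
    SELECT encode(digest(prev || '|' || extract(epoch FROM ts)::text || '|' ||
                         coalesce(actor, '') || '|' || act || '|' || res, 'sha256'), 'hex')
$$;
CREATE OR REPLACE FUNCTION audit_log_chain() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    -- Serialise appends with a transaction-scoped advisory lock: two concurrent
    -- inserts chaining onto the same predecessor would fork the chain.
    PERFORM pg_advisory_xact_lock(hashtext('audit_log_chain'));
    SELECT entry_hash INTO NEW.prev_hash FROM audit_log ORDER BY id DESC LIMIT 1;
    NEW.prev_hash  := coalesce(NEW.prev_hash, repeat('0', 64));     -- genesis entry
    NEW.entry_hash := audit_entry_hash(NEW.prev_hash, NEW.occurred_at,
                                       NEW.actor_id, NEW.action, NEW.resource);
    RETURN NEW;
END $$;
CREATE TRIGGER audit_log_chain_trg BEFORE INSERT ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_chain();

INSERT INTO audit_log (actor_id, action, resource) VALUES ('admin-1', 'export', 'org-1/results');
INSERT INTO audit_log (actor_id, action, resource) VALUES ('admin-1', 'login',  'session');

-- Verification: recompute each digest and compare each prev_hash with the real
-- predecessor. Every row returned is an edited, reordered or spliced entry.
SELECT id FROM (
    SELECT id, prev_hash, entry_hash,
           lag(entry_hash) OVER (ORDER BY id)                                  AS real_prev,
           audit_entry_hash(prev_hash, occurred_at, actor_id, action, resource) AS recomputed
    FROM audit_log) t
WHERE entry_hash <> recomputed OR prev_hash <> coalesce(real_prev, repeat('0', 64));
```

Run the verification query on a schedule from a role that has no write access to the table, so the check itself cannot be silenced by the same credentials that could rewrite the chain.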

Business Continuity

Automated daily backups with 30-day retention. Documented disaster recovery plan with defined recovery objectives. Business continuity procedures tested and updated on a regular schedule.

AI Data Handling

Your assessment data is never used to train AI models. Prompt-writing responses are scored via the Anthropic API with a dedicated, isolated processing pipeline. Anthropic's data retention policy confirms that customer API data is not used for model training. No assessment data is shared with any third-party AI provider for training purposes.

Product Security

Security features built into the platform

  • Single Sign-On (SSO) via SAML 2.0 and OpenID Connect — available for Enterprise tier on request, provisioned through our authentication partner Clerk. Setup requires a configuration session with our team
  • Multi-factor authentication supported for all account types
  • Role-based access control — managers see team aggregates only, not individual item responses
  • Data export controls — administrators control what can be exported and by whom
  • Session management — automatic timeout, concurrent session limits, forced logout capability
  • Assessment integrity — unique forms per employee, response pattern analysis, timing monitoring, exposure control
  • Data minimisation — only data required for assessment and reporting is collected and retained
  • Deletion and portability — organisations can request full data export or deletion at any time, in standard formats
  • Incident response — documented security incident response plan with defined severity levels, escalation procedures, and breach notification within 3 calendar days (PDPA) or 72 hours (GDPR)

Compliance & Certifications

What we hold, what we are pursuing, and what we have planned

We are transparent about our compliance posture. Items marked as in progress have defined timelines. Items marked as planned are on our roadmap with committed investment.

Singapore PDPA: Compliant
Data Protection Officer appointed. Breach notification procedures established. Consent management for assessment data implemented. Transfer limitation controls in place for cross-border data flows.

Hong Kong PDPO: Compliant
Compliant with all six Data Protection Principles. Purpose limitation, data accuracy, and access/correction rights implemented. Monitoring proposed amendments including mandatory breach notification.

WCAG 2.1 AA: Targeted
Designed to WCAG 2.1 AA. Keyboard navigation for all interactive elements including drag-and-drop alternatives. Screen reader tested (NVDA, JAWS). Timing accommodations for timed assessments per SC 2.2.1. Independent conformance audit and VPAT in preparation.

AERA/APA/NCME Standards: Aligned
Assessment methodology developed in accordance with the Standards for Educational and Psychological Testing (2014). Content validity established through systematic expert review. Progressive validation programme in progress.

IMDA Model AI Governance Framework: Aligned
AI scoring processes designed consistent with IMDA's principles of Explainability, Transparency, Fairness, and Human-Centricity. Voluntary AI Verify self-assessment under way as an additional governance layer.

PCPD AI Model Framework (Hong Kong): Aligned
Practices aligned with PCPD's Data Stewardship Values (Respectful, Beneficial, Fair) and seven Ethical Principles for AI use in personal data processing.

ISO 27001: In progress
Information Security Management System implementation underway. Certification targeted for Q4 2026. ISO 27001 is the primary security certification for APAC enterprise procurement.

SOC 2 Type I: In progress
Trust Service Criteria implementation leveraging significant control overlap with ISO 27001. SOC 2 Type I examination targeted following ISO 27001 certification. Note: SOC 2 is an attestation issued by a CPA firm, not a certification.

SOC 2 Type II: Planned
Type II observation period to begin following Type I completion. 3–12 month observation window evaluating operating effectiveness of controls over time.

GDPR: Compliant
Full GDPR compliance infrastructure in place. DPA available for all customers. Standard Contractual Clauses for cross-border transfers. Data subject rights (access, erasure, portability) implemented.

Assessment Data Handling

How proficiency data is collected, stored, and used

Assessment data is personal data. We treat it with the care and specificity that personal data requires.

What we collect: item responses, response times, proficiency scores, dimension-level estimates, confidence intervals, and session metadata. For prompt-writing items, we collect the text of the written response. For all items, we collect the response and its scoring outcome — not keystroke-level telemetry.

What managers see: team-level aggregate proficiency scores and dimension breakdowns. Managers do not see individual item responses, individual response times, or the content of prompt-writing answers. Individual proficiency profiles are visible only to the employee and to platform administrators.

What we never do: we never share individual assessment data with third parties. We never use assessment responses to train AI models. We never sell, licence, or monetise customer data in any form. Anonymised, aggregated benchmark data is used to generate industry comparisons — with a minimum threshold of 20 organisations per benchmark cohort to prevent re-identification.

Retention and deletion: Customer Data is retained for the duration of the customer contract. Following termination, Customer Data is available for export for 30 days, after which it is permanently deleted. Backup copies are purged within 30 days of deletion. Self-service account deletion is processed immediately. Manual deletion requests submitted via email to legal@genplify.com are processed within 30 days of receipt.

Comprehensive deletion: when you delete your account, the system executes a 25-step deletion cascade covering every table that holds a reference to your data — including assessment responses, scoring sessions, learning progress, consent records, audit log actor references, invitation history, and notification records. Records that cannot be deleted for legitimate audit or legal-defence reasons (such as access log entries) are cryptographically anonymised in place rather than retained as identifiable data.

Aggregate statistics — such as team-level completion rates — are computed in real time from current data. Genplify does not maintain cached aggregate stores. When a user is deleted, team statistics naturally adjust on the next page load without any backfill or recomputation step.

Psychometric Standards

Assessment integrity and fairness

As an assessment platform, we are subject to professional standards beyond data security.

Methodology governance: assessment development follows practices aligned with the Standards for Educational and Psychological Testing (AERA, APA, & NCME, 2014) and the Principles for the Validation and Use of Personnel Selection Procedures (SIOP, 2018). Content validity was established through systematic expert review by subject-matter experts in AI proficiency and psychometric assessment design.

Fairness and bias: a fairness review protocol is applied to all assessment items prior to release. Item content is reviewed for cultural, linguistic, and demographic sensitivity before operational use. Assessment scenarios are field-neutral — they do not require domain-specific knowledge in law, accounting, medicine, or any other specialised area.

Incident response for assessment integrity: sessions identified as potentially compromised through response pattern analysis are flagged for review. High-risk sessions are held pending human review by a Genplify administrator before scores are made visible. Sessions with lower-risk flags have scores released to the user immediately while the flag is reviewed by the administrator. Compromised sessions are invalidated with an opportunity for the employee to retake the assessment.

Documentation

Available for your evaluation

The following documents are available to support procurement, legal, and technical review.

Security Architecture Overview
Infrastructure, encryption standards, access controls, and network architecture.
Available on request

Privacy Policy
Full privacy policy covering data collection, processing, retention, and rights.

Data Processing Agreement (DPA)
PDPA and GDPR-compatible DPA template. Sub-processor list included.
Available on request

CAIQ Self-Assessment
Pre-completed Cloud Security Alliance Consensus Assessment Initiative Questionnaire. Registered on the CSA STAR Registry.
Available on request

Methodology Technical Summary
IRT model specification, scoring architecture, and validation approach for technical evaluators.
Available on request

Sub-Processor List
Complete list of sub-processors with their function, location, and data handling scope. Change notification process documented.
Available on request

For documents marked “available on request” or “available under NDA,” contact support@genplify.com or your account representative. We aim to respond to security documentation requests within two business days.

Questions about security or compliance?

Our team is available to walk through security architecture, discuss specific compliance requirements, or provide any documentation your procurement process needs.