Trust centre

Honest security, privacy and AI facts for intle.

This centre states what is implemented today, what is verified, and what is still being confirmed. We do not present planned audits or certifications as completed.

Last updated: 12 June 2026

Verified EU data layer

Supabase database, authentication and storage are verified in eu-west-1. Sentry is verified in its EU region in Germany.

AI inference split

AI inference is processed outside the UK/EU by default. We rely on DPAs, API no-training defaults, retention limits, and human review before publication.

Still being confirmed

Vercel function region, Resend, Upstash, Inngest, Stripe, Cloudflare, and AI workspace data-control settings remain marked as being confirmed until dashboard checks are complete.

Security controls implemented today

  • Supabase/Postgres row-level security on app tables, with May 2026 policy hardening.
  • Burst rate limits on AI generation, editing, uploads, tracking, hosted-session responses, and contact routes.
  • Magic-byte upload verification, extension/signature mismatch rejection, and OOXML decompression-bomb caps.
  • SSRF guards for user-supplied URLs: HTTP(S) only, no credentials, no private/internal/metadata hosts, redirects rechecked, and 5 MB cap.
  • CSRF Origin/Sec-Fetch checks on state-changing API routes, excluding signed server-to-server webhooks.
  • HMAC-signed hosted-session participant cookies for participant track, respond, and finish endpoints.
  • Sentry redaction drops request bodies, strips sensitive headers, redacts emails/JWTs/Stripe keys/UUIDs, and keeps sendDefaultPii disabled.
  • Hosted-session passwords are bcrypt-hashed; account authentication is passwordless magic-link/SSO rather than stored account passwords.
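
One way to implement the SSRF rules listed above, as an added example that is not intle's code. The function names, the injected resolve parameter, the five-redirect limit, and the refusal of all IPv6 addresses are assumptions made for this sketch.

```javascript
// Added example, not intle's code: SSRF guard following the rules listed above.
const MAX_BYTES = 5 * 1024 * 1024; // 5 MB cap from the list
const MAX_REDIRECTS = 5; // assumption: the page gives no hop limit
// Dotted-quad IPv4 string -> [a, b, c, d], or null if it is not one.
function parseV4(host) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return null;
  const o = host.split(".").map(Number);
  return o.every((n) => n <= 255) ? o : null;
}
// Loopback, RFC 1918, CGNAT, 0/8 and link-local (which holds 169.254.169.254).
function isInternalV4([a, b]) {
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) || (a === 192 && b === 168) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 100 && b >= 64 && b <= 127);
}
// Checks on the URL text alone. Returns null when allowed, else a reason.
function checkUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return "unparseable"; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return "scheme";
  if (u.username || u.password) return "credentials";
  const host = u.hostname.toLowerCase();
  if (host === "localhost" || /\.(localhost|internal|local)$/.test(host)) return "internal-name";
  if (host.startsWith("[")) return "ipv6-literal"; // assumption: reject all IPv6 literals
  const v4 = parseV4(host); // URL() has already normalised forms like 0x7f.1
  return v4 && isInternalV4(v4) ? "internal-ip" : null;
}
// Fetch with every hop rechecked. resolve(host) -> IP strings; injected (hypothetical) for offline stubs.
async function guardedFetch(raw, resolve, fetchImpl = fetch) {
  let url = raw;
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    const reason = checkUrl(url);
    if (reason) throw new Error(`blocked: ${reason}`);
    for (const ip of await resolve(new URL(url).hostname)) {
      const v4 = parseV4(ip); // non-IPv4 answers are refused (assumption)
      if (!v4 || isInternalV4(v4)) throw new Error("blocked: internal address");
    }
    const res = await fetchImpl(url, { redirect: "manual" });
    const next = res.status >= 300 && res.status < 400 && res.headers.get("location");
    if (next) { url = new URL(next, url).href; continue; } // recheck the new target
    const chunks = [];
    let total = 0;
    for await (const chunk of res.body ?? []) {
      total += chunk.length; // count streamed bytes, not the Content-Length header
      if (total > MAX_BYTES) throw new Error("blocked: body over 5 MB");
      chunks.push(chunk);
    }
    return Buffer.concat(chunks);
  }
  throw new Error("blocked: too many redirects");
}
```

Resolving first and fetching second leaves a window in which DNS can change, so a production guard should also connect to the address it checked.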

Compliance roadmap

| Item | Status | Target |
|---|---|---|
| Cyber Essentials Plus | In progress | Target window: July-Oct 2026 |
| External penetration test | Planned | Target window: July-Oct 2026 |
| WCAG 2.2 AA accessibility audit | Planned | Target window: July-Oct 2026 |
| ISO 27001:2022 programme | Planned | Scope and target date to be confirmed after CE+/pen-test work |

Trust documents

Security questionnaires

For institutional due diligence, contact us with your questionnaire, procurement deadline, and any required DPA or security evidence.

Email admin@intle.co.uk