Last updated May 2026
Security
Notice to administrator: the controls below describe the intended posture; tighten or correct any item that doesn't match the live system before procurement teams read this. Have it reviewed by your security lead before public launch.
Apply Intelligence stores data that schools regard as sensitive: pupil records, parental contact, agent commercials, financial transactions. The controls below describe how we protect it.
Hosting
- Cloud-native architecture: stateless application tier with managed Postgres, multi-tenant data isolation, and zero on-prem footprint.
- UK-hosted on Google Cloud (London region) for the application, database and backups.
- School-level data isolation: every record is scoped to a tenant identifier and queries are filtered server-side.
- Daily encrypted backups; restore drills run on a schedule.
Authentication and access
- Keycloak-backed authentication. SSO via SAML / OIDC available on the Enterprise tier.
- Role-based access control with a minimum of four built-in roles (admin, registrar, agent-team, view-only) and per-tenant custom roles available.
- Audit log of every record-changing action with actor, timestamp and source IP.
- Apply Intelligence staff access to customer data is read-only by default, time-bounded and logged.
Data protection
- TLS 1.2+ for all traffic in transit.
- Encryption at rest using Google Cloud-managed keys.
- Personal data minimisation: we collect only what the admissions workflow requires.
- Special-category fields (medical, learning-support flags) are opt-in and access-restricted.
Operational controls
- Production deploys go through code review and automated tests before release.
- Secrets stored in Google Secret Manager, never in source.
- Dependency scanning runs on every pull request; high-severity issues block merge.
- Vulnerability disclosure: report security issues to security@applyintel.ai. We aim to acknowledge within 1 working day.
Compliance
- UK GDPR compliant. DPA available on request and signed before kick-off (/dpa).
- ISO/IEC 27001 alignment in progress; we will publish certification when complete rather than claim it now.
Continuity
- Recovery point objective (RPO): 24 hours.
- Recovery time objective (RTO): 8 hours.
- Status and incident history published once we have at least one production tenant.
Contact
For security questions email security@applyintel.ai. For signed DPAs and procurement questionnaires email hello@applyintel.ai.