Encryption
All data encrypted in transit (TLS 1.3) and at rest (AES-256). Database encryption uses provider-managed keys with customer-managed key options available on request for Enterprise tier.
Trust & Security
How we protect your data
Assessment data is sensitive. Proficiency scores, response patterns, and organisational benchmarks require the same protection as any enterprise-grade system handling personal data. This page documents our security architecture, compliance posture, and where we stand on the certifications that enterprise procurement requires.
PDPA compliantPDPO compliantWCAG 2.1 AA
Security Architecture
Enterprise security architecture
Data Residency
Primary infrastructure hosted on AWS (ap-southeast-1, Singapore). Data residency controls available for organisations with jurisdiction-specific requirements. No data is transferred outside your specified region without explicit consent.
Access Control
Role-based access control (RBAC) with three levels: employee, manager, and administrator. SSO via SAML 2.0 and OIDC available for Enterprise tier. Multi-factor authentication supported. All access events logged for audit.
Audit Logging
Comprehensive audit trail for all administrative actions, data exports, and access events. Logs retained for 12 months minimum. Available for export on request.
Business Continuity
Automated daily backups with 30-day retention. Documented disaster recovery plan with defined recovery objectives. Business continuity procedures tested and updated on a regular schedule.
AI Data Handling
Your assessment data is never used to train AI models. Prompt-writing responses are scored via the Anthropic API with a dedicated, isolated processing pipeline. Anthropic's data retention policy confirms that customer API data is not used for model training. No assessment data is shared with any third-party AI provider for training purposes.
Product Security
Security features built into the platform
- Single Sign-On (SSO) via SAML 2.0 and OpenID Connect — available for Enterprise tier on request
- Multi-factor authentication supported for all account types
- Role-based access control — managers see team aggregates only, not individual item responses
- Data export controls — administrators control what can be exported and by whom
- Session management — automatic timeout, concurrent session limits, forced logout capability
- Assessment integrity — unique forms per employee, response pattern analysis, timing monitoring, exposure control
- Data minimisation — only data required for assessment and reporting is collected and retained
- Deletion and portability — organisations can request full data export or deletion at any time, in standard formats
- Uptime commitment — 99.5% uptime commitment with contractual service credits for shortfalls. Infrastructure monitoring with alerting. Scheduled maintenance windows communicated in advance
- Incident response — documented security incident response plan with defined severity levels, escalation procedures, and breach notification within 3 calendar days (PDPA) or 72 hours (GDPR)
Compliance & Certifications
What we hold, what we are pursuing, and what we have planned
We are transparent about our compliance posture. Items marked as in progress have defined timelines. Items marked as planned are on our roadmap with committed investment.
Singapore PDPA
Compliant
Data Protection Officer appointed. Breach notification procedures established. Consent management for assessment data implemented. Transfer limitation controls in place for cross-border data flows.
Hong Kong PDPO
Compliant
Compliant with all six Data Protection Principles. Purpose limitation, data accuracy, and access/correction rights implemented. Monitoring proposed amendments including mandatory breach notification.
WCAG 2.1 AA
Targeted
Designed to WCAG 2.1 AA. Keyboard navigation for all interactive elements including drag-and-drop alternatives. Screen reader tested (NVDA, JAWS). Timing accommodations for timed assessments per SC 2.2.1. Independent conformance audit and VPAT in preparation.
AERA/APA/NCME Standards
Aligned
Assessment methodology developed in accordance with the Standards for Educational and Psychological Testing (2014). Content validity established through systematic expert review. Progressive validation programme in progress.
IMDA Model AI Governance Framework
Aligned
AI scoring processes designed consistent with IMDA's principles of Explainability, Transparency, Fairness, and Human-Centricity. Voluntary AI Verify self-assessment under way as an additional governance layer.
PCPD AI Model Framework (Hong Kong)
Aligned
Practices aligned with PCPD's Data Stewardship Values (Respectful, Beneficial, Fair) and seven Ethical Principles for AI use in personal data processing.
ISO 27001
In progress
Information Security Management System implementation underway. Certification targeted for Q4 2026. ISO 27001 is the primary security certification for APAC enterprise procurement.
SOC 2 Type I
In progress
Trust Service Criteria implementation leveraging significant control overlap with ISO 27001. SOC 2 Type I examination targeted following ISO 27001 certification. Note: SOC 2 is an attestation issued by a CPA firm, not a certification.
SOC 2 Type II
Planned
Type II observation period to begin following Type I completion. 3–12 month observation window evaluating operating effectiveness of controls over time.
GDPR
Compliant
Full GDPR compliance infrastructure in place. DPA available for all customers. Standard Contractual Clauses for cross-border transfers. Data subject rights (access, erasure, portability) implemented.
Assessment Data Handling
How proficiency data is collected, stored, and used
Assessment data is personal data. We treat it with the care and specificity that personal data requires.
What we collect: item responses, response times, proficiency scores, dimension-level estimates, confidence intervals, and session metadata. For prompt-writing items, we collect the text of the written response. For all items, we collect the response and its scoring outcome — not keystroke-level telemetry.
What managers see: team-level aggregate proficiency scores and dimension breakdowns. Managers do not see individual item responses, individual response times, or the content of prompt-writing answers. Individual proficiency profiles are visible only to the employee and to platform administrators.
What we never do: we never share individual assessment data with third parties. We never use assessment responses to train AI models. We never sell, licence, or monetise customer data in any form. Anonymised, aggregated benchmark data is used to generate industry comparisons — with a minimum threshold of 20 organisations per benchmark cohort to prevent re-identification.
Retention and deletion: assessment data is retained for the duration of the customer contract plus 90 days. Customers can request full data export (in standard CSV/JSON formats) or complete deletion at any time. Deletion requests are processed within 30 days and confirmed in writing.
Psychometric Standards
Assessment integrity and fairness
As an assessment platform, we are subject to professional standards beyond data security.
Methodology governance: assessment development follows practices consistent with the Standards for Educational and Psychological Testing (AERA, APA, & NCME, 2014) and the Principles for the Validation and Use of Personnel Selection Procedures (SIOP, 2018). Content validity was established through systematic expert review by subject-matter experts in AI proficiency and psychometric assessment design.
Fairness and bias: Differential Item Functioning (DIF) analysis is a planned component of our validation programme, consistent with AERA/APA/NCME Chapter 3 requirements. Item content is reviewed for cultural, linguistic, and demographic sensitivity prior to operational use. Assessment scenarios are field-neutral — they do not require domain-specific knowledge in law, accounting, medicine, or any other specialised area.
Professional affiliations: Genplify is a member of the Association of Test Publishers (ATP) and the Asia-ATP (A-ATP) division, participating in the professional community that governs test publishing standards, security, and interoperability.
Incident response for assessment integrity: sessions identified as potentially compromised through response pattern analysis, timing anomalies, or other detection methods are queued for human review before scores are released. Compromised sessions are invalidated with an opportunity for the employee to retake the assessment.
Documentation
Available for your evaluation
The following documents are available to support procurement, legal, and technical review.
Security Architecture Overview
Infrastructure, encryption standards, access controls, and network architecture.
Available on request
Privacy Policy
Full privacy policy covering data collection, processing, retention, and rights.
Data Processing Agreement (DPA)
PDPA and GDPR-compatible DPA template. Sub-processor list included.
Available on request
CAIQ Self-Assessment
Pre-completed Cloud Security Alliance Consensus Assessment Initiative Questionnaire. Registered on the CSA STAR Registry.
Available on request
Methodology Technical Summary
IRT model specification, scoring architecture, and validation approach for technical evaluators.
Penetration Test Report
Third-party penetration test by an independent security firm. Results will be shared under mutual NDA once completed.
Planned
Sub-Processor List
Complete list of sub-processors with their function, location, and data handling scope. Change notification process documented.
Available on request
For documents marked “available on request” or “available under NDA,” contact security@genplify.com or your account representative. We aim to respond to security documentation requests within two business days.
Questions about security or compliance?
Our team is available to walk through security architecture, discuss specific compliance requirements, or provide any documentation your procurement process needs.