Trust & security

Enterprise-grade trust for regulated learner data

Journey holds your apprentices' special-category data, the evidence behind your funding claims and your audit trail. We protect it with externally-audited standards, defence-in-depth engineering and a security model designed for multi-tenant scale.

Independently certified

Journey is built and operated by TechGeek, a UK company certified to ISO 9001, ISO 27001 and Cyber Essentials — the same externally-audited standards expected of enterprise software.

Citation ISO Certification — ISO 9001:2015 and ISO 27001:2022 registered, certificate no. 523362026

ISO 9001 & ISO 27001

  • ISO 9001:2015Quality Management
  • ISO 27001:2022Information Security

An externally-audited Integrated Management System governs how Journey is designed, built and supported, and how your learners' special-category data is protected end to end.

Cyber Essentials certified — UK government / NCSC-backed scheme

Cyber Essentials

  • Cyber EssentialsNCSC-backed scheme

Independently certified under the UK government and NCSC scheme that verifies our defences against the most common internet-based cyber attacks.

How we protect your data

Security is built into the architecture, not bolted on. These are the controls that protect every tenant.

Hard tenant isolation

Every read is filtered and every write is stamped with your tenant. Cross-tenant access is impossible by design — a request for another provider's data returns nothing.

Role-based access control

Permissions are catalogue-defined and granted per role. Staff and learners see only what their role allows, and sensitive PII is gated behind specific permissions.

Append-only audit log

Every significant action is recorded in a tamper-evident, append-only log — who did what, when. History cannot be rewritten, even by administrators.

UK / EU hosting & encryption

Data is hosted in the UK / EU, encrypted in transit and at rest, with encrypted backups. We do not sell personal data, ever.

Governed AI

AI prompts are scrubbed of personal data and scoped to your tenant, every call is metered, and features degrade safely if a model is unavailable.

Funding-safe by construction

Funding, gateway, EPA and ILR figures are computed server-side against versioned DfE/ESFA rule packs, with concurrency-safe state machines.

Policies & documents

Everything we publish, in one place. Need a signed DPA, a security questionnaire completed or evidence for your due diligence? We are ready.