Security & data protection

Engineered for the most sensitive data your HR team handles.

ConductPath processes conduct allegations, witness testimony, mitigating circumstances and protected-characteristic data. Our posture is structurally engineered to meet that bar.

Data protection posture

Non-negotiable defaults on every deployment.

UK-region hosting

Hosted on AWS eu-west-2 (London). No data transfer outside the UK without customer-specific consent.

UK GDPR by design

You are the data controller. ConductPath is your data processor under an Article 28 DPA executed at contracting.

Encryption

TLS 1.3 in transit and AES-256 at rest. Access is granted on a least-privilege basis and is logged and auditable.

Tenant isolation

Enforced at the application layer with per-request scoping. Access by ConductPath personnel is logged and auditable.

No training on your data

Frontier-model API use governed by commercial DPAs with explicit no-training-on-customer-data clauses.

Export and deletion

Full customer-data export and deletion supported at termination per MSA Section 5.

Certification roadmap

On a defined path to the standards mid-market procurement expects.

Mid-Year 1
UK Cyber Essentials Plus

Standard baseline for UK public-sector-adjacent procurement.

End of Year 2
SOC 2 Type II

Target for scale-tier and enterprise procurement processes.

Ongoing
Annual DPIA + penetration test

Independent testing published to customers on request.