WAIA Security Summary
This Security Summary explains the practical measures Nineteen Point Two Limited uses to protect WAIA and customer data.
It is designed to provide commercial and procurement confidence. It does not represent a formal security certification.
1. Security approach
WAIA is designed around controlled access, role-based permissions, supplier-backed infrastructure and proportionate operational security.
The platform is intended to process ordinary workplace learning and adoption data. It is not intended to process special category data, highly sensitive HR casework, medical records, disciplinary records, financial account information or national identifiers.
2. Access controls
WAIA uses role-based access controls. Typical roles include:
- platform administrator
- organisation administrator
- learner
Organisation administrators should only see users, settings, guidance and reporting connected to their own organisation.
Platform administrator access should be restricted to authorised Nineteen Point Two personnel and used only where necessary to operate, support or secure the service.
3. Authentication
WAIA uses authentication services provided through its configured platform and infrastructure providers.
Authentication configuration should be reviewed regularly to confirm:
- only authorised users can access WAIA
- administrator access is limited
- inactive users can be removed
- access is revoked when no longer required
- production credentials are not exposed in code or public repositories
4. Data segregation
WAIA is designed as a multi-tenant platform. Customer data should be logically separated so that organisation administrators and learners access only the records appropriate to their organisation and role.
Row-level security and database access rules should be maintained and tested where supported by the database provider.
5. Infrastructure
WAIA uses third-party infrastructure providers for application hosting, database, authentication, storage, deployment and related services.
Current providers include Lovable Cloud and Supabase, with GitHub used for code hosting and website deployment where relevant.
Nineteen Point Two relies on these providers for parts of the underlying security model, including physical security, core infrastructure security, encryption capabilities and service availability.
6. Encryption
WAIA should use HTTPS for data in transit.
Encryption at rest depends on the relevant hosting, database and storage providers. Provider documentation should be retained for procurement review.
7. Logging and monitoring
WAIA and its providers may generate technical logs for security, troubleshooting, reliability and performance.
Logs may include IP addresses, user identifiers, device information, timestamps, error details and request metadata.
Log access should be limited to authorised personnel and retained only as long as reasonably required.
8. Backups and recovery
Backup and recovery arrangements depend on the configured infrastructure providers.
Nineteen Point Two should confirm and document:
- whether production data is backed up
- backup frequency
- backup retention
- restore process
- who can access backups
- how deleted data is handled in backups
9. Supplier security
Nineteen Point Two uses suppliers to operate WAIA. Suppliers that process Customer Personal Data should be covered by data processing terms or equivalent contractual commitments.
Supplier security documentation should be reviewed and retained where available.
10. Incident handling
Nineteen Point Two will investigate suspected security incidents and take reasonable steps to contain, assess and remediate confirmed issues.
Where a confirmed personal data breach affects Customer Personal Data, Nineteen Point Two will notify the affected customer without undue delay in line with the Data Processing Agreement.
11. Customer responsibilities
Customers are responsible for:
- choosing appropriate organisation administrators
- removing users who no longer need access
- keeping login credentials secure
- using WAIA in line with internal policies
- avoiding upload of unnecessary sensitive data
- deciding how WAIA records are used internally
12. Security contact
For security questions, contact ben@nineteenpointtwo.com.