ISO 27001
Information security management practices are designed and audited against ISO 27001 controls, covering access management, incident response, data classification and supplier risk.
Trust and Security
Opportunity Platform stores resident data with care: masked by default, accessed by audit trail, and tied to explicit consent at every step. Every S106 evidence record is designed to withstand council and developer scrutiny.
Standards
The platform is designed to meet the standards that matter to local government procurement teams. Where a standard is shown as "Controls aligned" rather than "Certified", that reflects our honest current position. We will update badge status when certification is formally obtained.
Statuses reflect our current position. "Compliant" means a legal obligation we actively meet. "Controls aligned" means our practices are designed to match the standard; formal third-party certification is not yet held. Badge status will be updated when certification is obtained.
Data protection
The following controls are built into the platform and active on every deployment. They are not aspirational: each corresponds to shipped, tested code.
All data travels over TLS 1.2 or higher. Documents and files are stored in Cloudflare R2 object storage, encrypted at rest. No plaintext credentials are stored in the application database.
Uploaded evidence files (CVs, contractor documents, S106 evidence packs) are stored in private object storage. Access URLs are generated on demand, expire after a short window, and are never stored in the database.
Personally identifiable information is masked in the admin portal by default. Any staff member who reveals a masked field triggers an entry in the audit log, capturing the user, timestamp and field accessed. The full log is available to super-administrators at /dashboard/admin/audit.
Evidence upload requests are issued as single-use, time-limited tokens. A link cannot be reused after the first successful submission, and expired tokens are rejected at the server. This prevents unauthorised re-submission.
Every evidence submission records an explicit consent timestamp and the exact consent text shown to the submitter. This creates a defensible record that data was provided with informed consent, meeting UK GDPR Article 7 requirements.
The platform supports data-subject access requests (SARs) and right-to-erasure requests, managed through the admin portal at /dashboard/admin/sar. Erasure is handled by a dedicated anonymisation function that replaces personal data with pseudonymous tokens while preserving aggregate audit records.
Every dashboard section is gated by a role check. Super-admins, council officers, delivery staff, employers and residents each have a defined permission set. Access is evaluated server-side on every request; client-side rendering cannot bypass it.
S106 planning obligation commitments, evidence uploads, consent records and access logs form a connected, timestamped chain. Councils and developers can verify that reported outcomes are backed by original evidence, not reconstructed after the fact.
CV reading is deterministic and runs on our own UK-hosted servers, with no third-party AI involved. Resident CVs and personal data are never sent to AI services outside the UK. Where AI assists (for example short, anonymised match rationales) the input carries no personal identifiers.
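One way the single-use, time-limited evidence upload tokens described above could be enforced at the server, as an added example that is not the platform's own code. The token format, the `UploadTokenService` class and the in-memory used-token set are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class UploadTokenService:
    """Hypothetical issuer/validator for single-use, time-limited upload links."""

    def __init__(self, key, ttl_seconds=900, clock=time.time):
        self._key = key
        self._ttl = ttl_seconds
        self._clock = clock
        # Assumption: in production this is a database table with a unique
        # constraint on token_id, so concurrent redemptions cannot both succeed.
        self._used = set()

    def _sign(self, payload):
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, request_id):
        """Return an opaque token bound to one evidence request."""
        token_id = secrets.token_urlsafe(16)  # contains no "." characters
        expires = int(self._clock()) + self._ttl
        payload = f"{request_id}.{token_id}.{expires}"
        return f"{payload}.{self._sign(payload)}"

    def redeem(self, token, store_submission):
        """Return 'accepted' or the reason the token was rejected."""
        payload, _, signature = token.rpartition(".")
        # Verify integrity first, in constant time, before trusting any field.
        if not hmac.compare_digest(self._sign(payload).encode(), signature.encode()):
            return "invalid"
        request_id, token_id, expires = payload.rsplit(".", 2)
        if self._clock() >= int(expires):
            return "expired"
        if token_id in self._used:
            return "already_used"
        # The token is consumed only after a successful submission, so a
        # failed upload does not lock the submitter out.
        if not store_submission(request_id):
            return "submission_failed"
        self._used.add(token_id)
        return "accepted"


if __name__ == "__main__":
    service = UploadTokenService(secrets.token_bytes(32), ttl_seconds=900)
    link_token = service.issue("evidence-request-1")  # constructed sample id
    print(service.redeem(link_token, lambda request_id: True))  # first use
    print(service.redeem(link_token, lambda request_id: True))  # replay
```

Because the expiry and request id sit inside the signed payload, a submitter cannot extend a link's lifetime or point it at another request without invalidating the signature.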
A note on honesty
This is a government-facing product and every claim on this page must be accurate and defensible. Standards shown as "Controls aligned" have not yet been through formal third-party certification. ISO 27001 certification requires an accredited external audit; we are working toward that. We will not mark a standard as "Certified" until the certificate is in hand.
For data protection enquiries, security questions or to request a copy of our data processing register, contact: connect@opportunityplatform.co.uk