Protecting access and learning records.
A public summary of current controls—not a map of sensitive internal configuration.
Current controls
- Encrypted HTTPS connections across the website and portal.
- Supabase authentication for named user accounts.
- Role-based access for learners, seniors, managers and administrators.
- Organisation checks on manager-level server actions.
- Server-side protection for privileged administration, registration and content-import routes.
- Cloudflare environment secrets for sensitive service credentials.
- Signed GoCardless webhook verification before paid licences are applied.
Operating responsibilities
- Customers control who receives staff registration codes.
- Users must keep credentials private and use their own named account.
- Managers should remove access when staff leave or no longer require the service.
- Suspected incidents should be reported promptly to Dragonfly.
- Security controls are reviewed as the service and threat environment evolve.
