IT and security review

SkillProof security and supplier review pack.

Use this page to review SkillProof domains, data categories, infrastructure providers, third-party services and security controls before approving access or starting a pilot.

What is SkillProof?

Workforce training and compliance records, not patient records.

SkillProof is used to manage workforce training, evidence, registrations, renewals, reminders, reports and audit-ready compliance records.

It is not a patient record system. Review teams should use fake/test data during supplier checks, pilots and workspace setup before adding real staff records.

www.skillproof.uk

Public marketing website, trial requests, demo requests, partner information and trust/legal pages.

skillproof.uk

Apex domain used for brand access and canonical redirect handling.

app.skillproof.uk

Customer application for login, workforce training records, development records, actions, evidence, reports and billing access.

Data handled

Staff names and work contact details

Job roles, sites, departments and manager relationships

Training records, renewal dates and compliance statuses

Appraisal records, CPD records and development action records

Evidence and certificates uploaded by customer organisations

Assessments, checklists, declarations and sign-offs

Professional registrations, licences and role-specific checks

Reports, exports and audit pack records

Security controls

HTTPS/TLS for public website and app access

Organisation-level data separation

Role-based access controls

Private evidence storage linked to workforce records

Audit and activity logging where implemented

Controlled user access and invite-based customer setup

Secure Stripe billing with no card numbers stored by SkillProof

Data export support for customer records

Infrastructure providers

Established providers, honest certification wording.

SkillProof uses established infrastructure providers. Their security programmes support the SkillProof supply chain, but this does not mean SkillProof itself is independently certified.

SkillProof does not currently claim ISO 27001, SOC 2, Cyber Essentials or NHS accreditation unless separately confirmed.

Vercel - hosting, deployment and application delivery
Cloudflare - DNS, SSL, routing and security layer
Supabase - database, authentication and file storage
Stripe - payments, subscriptions, invoices and billing portal
Web3Forms - public website form delivery
Google Analytics - consented, sanitised server-side analytics event delivery
Resend - email delivery if enabled for application emails

Third-party domains

External services used by SkillProof.

These domains may appear in website form delivery, analytics, billing or application email flows. They should be reviewed alongside the primary SkillProof domains where local filtering tools require supplier details.

api.web3forms.com
api.stripe.com
checkout.stripe.com
billing.stripe.com
www.google-analytics.com
api.resend.com

Network and IT allowlisting

Domains for review.

Organisations may need their IT or security team to review or allowlist these domains if local web filtering blocks new or uncategorised SaaS domains.

SkillProof is a staff training and compliance platform.

SkillProof is not a patient record system.

Supplier review and onboarding testing should use fake/test data first.

The public website does not load third-party browser analytics, advertising, retargeting, session replay or heatmap tags. Consented first-party events are sanitised and sent through SkillProof's server.

https://www.skillproof.uk

Public website, legal pages, trust information, trial requests and demo requests.

https://skillproof.uk

Apex brand domain that redirects to the canonical public website.

https://app.skillproof.uk

Customer application for authorised users managing workforce records and reports.

Security contact: Contact SkillProof support. Privacy and supplier review questions can also be sent to Contact the privacy team.