Skill Readiness

Trust

Security and Data

A concise summary of how we protect customer workspaces, assessment data, and platform operations.

Effective Date

April 25, 2026

Last Updated

April 25, 2026

WAHLU LABS PTY LTD

ACN 696 304 140 · ABN 99 696 304 140 · Governing law: New South Wales, Australia

Skill Readiness is built for organisational assessment workflows where participant data, reviewer notes, reporting outputs, and workspace administration records need to be handled carefully. This page summarises the current control environment at a practical level.

Platform hosting and storage

  • The authenticated app and marketing site run on managed Google Cloud infrastructure.
  • Primary application data is stored in MongoDB Atlas.
  • Workspace assets are stored in managed cloud object storage.
  • Transactional platform email is delivered through Amazon Simple Email Service.
  • Payment processing, where used, is handled through Stripe.

Access controls

  • Workspace access is membership-based and role-based.
  • Customers control member invitations, workspace roles, and participant access.
  • Protected application routes and API procedures require authenticated access.
  • Participants access assessment workflows through invite-bound links and matching email identity checks.

Authentication

Skill Readiness uses passwordless email-based authentication for the core platform. Session controls, rate limits, browser security headers, and protected API boundaries are used to reduce common account and application risks.

Application security

  • Transport is encrypted over HTTPS in production.
  • Runtime secrets are kept out of the repository and resolved from deployment configuration.
  • The authenticated app is configured to avoid search engine indexing of internal pages.
  • Security headers and a public vulnerability contact path are published for the public surfaces.
  • Key workspace and delivery events are recorded in the product audit history.

Backups, export, and deletion

We use managed infrastructure and database backup capabilities to support service continuity. Customer data export, return, and deletion requests are handled in line with the relevant customer agreement, our Data Processing Addendum, and legal obligations. Backup deletion may lag live-system deletion where immediate erasure is not technically practical, but backup data remains subject to the same protection expectations while retained.

Incident response

If we identify a confirmed incident affecting customer personal data, we will investigate, contain the issue where possible, and notify affected customers without undue delay. For customer-specific contractual notice periods, the signed customer agreement will apply.

Current assurance posture

We are a small company and do not currently publish SOC 2, ISO 27001, or equivalent external audit certifications. We can provide reasonable security information for customer diligence under appropriate confidentiality conditions.

Further information

Related legal and data handling information is available in our Privacy Policy, Data Processing Addendum, and Subprocessors list.