DevBot and ambivalence are built with public sector procurement in mind. UK/EU-hosted, UK GDPR-compliant, aligned to recognised frameworks — and plainly documented, because "trust us" is not an answer an information governance team accepts.
All ambivalence platform data — learner progress, credential assertions, analytics, tenant configuration — is hosted on IONOS infrastructure in the UK and Germany, which keeps data within the UK and European Economic Area. No learner personal data leaves UK/EU jurisdiction as part of normal operation. For institutional customers with strict residency requirements, we can scope deployment to a single region on request.
We process personal data in line with the UK GDPR and the Data Protection Act 2018. We minimise what we collect, retain only what's necessary to operate the service, and support the full set of data subject rights (access, rectification, erasure, portability, restriction, objection). For institutional licensees, a Data Processing Agreement is provided as standard as part of the licensing pack — no legal wrangle required to get started.
Our security practices are aligned to the NCSC 14 Cloud Security Principles and benchmarked against ISO 27001 and the NHS Data Security and Protection Toolkit (DSPT). Standard practices include: HTTPS everywhere, encryption in transit and at rest, secure credential storage, principle-of-least-privilege access, structured logging and monitoring, and pre-deployment timestamped backups with documented rollback procedures. Payment card data is not stored on our infrastructure; licensing is invoiced.
Open Badges 3.0 credentials issued by ambivalence are cryptographically signed using Ed25519 (eddsa-rdfc-2022 cryptosuite). Each assertion lives at a permanent verify URL and can be validated independently — any employer or institution can confirm a credential's authenticity without contacting us, without an account, and without a subscription. Credentials do not expire when a licence does.
We use IONOS for primary hosting — a long-established European provider with ISO 27001-certified data centres in the UK and Germany. Email delivery for transactional and marketing identities is routed through established UK/EU SMTP providers; we do not rely on unregulated third-country relays.
For procurement, information governance, or security review, we can share:
For security questionnaires, DPAs, data residency clarifications, or specific compliance questions, email hello@dev-bot.co.uk with "Security & Trust Enquiry" in the subject. We aim to respond within two working days.