EdTechLab

Security & trust

A small public website still needs clear security boundaries and a transparent data story.

EdTechLab keeps the public website intentionally narrow in scope: static public pages, limited observability on approved domains, and a server-side contact route rather than a larger account or transaction surface. This page explains the current trust posture as it exists on 11 March 2026.

Scope

Public information website

No public user accounts, payments, or self-serve customer data layer.

Core stack

Vercel + Resend

Hosting, server-side form handling, aggregate observability, and transactional email.

Current control posture

  • Traffic is served over HTTPS through the hosting platform.
  • Website enquiries are posted to a server-side endpoint rather than a client-only mail flow.
  • Public third-party script use is intentionally limited to essential analytics and performance tooling.
  • Contact-form submissions include lightweight spam controls and validation checks.
  • No advertising cookies or third-party profiling are used on the public site.

What is and is not claimed

This page describes the current website implementation honestly. It does not imply certifications that have not yet been awarded or institutional deployments that do not yet exist. The current posture is a transparent early-stage trust baseline, not a claim of mature enterprise accreditation.

Infrastructure and data handling

Provider footprint, minimised collection, and a documented response path.

The public website is hosted on Vercel. The contact form is handled through a server-side endpoint in the same deployment, and notification emails are delivered through Resend. On approved live or preview domains, the site may also use Vercel Web Analytics and Speed Insights for aggregate usage and performance information.

EdTechLab aims to collect only what is needed to operate the site, respond to enquiries, and maintain basic observability. The website does not currently offer end-user accounts, behavioural advertising, or a broader application database through the public site layer.

| Provider | Function | Relevant data | Current notes |
| --- | --- | --- | --- |
| Vercel | Static hosting, asset delivery, serverless contact endpoint, aggregate observability. | Technical request metadata, IP address, performance data, and contact-form request metadata. | Provider trust documentation is published publicly; routing may involve global edge delivery. |
| Resend | Transactional delivery of enquiry notifications. | Sender and recipient email details, message content, and delivery metadata. | Sending domains can be configured in multiple regions, including Ireland and North Virginia. |

Incident handling

If a security issue affecting the public site is identified, the initial response is to confirm scope, contain exposure, rotate relevant credentials or access where needed, and assess whether notification duties arise under contract or data-protection law.

Compliance posture

  • UK GDPR and ICO guidance shape the public-site privacy baseline.
  • WCAG 2.2 AA is the accessibility target for public pages.
  • Public trust claims are kept narrower than the current evidence allows.
  • Any certification claims will only be published once they are formally awarded.