Security and Compliance

A calm, honest summary of how MYQER protects data.

This page exists for school procurement officers, Data Protection Officers, and safeguarding leads who need to understand MYQER's security posture before sign off. It answers the questions a serious procurement review would ask, in plain English, with no jargon and no inflated claims.

```
Operator THREEVION Ltd
Companies House 16861658
ICO Registration ZC076886
Document Version v1.0 · May 2026

01Summary

MYQER and MYQER EDU are operated by THREEVION Ltd, a UK private limited company registered with Companies House (No. 16861658) and registered with the Information Commissioner's Office as a data controller (ZC076886). MYQER's purpose is to give authorised individuals fast, scan based access to a small set of emergency information that has been entered and controlled by the data subject or their parent or guardian.

The platform is built on the principle of minimum data, maximum availability. Only essential emergency information is collected. Only the person who entered the information can edit it. Only on a scan does the information surface, and only on the scanning device for the duration of the scan session. There is no behavioural tracking, no engagement scoring, no surveillance, and no AI based decision making anywhere in the platform.

UK GDPR Aligned ICO Registered ISO 27001 Hosted SOC 2 Type 2 Hosted No Behavioural Tracking No AI Decision Making

02What MYQER is and is not

MYQER is an emergency information access platform. It is the layer between information being recorded and information being reachable in seconds.

MYQER is

  • A parent controlled, school enabled emergency information access tool.
  • A QR card system that surfaces critical emergency information on a scan, without an app or login.
  • A small, focused profile per person, with a clear emergency view.
  • A read only display of the information the data subject has chosen to share.

MYQER is not

  • A medical device, diagnostic tool, or substitute for professional clinical judgement.
  • A replacement for emergency services, first aid training, or staff CPR or AAI training.
  • A replacement for a school's MIS, safeguarding platform, medical tracker, or Individual Healthcare Plans.
  • A surveillance tool, behavioural analytics platform, or engagement scoring system.
  • An AI decision making system. No automated decisions are made about the data subject.
Why this distinction matters

MYQER provides access to information that someone has voluntarily chosen to share for the purpose of an emergency response. It does not interpret that information, recommend an action, or replace the trained judgement of the person responding. Schools and adults using MYQER remain fully responsible for their own clinical, safeguarding, and emergency response decisions.

03What data MYQER holds

The information stored against a MYQER profile is the minimum required to support an emergency response, and is entered and controlled by the data subject or, in the case of a minor, by their parent or legal guardian. A typical profile contains:

  • Given name and a chosen identifier (often a first name and last initial).
  • Date of birth, where the parent chooses to include it.
  • Known allergies, with the parent's chosen level of detail.
  • Prescribed medications relevant to an emergency, such as adrenaline auto-injectors, asthma inhalers, or rescue medications.
  • Known medical conditions that the parent considers relevant to share.
  • Up to three emergency contacts with phone numbers.
  • Free text guidance the parent has chosen to include, for example "do not give nuts" or "asthma plan in school office."

MYQER does not collect

  • NHS numbers, GP details, or clinical records.
  • Behavioural data, location data, or device identifiers beyond what is needed for the platform to function.
  • School performance data, attendance, attainment, or pastoral records.
  • Special category data beyond what the parent has chosen to enter for emergency purposes.
Lawful basis

For data entered by adult data subjects, the lawful basis under UK GDPR Article 6(1)(a) is consent, and under Article 9(2)(a) for health information. For data entered by parents in respect of their children, the parent provides consent under the same articles and acts as the controller of their child's profile. MYQER, through THREEVION Ltd, operates as a joint controller for the platform's operational data and as a processor for the school in its emergency access role.

04Hosting and infrastructure

MYQER runs on cloud infrastructure that holds independently audited security certifications. We are transparent about which providers we use and what certifications they hold.

Application Hosting
Render
ISO/IEC 27001:2022, SOC 2 Type 2. UK and EU region.
Database & Authentication
Supabase
ISO/IEC 27001:2022, SOC 2 Type 2, HIPAA, PCI DSS, GDPR. EU region.
Data Region
European Union
Data resides within EU data centres. UK adequacy framework applies.
Operating Context
United Kingdom
THREEVION Ltd is the UK operator. ICO is the supervisory authority.
Honest statement about certification

THREEVION Ltd itself is not currently ISO 27001 certified. Independent certification is on our roadmap as MYQER scales. What we can confirm with verifiable evidence is that the infrastructure MYQER runs on holds those certifications, and that the security controls described on this page are implemented in the way modern certified platforms operate.

05Encryption

  • In transit. All data is transmitted over HTTPS using TLS 1.2 or higher. Plain HTTP requests are redirected to HTTPS at the edge.
  • At rest. The underlying database storage encrypts data at rest using AES-256, managed by the hosting provider.
  • Backups. Daily encrypted backups are retained by the hosting provider in accordance with their certified backup procedures.
  • Secrets management. Application secrets and API keys are stored in environment variables held by the hosting provider, not in source code or in publicly accessible storage.

06Access and authentication

For data subjects and parents

Access to the profile management area uses email based magic link authentication. Passwords are not used. Sessions are time limited.

For emergency scan access

A scan reveals only the emergency view, which is the read only information the data subject has chosen to share for the purpose of emergencies. The information surfaces on the scanning device for the duration of the scan session and does not persist on the device.

For THREEVION administrators

Internal administrative access is restricted to named THREEVION personnel, currently the founder. Access uses authenticated sessions to the admin interface, with all sensitive operations recorded in an append only audit log. Administrative access does not include the ability to view or export personal health information held in profiles, beyond what is necessary for support requests received from the data subject.

No school logins

MYQER is deliberately designed without school logins. Schools do not have user accounts on the MYQER platform. This reduces the surface area for credential related risk and removes one of the most common safeguarding incident vectors in education technology.

07Retention and deletion

  • While the profile is active. Data is retained for as long as the data subject or parent maintains the profile.
  • On request to delete. Profile data is deleted within thirty days of a verified deletion request, with backups expiring within ninety days under standard backup rotation.
  • On inactivity. If a profile has not been accessed by its owner for a period of twenty four months, MYQER will contact the registered email address before any retention action is taken.
  • Aggregated, non identifying operational data (for example, total scans per school per month) may be retained for service operation, billing reconciliation, and the school's monthly readiness report. This data does not identify individuals.

08Subprocessors

MYQER engages a small number of subprocessors to operate the platform. The current list is shown below and is updated when a subprocessor is added or removed. Schools entering a Data Processing Agreement with THREEVION Ltd are notified of material changes to this list.

Subprocessor Purpose Region Verification
Render Application hosting and web infrastructure EU render.com/compliance
Supabase Database, authentication, file storage EU supabase.com/security
Resend Transactional email delivery (invites, notifications) EU/US resend.com/legal/dpa
Cloudflare DNS, edge caching, TLS termination Global cloudflare.com/trust-hub

Each subprocessor operates under its own data processing agreement with THREEVION Ltd. Schools entering a DPA with THREEVION are deemed to have given general written authorisation for the engagement of subprocessors above, on the condition that THREEVION provides advance notification of any new subprocessor and that the school may object on reasonable grounds.

09Breach notification

In the event of a personal data breach affecting school or pupil data, THREEVION Ltd will:

  • Investigate and contain the breach without undue delay.
  • Notify the affected school's designated contact, in writing, within seventy two hours of THREEVION becoming aware of the breach.
  • Provide the school with the information needed for the school to discharge its own obligations to the Information Commissioner's Office, including the nature of the breach, categories of data and data subjects affected, likely consequences, and measures taken or proposed.
  • Notify the ICO directly where THREEVION's role as a joint controller for platform level data requires it, in accordance with UK GDPR Article 33.
  • Cooperate fully with the school's own incident response procedures and any subsequent regulatory enquiry.
Subprocessor incidents

If a security incident is reported by one of MYQER's subprocessors, THREEVION will treat it as a potential breach and notify schools using the same seventy two hour standard, even if THREEVION's own systems are not directly affected.

10Registrations

Companies House
THREEVION Ltd, 16861658
UK private company limited by shares, registered in England and Wales.
ICO Data Controller
ZC076886
Verifiable on the public ICO register at ico.org.uk.

11Documents we can share

The following documents are available to schools, DPOs, and procurement officers on request. We typically respond within two working days.

  • Data Protection Impact Assessment (DPIA). The structured assessment under UK GDPR Article 35 covering data flows, risks, and mitigations.
  • Data Processing Agreement (DPA). Draft for review and signature, aligned with UK GDPR Article 28.
  • Subprocessor list. The current list, as on this page, in a downloadable format.
  • Privacy Notice. The public privacy notice for parents and data subjects.
  • Pilot Agreement. Plain English terms covering the autumn 2026 pilot.
  • Sample Monthly Readiness Report. The operational readiness summary that pilot and live schools receive each month.
  • Subprocessor certificate references. Direct links and document references to Render and Supabase ISO 27001 and SOC 2 reports.
A note on certifications

If a school's procurement process requires sight of the actual ISO 27001 or SOC 2 certificates of our hosting providers rather than public verification links, we will request a copy from the relevant provider on the school's behalf, subject to the provider's NDA requirements.

Contact

If you are reviewing MYQER on behalf of a school and need anything not covered on this page, please contact us directly. We commit to responding to security and compliance enquiries within two working days.

Security and Compliance
security@threevion.com
MYQER EDU General
edu@threevion.com
Operator
THREEVION Ltd
Registered in England and Wales
Company No. 16861658
ICO Reg. ZC076886
This document
Version 1.0, May 2026
Reviewed: every six months, and after any material change.
threevion.com/security.html
```