Applicant data storage and encryption
All applicant data stored in Puddin — including personal details, personal statement content, and writing process evidence — is encrypted at rest using AES-256 encryption. Data in transit between applicants, your admissions team, and Puddin’s servers is encrypted using TLS 1.2 or higher. Puddin’s infrastructure is hosted in ISO 27001-certified data centres. Logical separation between institutional accounts ensures that your applicant data is never accessible to users from other institutions.If your institution has specific data residency requirements — for example, a requirement that data is stored within the UK or EU — contact your Puddin account manager to confirm the hosting configuration available to you.
Access controls by role
Puddin enforces role-based access controls to ensure that each user can only see the data they need to do their job.
Applicants access only their own writing environment through a unique, single-use link. They cannot view any other applicant’s data.
GDPR and data protection compliance
If your institution is based in the UK or EU, or processes data relating to UK or EU applicants, Puddin’s processing of applicant data falls within the scope of UK GDPR and/or EU GDPR. Puddin acts as a data processor on your behalf; your institution is the data controller. As the data controller, your institution is responsible for:- Establishing the lawful basis for collecting and processing applicant personal data through Puddin.
- Informing applicants about how their data is processed — including that their writing process is recorded — through your privacy notice.
- Handling applicant requests to access, rectify, or delete their personal data.
- Maintaining records of processing activities as required by Article 30 UK GDPR / EU GDPR.
- A Data Processing Agreement (DPA) for your institution to countersign.
- Tools to export and delete applicant records on request (see below).
- A full audit log for accountability purposes.
Contact your Puddin account manager to obtain a copy of the Data Processing Agreement. This document should be in place before you begin processing applicant data through the platform.
Applicant data handling and consent
Applicants should be informed — before they begin writing — that Puddin will record their writing process as part of the authorship verification process. This disclosure is typically included in your institution’s application privacy notice and/or in the invitation email sent through Puddin. Puddin’s writing environment displays a brief notice to applicants when they first open it, confirming that their writing process is being recorded. This notice does not replace your institution’s obligation to inform applicants through your own privacy documentation.Retention periods and deletion policy
Puddin retains applicant data for as long as your institution requires, subject to a maximum retention period set in your agreement. Your institution is responsible for defining how long applicant records should be kept in line with your own data retention policy and applicable legal requirements. To delete applicant records:- Navigate to the applicant’s record in the relevant cycle.
- Select Delete Applicant Record from the actions menu.
- Confirm the deletion. This removes the applicant’s personal details, personal statement content, and writing process evidence from Puddin permanently.
Exporting applicant records
You can export applicant records for compliance, audit, or data subject access request purposes. Navigate to the relevant cycle, apply any filters you need, and select Export from the bulk actions menu. Exports include:- Applicant personal details (name, email address).
- Submission status and submission timestamp.
- Reviewer decisions and notes.
- Audit log entries relating to that applicant.
Audit logging for compliance
Puddin maintains a comprehensive audit log that records all significant actions taken within the platform. The audit log is available to Administrators under Settings → Audit Log. Logged events include:
The audit log is read-only and cannot be modified or deleted by any user. It is retained for a minimum of three years from the date of each entry.
Institutional data governance responsibilities
Puddin provides the technical controls described on this page, but the governance of applicant data is your institution’s responsibility. As a minimum, your institution should:- Designate a named Data Protection Officer or data protection lead responsible for Puddin-related processing.
- Ensure the Puddin Data Processing Agreement is countersigned and on file.
- Include writing process evidence collection in your admissions privacy notice.
- Establish and document a data retention schedule for applicant records held in Puddin.
- Train admissions staff on their obligations when handling applicant personal data.
- Review access permissions regularly and deactivate accounts for staff who no longer need access.
If you have questions about Puddin’s security certifications, sub-processors, or data residency options, contact your Puddin account manager or email the Puddin security team at the address provided in your onboarding documentation.