Trust Centre

Security, privacy and compliance information for procurement and compliance teams.

Last updated: 28 January 2026

Overview

ExperimentOS is an experimentation programme management platform operated by Another Web is Possible (AWIP), a UK-based company. We are committed to security and privacy by design. This page gives procurement and compliance teams the information they need to evaluate and approve ExperimentOS for use within their organisations.

What ExperimentOS is: A SaaS platform for planning, running and documenting A/B tests and experimentation programmes. It provides workflow, analysis and reporting, not client-side experimentation delivery.

What data we handle: Experiment configurations (hypotheses, variants, metrics, results), user accounts (email, name, authentication), and analytics metadata for our own product (e.g. anonymised usage). We do not collect or process end-user PII from your websites or apps. ExperimentOS does not run on your visitors’ devices; your team uses it to manage experiments.

Security

Infrastructure

The application and data are hosted on Supabase (PostgreSQL and related services). Supabase is SOC 2 Type II compliant, assessed annually, and holds ISO 27001. We use Supabase in regions that meet our data residency requirements (e.g. UK/EU where applicable).

Encryption

Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). All traffic between clients and our services uses HTTPS. Encryption at rest is provided by the infrastructure provider's managed storage; it protects data on lost or decommissioned media, not against access through a compromised account or an application bug, which is what the access controls below address.

Authentication and access controls

Authentication is handled via Supabase Auth. We support email and password (with secure hashing) and optional OAuth (Google, GitHub, LinkedIn). Access to data is enforced with row-level security (RLS) in the database itself, so users only see data for organisations they belong to regardless of which client or API path they use. Role-based permissions restrict who can perform sensitive actions (e.g. billing, organisation settings).
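The following is an added illustration of what organisation-scoped row-level security and role-based restrictions look like in Supabase/Postgres. It is not ExperimentOS's own schema or policy set: the table names (organisations, organisation_members, experiments), the role values (owner, admin, member) and the helper functions are assumptions made for the example. The Supabase-specific parts (auth.uid(), the auth.users table, the authenticated role and the request.jwt.claims setting) are real.

```sql
-- Added example (not ExperimentOS's schema): organisation-scoped RLS in Supabase/Postgres.
-- Assumed tables: organisations, organisation_members, experiments. Assumed roles: owner, admin, member.

create table organisations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table organisation_members (
  organisation_id uuid not null references organisations(id) on delete cascade,
  user_id         uuid not null references auth.users(id) on delete cascade,
  role            text not null check (role in ('owner', 'admin', 'member')),
  primary key (organisation_id, user_id)
);

create table experiments (
  id              uuid primary key default gen_random_uuid(),
  organisation_id uuid not null references organisations(id) on delete cascade,
  hypothesis      text not null,
  created_by      uuid not null default auth.uid() references auth.users(id)
);

-- Membership checks live in SECURITY DEFINER functions so that a policy on
-- organisation_members can call them without recursing into its own policies.
-- STABLE lets the planner cache the result within a single statement.
create or replace function is_org_member(org uuid) returns boolean
language sql security definer stable set search_path = public as $$
  select exists (
    select 1 from organisation_members m
    where m.organisation_id = org and m.user_id = auth.uid()
  );
$$;

create or replace function has_org_role(org uuid, roles text[]) returns boolean
language sql security definer stable set search_path = public as $$
  select exists (
    select 1 from organisation_members m
    where m.organisation_id = org and m.user_id = auth.uid() and m.role = any(roles)
  );
$$;

-- ENABLE turns policies on; FORCE makes them apply to the table owner as well.
-- A table with RLS enabled and no policies returns no rows (deny by default).
alter table experiments          enable row level security;
alter table experiments          force  row level security;
alter table organisation_members enable row level security;
alter table organisation_members force  row level security;

-- Read: a user sees only experiments in organisations they belong to.
create policy experiments_select on experiments
  for select to authenticated
  using (is_org_member(organisation_id));

-- Write: USING filters the rows a user may touch; WITH CHECK validates the row as it
-- will be after the write, so nobody can insert into, or re-parent a row into, an
-- organisation they are not a member of.
create policy experiments_insert on experiments
  for insert to authenticated
  with check (is_org_member(organisation_id) and created_by = auth.uid());

create policy experiments_update on experiments
  for update to authenticated
  using (is_org_member(organisation_id))
  with check (is_org_member(organisation_id));

create policy experiments_delete on experiments
  for delete to authenticated
  using (has_org_role(organisation_id, array['owner', 'admin']));

-- Role-based restriction for a sensitive action: only owners and admins change membership.
create policy members_select on organisation_members
  for select to authenticated
  using (is_org_member(organisation_id));

create policy members_manage on organisation_members
  for all to authenticated
  using (has_org_role(organisation_id, array['owner', 'admin']))
  with check (has_org_role(organisation_id, array['owner', 'admin']));

-- Check: impersonate an authenticated user from SQL, inspect, then roll back.
-- auth.uid() reads the sub claim from request.jwt.claims, the setting PostgREST
-- populates per request, so the same policies are exercised here as in production.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}', true);
select id, organisation_id from experiments;             -- only this user's organisations
insert into experiments (organisation_id, hypothesis)
  values ('00000000-0000-0000-0000-0000000000ff', 'x');  -- rejected: violates row-level security policy
rollback;
```

Two caveats for anyone reviewing a Supabase deployment against this model: the service_role key bypasses RLS entirely, so it must only ever be used server-side and never shipped to a browser; and because members_manage only admits existing owners and admins, the first membership row for a new organisation has to be created by a SECURITY DEFINER function or a server-side job, not by the signed-in user directly.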

Monitoring and logging

We use platform and application logging for operational and security purposes. Logs are retained in line with our retention policy and are used for incident response and debugging. We do not log sensitive credentials; authentication is handled by Supabase with industry-standard practices.

Privacy and GDPR

Our role

Where your organisation is the data controller (e.g. for your staff using ExperimentOS), we act as data processor. We process personal data only on your documented instructions and in accordance with our Data Processing Agreement (DPA) and applicable law, including UK GDPR.

Lawful basis

Processing is carried out for contract performance (providing the service) and, where relevant, legitimate interests (e.g. anonymised product analytics). We do not rely on consent for core service delivery; where we use optional analytics, we use privacy-preserving, cookieless methods.

Data subject rights

We support data subject rights (access, rectification, erasure, portability, objection, restriction) in line with UK GDPR. Requests can be submitted via the contact details below; we respond within the statutory timeframe of one month (extendable in complex cases, as UK GDPR permits).

Data residency and retention

Data is stored in regions offered by our infrastructure provider (e.g. UK/EU). Retention is defined in our Privacy Policy and DPA: we retain data only as long as necessary for the service, legal obligations or legitimate business purposes. Account and associated data are deleted in line with our retention policy upon request or account closure.

Sub-processors

We use the following third-party services that may process data on our behalf. We select providers with strong security and compliance postures and maintain appropriate agreements where required.

We will update this list when we add or change sub-processors. For formal sub-processor notifications (e.g. under a DPA), contact us using the details below.

Compliance

We design our practices with UK GDPR and good security hygiene in mind. Our infrastructure provider (Supabase) is SOC 2 Type II compliant, audited annually, and holds ISO 27001. Their certification covers the environment where our data is stored (their Postgres, Auth, Storage and related services); Supabase makes their SOC 2 Type II report available to their Enterprise and Team customers for due diligence. Supabase's SOC 2 does not extend beyond that boundary: our application layer is our responsibility, and we do not yet hold our own SOC 2 or ISO 27001.

Current status: We are a small team and are prioritising product stability and customer needs; formal certifications may be added as we scale and as customer demand requires.

If your organisation requires specific certifications or contractual terms (e.g. SOC 2, custom DPA, security questionnaire), please get in touch. We are happy to discuss what we can provide today and our roadmap.

Policies

Contact

For security questions, compliance enquiries, data subject requests, or custom requirements (e.g. DPAs, questionnaires):

Email: jon@anotherwebispossible.co.uk

We aim to respond to all enquiries within a few business days.