← All policies

Security Overview

A one-page summary of how SoloCogs protects student, parent, and staff data. Designed for school procurement, data protection officers, and IT teams. Cross-references the GDPR one-pager, sub-processors, and DPIA.

Version 1.0 Reviewed: June 2026

Who runs SoloCogs: SoloCogs is the brand name for the online learning platform operated by Portsdown Tuition, a sole-trader business based in Portsmouth, England. The data controller for personal data processed through SoloCogs is Portsdown Tuition.

Contact: hello@solocogs.co.uk

TL;DR for procurement

  • UK data residency: all student data hosted in London (eu-west-2), no US data flows for personal data.
  • Database-level isolation: Postgres row-level security enforces tenant + parent + school boundaries - one organisation can never see another's data.
  • MFA available for all staff accounts; required for admin roles.
  • Encryption in transit + at rest; TLS 1.3 enforced, AES-256 storage.
  • Daily backups, 30-day retention, encrypted, same UK region.
  • UK GDPR compliant. DPIA published. DPA available on request.
  • Cyber Essentials self-assessment in progress; formal certification targeted before commercial school rollout.

1. Data residency & hosting

Primary database

Supabase (PostgreSQL) hosted in West Europe / London (eu-west-2). UK data residency. Encrypted at rest (AES-256). PCI-style network isolation.

File storage

Supabase Storage in the same UK region. Used for avatars and generated educational illustrations. No student-uploaded files are processed.

Static site & CDN

Cloudflare Pages for static asset delivery and DDoS protection. No personal data passes through Cloudflare's cache or workers.

Backups

Daily Supabase-managed PostgreSQL snapshots, retained 30 days, encrypted at rest, in the same UK region. Tested restore procedure documented.

2. Access control & isolation

Row-level security (RLS)

Every row of student data carries an owner ID and is protected by Postgres row-level security. RLS policies are enforced by the database itself - even a bug in our application code cannot allow one parent or school to see another's data.

Tenant boundaries

Schools, parents, and tutors are separate tenancies. Class-teacher assignments scope which students each staff member can read. Reviewed quarterly.

Multi-factor authentication

MFA available for all staff accounts via TOTP authenticator apps. Required for admin roles. SSO with Google and Microsoft for Education is planned for the Autumn 2026 schools rollout.

Authentication & rate limiting

Email/password authentication with industry-standard password hashing (bcrypt). Sign-in rate-limited per IP to mitigate credential stuffing. Compromised-password screening on every sign-up.

3. Encryption

Layer Standard
HTTPS / in transit TLS 1.3 enforced on all endpoints. HSTS enabled with includeSubDomains.
Database at rest AES-256 disk encryption managed by Supabase / AWS RDS.
File storage at rest AES-256 encryption on Supabase Storage objects.
Backups Encrypted snapshots, same UK region, 30-day retention.
Secrets management API keys and DB credentials stored in environment variables and rotated on a quarterly schedule. No secrets in source control.

4. Data protection & compliance

UK GDPR

Lawful bases, retention periods, subject rights process, and data flows documented in our GDPR one-pager. Subject Access Requests resolved within 1 calendar month.

DPIA

Published Data Protection Impact Assessment covering identified risks, mitigations, and residual risk classification.

DPA on request

Schools and tutoring providers can request a signed Data Processing Agreement; returned within 3 working days.

Sub-processors

Full dated, versioned sub-processor register. Material changes notified 30 days in advance.

Safeguarding

Detection of safeguarding language in free-text answers surfaces to a staff-side queue. Escalation pathway documented in our safeguarding policy. Aligned with KCSIE 2024.

Age-appropriate design

No third-party advertising. No behavioural profiling. No location tracking. No data sold or shared with advertisers. Compliant with ICO Age Appropriate Design Code.

5. Operational security

Control Implementation
Patching & updates Managed runtime: Supabase platform handles Postgres + GoTrue updates; Cloudflare handles edge. Application dependencies reviewed monthly via automated tooling.
Vulnerability scanning Supabase platform-level scanning; Dependabot for application code. Critical CVEs patched within 7 days, high within 30 days.
Logging & monitoring API, Auth, Postgres, Storage, and Edge Function logs retained by Supabase. Critical errors surface to staff dashboard.
Admin access Two named admin accounts (founder and contracted technical lead). All admin actions audited via Supabase platform logs.
Source control Private GitHub repository. Branch protection enabled on production branch. No PII committed.
Disaster recovery RPO 24 hours (daily backup cadence). RTO 4 hours for full restore from snapshot. Documented runbook.

6. Breach & incident process

In the event of a personal data breach:

Incident contact: hello@solocogs.co.uk (subject line: "Security incident").

7. Certifications & standards

Standard Status Notes
UK GDPR / Data Protection Act 2018 Compliant Registered with the UK ICO. Policy suite published.
ICO Age Appropriate Design Code Compliant No advertising, no behavioural profiling, no location tracking.
KCSIE 2024 Aligned Safeguarding detection and escalation built into the platform.
Cyber Essentials In progress NCSC self-assessment underway. Formal IASME certification targeted before paid school rollout.
Cyber Essentials Plus Planned Post-launch milestone; required for some MAT and LA tenders.

8. What this overview does not claim

We believe in stating what is true rather than over-claiming. SoloCogs is a closed-beta product operated by a sole trader. Specifically:

If any of these are blocking criteria for your procurement, please contact us early so we can discuss alternatives or a roadmap commitment.

9. Contact

Procurement & DPA enquiries: hello@solocogs.co.uk

Security incidents: hello@solocogs.co.uk (subject: "Security incident")

Data Subject Access Requests: hello@solocogs.co.uk (subject: "SAR")

Postal: Portsdown Tuition, Portsmouth, England (full address on request)