Security Overview
A one-page summary of how SoloCogs protects student, parent, and staff data. Designed for school procurement, data protection officers, and IT teams. Cross-references the GDPR one-pager, sub-processors, and DPIA.
Who runs SoloCogs: SoloCogs is the brand name for the online learning platform operated by Portsdown Tuition, a sole-trader business based in Portsmouth, England. The data controller for personal data processed through SoloCogs is Portsdown Tuition.
Contact: hello@solocogs.co.uk
TL;DR for procurement
- UK data residency: all student data hosted in London (eu-west-2), no US data flows for personal data.
- Database-level isolation: Postgres row-level security enforces tenant + parent + school boundaries - one organisation can never see another's data.
- MFA available for all staff accounts; required for admin roles.
- Encryption in transit + at rest; TLS 1.3 enforced, AES-256 storage.
- Daily backups, 30-day retention, encrypted, same UK region.
- UK GDPR compliant. DPIA published. DPA available on request.
- Cyber Essentials self-assessment in progress; formal certification targeted before commercial school rollout.
1. Data residency & hosting
Primary database
Supabase (PostgreSQL) hosted in West Europe / London (eu-west-2). UK data residency. Encrypted at rest (AES-256). PCI-style network isolation.
File storage
Supabase Storage in the same UK region. Used for avatars and generated educational illustrations. No student-uploaded files are processed.
Static site & CDN
Cloudflare Pages for static asset delivery and DDoS protection. No personal data passes through Cloudflare's cache or workers.
Backups
Daily Supabase-managed PostgreSQL snapshots, retained 30 days, encrypted at rest, in the same UK region. Tested restore procedure documented.
2. Access control & isolation
Row-level security (RLS)
Every row of student data carries an owner ID and is protected by Postgres row-level security. RLS policies are enforced by the database itself - even a bug in our application code cannot allow one parent or school to see another's data.
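An added illustration of the owner-ID model described above, not SoloCogs's own schema or policies. The table, role and setting names (student_answers, app_user, app.current_owner) are hypothetical, and the script assumes a scratch PostgreSQL database and a superuser session.

```sql
-- Hypothetical schema for illustration only; everything is rolled back at the end.
BEGIN;

CREATE ROLE app_user NOLOGIN;            -- restricted role the application would use

CREATE TABLE student_answers (
    id       bigserial PRIMARY KEY,
    owner_id uuid NOT NULL,              -- parent or school that owns the row
    answer   text NOT NULL
);

-- Constructed sample rows for two different owners, loaded before RLS is on.
INSERT INTO student_answers (owner_id, answer) VALUES
    ('11111111-1111-1111-1111-111111111111', 'owner A: fractions quiz'),
    ('22222222-2222-2222-2222-222222222222', 'owner B: spelling test');

ALTER TABLE student_answers ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table owner is exempt from the policies.
ALTER TABLE student_answers FORCE ROW LEVEL SECURITY;

-- USING filters which rows can be read or modified; WITH CHECK validates rows being written.
CREATE POLICY owner_only ON student_answers
    FOR ALL TO app_user
    USING      (owner_id = current_setting('app.current_owner')::uuid)
    WITH CHECK (owner_id = current_setting('app.current_owner')::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON student_answers TO app_user;
GRANT USAGE ON SEQUENCE student_answers_id_seq TO app_user;

-- Act as the application on behalf of owner A.
SET LOCAL ROLE app_user;
SET LOCAL app.current_owner = '11111111-1111-1111-1111-111111111111';

-- A "buggy" query with no WHERE clause: the policy still filters it to owner A.
SELECT owner_id, answer FROM student_answers;

-- An unscoped UPDATE only touches rows the policy makes visible.
UPDATE student_answers SET answer = answer || ' (edited)';

-- Writing a row for another owner fails WITH CHECK and raises an RLS error.
INSERT INTO student_answers (owner_id, answer)
VALUES ('22222222-2222-2222-2222-222222222222', 'cross-tenant write');

ROLLBACK;
```

Superusers and roles with the BYPASSRLS attribute skip policies entirely, so the isolation holds only for connections made as a restricted role. When reviewing a deployment like this, check which credentials the application and any background jobs actually use.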
Tenant boundaries
Schools, parents, and tutors are separate tenancies. Class-teacher assignments scope which students each staff member can read. Reviewed quarterly.
Multi-factor authentication
MFA available for all staff accounts via TOTP authenticator apps. Required for admin roles. SSO with Google and Microsoft for Education is planned for the Autumn 2026 schools rollout.
Authentication & rate limiting
Email/password authentication with industry-standard password hashing (bcrypt). Sign-in rate-limited per IP to mitigate credential stuffing. Compromised-password screening on every sign-up.
3. Encryption
| Layer | Standard |
|---|---|
| HTTPS / in transit | TLS 1.3 enforced on all endpoints. HSTS enabled with includeSubDomains. |
| Database at rest | AES-256 disk encryption managed by Supabase / AWS RDS. |
| File storage at rest | AES-256 encryption on Supabase Storage objects. |
| Backups | Encrypted snapshots, same UK region, 30-day retention. |
| Secrets management | API keys and DB credentials stored in environment variables and rotated on a quarterly schedule. No secrets in source control. |
4. Data protection & compliance
UK GDPR
Lawful bases, retention periods, subject rights process, and data flows documented in our GDPR one-pager. Subject Access Requests resolved within 1 calendar month.
DPIA
Published Data Protection Impact Assessment covering identified risks, mitigations, and residual risk classification.
DPA on request
Schools and tutoring providers can request a signed Data Processing Agreement; returned within 3 working days.
Sub-processors
Full dated, versioned sub-processor register. Material changes notified 30 days in advance.
Safeguarding
Detection of safeguarding language in free-text answers surfaces to a staff-side queue. Escalation pathway documented in our safeguarding policy. Aligned with KCSIE 2024.
Age-appropriate design
No third-party advertising. No behavioural profiling. No location tracking. No data sold or shared with advertisers. Compliant with ICO Age Appropriate Design Code.
5. Operational security
| Control | Implementation |
|---|---|
| Patching & updates | Managed runtime: Supabase platform handles Postgres + GoTrue updates; Cloudflare handles edge. Application dependencies reviewed monthly via automated tooling. |
| Vulnerability scanning | Supabase platform-level scanning; Dependabot for application code. Critical CVEs patched within 7 days, high within 30 days. |
| Logging & monitoring | API, Auth, Postgres, Storage, and Edge Function logs retained by Supabase. Critical errors surface to staff dashboard. |
| Admin access | Two named admin accounts (founder and contracted technical lead). All admin actions audited via Supabase platform logs. |
| Source control | Private GitHub repository. Branch protection enabled on production branch. No PII committed. |
| Disaster recovery | RPO 24 hours (daily backup cadence). RTO 4 hours for full restore from snapshot. Documented runbook. |
6. Breach & incident process
In the event of a personal data breach:
- Detection: via Supabase platform alerting, customer report, or staff review of logs.
- Containment: immediate revocation of affected credentials or sessions; affected sub-system isolated.
- Notification to ICO: within 72 hours where a breach is likely to result in a risk to individuals' rights and freedoms.
- Notification to affected schools / parents: without undue delay, with a plain-language summary of what happened, what data was affected, and what steps to take.
- Post-incident review: root-cause analysis documented; control changes implemented to prevent recurrence.
Incident contact: hello@solocogs.co.uk (subject line: "Security incident").
7. Certifications & standards
| Standard | Status | Notes |
|---|---|---|
| UK GDPR / Data Protection Act 2018 | Compliant | Registered with the UK ICO. Policy suite published. |
| ICO Age Appropriate Design Code | Compliant | No advertising, no behavioural profiling, no location tracking. |
| KCSIE 2024 | Aligned | Safeguarding detection and escalation built into the platform. |
| Cyber Essentials | In progress | NCSC self-assessment underway. Formal IASME certification targeted before paid school rollout. |
| Cyber Essentials Plus | Planned | Post-launch milestone; required for some MAT and LA tenders. |
8. What this overview does not claim
We believe in stating what is true rather than over-claiming. SoloCogs is a closed-beta product operated by a sole trader. Specifically:
- We are not ISO 27001 certified. The investment required is disproportionate to the present customer base. We re-evaluate annually.
- We are not SOC 2 audited. Same reasoning.
- We do not currently offer a customer-managed encryption key (CMEK) option.
- We do not currently have a 24/7 on-call rota; incident response targets are best-effort with a named primary contact.
If any of these are blocking criteria for your procurement, please contact us early so we can discuss alternatives or a roadmap commitment.
9. Contact
Procurement & DPA enquiries: hello@solocogs.co.uk
Security incidents: hello@solocogs.co.uk (subject: "Security incident")
Data Subject Access Requests: hello@solocogs.co.uk (subject: "SAR")
Postal: Portsdown Tuition, Portsmouth, England (full address on request)