For procurement officers

Procurement evidence pack

Everything a school / MAT / trust procurement team needs to evaluate SoloCogs for rollout - in one place. Updated 4 June 2026.

DBS-checked educators ICO reg ZB916444 UK-only data, KCSiE-aligned
Email for signed DPA + counter-sign

When the print dialogue opens, choose "Save as PDF" as your destination. You will get a single comprehensive PDF covering every section below.

Reference customers: we're in closed beta; pilots in mainstream secondary, SEND, and home-ed settings are under way. See the Stories page for the pilot shape and outcomes-as-they-land - we don't print invented quotes.

1Legal entity

SoloCogs is the brand name for the online learning platform operated by Portsdown Tuition, a sole-trader business based in Portsmouth, England. The operator and contracting entity for any procurement is Portsdown Tuition; SoloCogs is the service / product brand. The data controller for personal data processed through SoloCogs is Portsdown Tuition.

Trading name
SoloCogs
Operator (legal entity)
Portsdown Tuition (sole trader)
Founder / Operator
Jazz McCullough
Registered address
Portsmouth, England, UK
HMRC registration
Sole-trader self-assessment, current

If a procurement form requires a Ltd company, please flag this at the conversation stage - incorporation is on the roadmap.

2Insurance

Current cover protects in-person 1:1 tutoring activity. Cover is in scheduled renewal effective 1 August 2026 for upgraded SaaS-tier protection (£2M Professional Indemnity + £500k Cyber). The renewal schedule and certificate PDF are available to procurement teams from that date.

Contracting commitment: we will not sign a school SaaS contract until the upgraded cover is in force. Pilot terms during closed beta carry the existing professional cover and a written carve-out limiting the pilot scope to a single school cohort (no personal data of children outside that cohort processed).

Professional Indemnity
£2,000,000 from 1 Aug 2026 In renewal
Current: £500,000 (expires 31 July 2026). The renewal lifts cover to procurement-grade £2M and adds Cyber.
Cyber Liability
£500,000 from 1 Aug 2026 In renewal
Covers breach response, ICO investigations, ransomware, customer notification.
Public Liability
£1,000,000 (current + renewing) Active
Employers' Liability
Not required (sole trader, no employees). Will be added the day any employee or contractor starts.
Retroactive date
1 September 2025 (date trading commenced).
Insurer
Hiscox UK (via PolicyBee broker) - final renewal carrier confirmed during quote shopping.

3Data controller + Designated Safeguarding Lead

Data Controller
Portsdown Tuition (Jazz McCullough). A Data Protection Officer (DPO) is not legally required for an organisation of this size; responsibility rests with the data controller directly.
Designated Safeguarding Lead
Jazz McCullough (qualified teacher, current DBS, NSPCC Level 3 Safeguarding refresh 2026).
Statutory contact
hello@solocogs.co.uk
ICO registration
Registered as a data controller with the UK Information Commissioner's Office. Registration number ZB916444 - searchable on the ICO public register.

4Data residency

All student, parent and staff personal data is stored within the United Kingdom or European Economic Area. No data is processed in or transferred to a third country without an adequacy decision or Standard Contractual Clauses in place.

Primary database region
Supabase EU West (London, United Kingdom)
Object storage region
Supabase EU West (London, United Kingdom)
Backups
Same region. Point-in-time recovery active.
Edge Function execution
EU West region only.

5Sub-processors

The third parties listed below process personal data on behalf of Portsdown Tuition under written data-processing agreements. All sub-processors are GDPR-compliant and located within or providing services to the UK / EEA.

Supabase Inc.
Database, authentication, object storage, Edge Functions. UK / EU region. DPA
Resend
Transactional email (weekly digest, password resets, account notifications). EU region. DPA
Google Analytics 4
Opt-in only via the cookie banner. No PII transmitted. IP anonymisation enabled. Privacy
Google Tag Manager
Tag delivery for the analytics opt-in only. No data processed without explicit consent.
Wonde
MIS integration broker for schools that authorise it. Used only by school-tier customers to mirror student / class / teacher records. Per-school authorisation; no data flow without explicit school consent. Security
jsDelivr CDN
Static asset delivery (CSS / JS libraries only - no personal data transits).

No advertising, marketing, or analytics sub-processor receives any personal data without explicit opt-in consent.

6DPIA + GDPR documentation

Full GDPR and data-protection documentation is published. Procurement officers needing additional supporting evidence (sub-processor agreements, processor due-diligence, breach playbook) can request via the contact email.

Children's Code (AADC): internal self-audit against all 15 ICO Age Appropriate Design Code standards is on file (13 Strong / 1 Not Applicable / 1 minor enhancement remaining). Available on request.

7Safeguarding disclosure flow

SoloCogs runs an automated detection layer on every free-text answer, Cogs query, and Zone-of-Regulation reflection. Matched concerning content writes a row to the safeguarding_concerns table; the Designated Safeguarding Lead reviews. For school-tier customers, the queue is RLS-isolated by tenant so a disclosure from one school is invisible to any other school.

Detection
Built-in trigger list (self-harm, abuse, distress, substance, other categories) plus tenant-specific custom triggers (schools can add their own slang/local terms).
Triage SLA
High-severity: same calendar day. Medium: within 48 hours. Low: weekly review.
Recipient
Designated Safeguarding Lead (DSL) - Jazz McCullough for SoloCogs-operated tenants; the school's own DSL for school-tier customers via their staff dashboard.
Tenant isolation
RLS policies on safeguarding_concerns table ensure cross-tenant invisibility. Audit-grade.
Audit trail
Status transitions logged (open / in-review / resolved / escalated / false-positive) with reviewer + resolution note.

Full Safeguarding Policy → · Safeguarding flow diagram →

8Data retention + Data Subject Rights

Active account retention
Personal data retained for the life of the subscription / school contract.
Soft-delete window
30 days. A deleted account is recoverable for 30 days then purged.
Backup retention
Point-in-time recovery: 7 days. Snapshot retention: 30 days. All purged on schedule.
Data Subject Access Request (DSAR)
Response within 30 days per UK GDPR. Submit via hello@solocogs.co.uk.
Right to erasure
Self-serve account deletion from Family settings + Account settings. Cascades to all linked data including child accounts.
Right to portability
CSV export of every quiz attempt, RP submission, Knowledge Check and accessibility-usage record via the parent / staff dashboard.

9Pricing

Per-seat bands are published openly on the pricing page. Quotes for non-standard cohort sizes (e.g. above 500 seats), AP / EOTAS providers, or PRU settings are available on request.

10Curriculum coverage

SoloCogs covers AQA GCSE Combined Science: Trilogy Foundation (8464) across Biology, Chemistry, and Physics, plus the Required Practicals as virtual labs. Higher Tier is additive (Foundation content stays available). Three units are honestly labelled Spec-light with lift-to-parity scheduled before public launch.

Full AQA Spec Coverage Matrix →

11Technical security & resilience

The platform is built on industry-standard managed infrastructure. The summary below maps to the most common procurement questions; we will provide additional evidence (architecture diagram, BCP, penetration-test scope) on request.

Encryption in transit
TLS 1.3 enforced across all surfaces. HSTS preload. CSP headers active (see /_headers for full policy).
Encryption at rest
AES-256 server-side encryption for both database and object storage (Supabase-managed).
Authentication
Supabase Auth with bcrypt password hashing. Multi-factor authentication (MFA) available on parent / tutor / admin accounts via the account-settings page (TOTP / authenticator app).
Access control
Row-Level Security (RLS) policies on every table containing personal data. Tenant isolation enforced at the database layer for school-tier customers.
Audit logging
All sign-ins, password changes, role changes, deletions, and safeguarding triage actions are logged with timestamp + actor for at least 1 year.
Backups
Point-in-time recovery (7 days) plus 30-day snapshot retention. Backups encrypted at rest in the same UK / EU region.
Vulnerability management
GitHub Dependabot alerts + security updates enabled on the source repository (private). Critical vulnerabilities triaged within 24 hours.
Cyber Essentials
On the roadmap (target Q3 2026). Self-assessment evidence available now; certified status will be promoted to procurement teams on issue.
Penetration testing
OWASP ZAP scans run against staging. External CHECK-listed pen test scheduled prior to first paid school deployment.
Service availability
Hosted on managed regional infrastructure with 99.9% target uptime. Status page on the roadmap; incidents reported within the breach-playbook timeline.
Incident response
Documented runbook with 72-hour ICO notification flow + affected-data-subject communication template. See full runbook.

12Contact

Procurement enquiries
hello@solocogs.co.uk
Response SLA
Within 2 working days. School / MAT enquiries get a 30-minute scoping call within 1 working week.
Technical / DPO queries
Same address. Routed to the data controller directly.
Safeguarding queries
Same address. Routed to the DSL.

Need something not in this pack?

Sub-processor agreements, breach playbook, business continuity plan, supplier code of conduct, equality impact assessment - all available on request.

Email hello@solocogs.co.uk