Procurement evidence pack
Everything a school / MAT / trust procurement team needs to evaluate SoloCogs for rollout - in one place. Updated 4 June 2026.
When the print dialogue opens, choose "Save as PDF" as your destination. You will get a single comprehensive PDF covering every section below.
Reference customers: we're in closed beta; pilots in mainstream secondary, SEND, and home-ed settings are under way. See the Stories page for the pilot shape and outcomes-as-they-land - we don't print invented quotes.
In this pack
1Legal entity
SoloCogs is the brand name for the online learning platform operated by Portsdown Tuition, a sole-trader business based in Portsmouth, England. The operator and contracting entity for any procurement is Portsdown Tuition; SoloCogs is the service / product brand. The data controller for personal data processed through SoloCogs is Portsdown Tuition.
- Trading name
- SoloCogs
- Operator (legal entity)
- Portsdown Tuition (sole trader)
- Founder / Operator
- Jazz McCullough
- Registered address
- Portsmouth, England, UK
- HMRC registration
- Sole-trader self-assessment, current
If a procurement form requires a Ltd company, please flag this at the conversation stage - incorporation is on the roadmap.
2Insurance
Current cover protects in-person 1:1 tutoring activity. Cover is in scheduled renewal effective 1 August 2026 for upgraded SaaS-tier protection (£2M Professional Indemnity + £500k Cyber). The renewal schedule and certificate PDF are available to procurement teams from that date.
Contracting commitment: we will not sign a school SaaS contract until the upgraded cover is in force. Pilot terms during closed beta carry the existing professional cover and a written carve-out limiting the pilot scope to a single school cohort (no personal data of children outside that cohort processed).
- Professional Indemnity
- £2,000,000 from 1 Aug 2026 In renewal
Current: £500,000 (expires 31 July 2026). The renewal lifts cover to procurement-grade £2M and adds Cyber. - Cyber Liability
- £500,000 from 1 Aug 2026 In renewal
Covers breach response, ICO investigations, ransomware, customer notification. - Public Liability
- £1,000,000 (current + renewing) Active
- Employers' Liability
- Not required (sole trader, no employees). Will be added the day any employee or contractor starts.
- Retroactive date
- 1 September 2025 (date trading commenced).
- Insurer
- Hiscox UK (via PolicyBee broker) - final renewal carrier confirmed during quote shopping.
3Data controller + Designated Safeguarding Lead
- Data Controller
- Portsdown Tuition (Jazz McCullough). A Data Protection Officer (DPO) is not legally required for an organisation of this size; responsibility rests with the data controller directly.
- Designated Safeguarding Lead
- Jazz McCullough (qualified teacher, current DBS, NSPCC Level 3 Safeguarding refresh 2026).
- Statutory contact
- hello@solocogs.co.uk
- ICO registration
- Registered as a data controller with the UK Information Commissioner's Office. Registration number ZB916444 - searchable on the ICO public register.
4Data residency
All student, parent and staff personal data is stored within the United Kingdom or European Economic Area. No data is processed in or transferred to a third country without an adequacy decision or Standard Contractual Clauses in place.
- Primary database region
- Supabase EU West (London, United Kingdom)
- Object storage region
- Supabase EU West (London, United Kingdom)
- Backups
- Same region. Point-in-time recovery active.
- Edge Function execution
- EU West region only.
5Sub-processors
The third parties listed below process personal data on behalf of Portsdown Tuition under written data-processing agreements. All sub-processors are GDPR-compliant and located within or providing services to the UK / EEA.
- Supabase Inc.
- Database, authentication, object storage, Edge Functions. UK / EU region. DPA
- Resend
- Transactional email (weekly digest, password resets, account notifications). EU region. DPA
- Google Analytics 4
- Opt-in only via the cookie banner. No PII transmitted. IP anonymisation enabled. Privacy
- Google Tag Manager
- Tag delivery for the analytics opt-in only. No data processed without explicit consent.
- Wonde
- MIS integration broker for schools that authorise it. Used only by school-tier customers to mirror student / class / teacher records. Per-school authorisation; no data flow without explicit school consent. Security
- jsDelivr CDN
- Static asset delivery (CSS / JS libraries only - no personal data transits).
No advertising, marketing, or analytics sub-processor receives any personal data without explicit opt-in consent.
6DPIA + GDPR documentation
Full GDPR and data-protection documentation is published. Procurement officers needing additional supporting evidence (sub-processor agreements, processor due-diligence, breach playbook) can request via the contact email.
- Data Protection Impact Assessment (DPIA) - the formal risk analysis
- GDPR + Data Residency one-pager - executive summary
- Data Protection Policy - operational policy
- Privacy Policy - the public-facing statement
- Cookie Policy
- Data Subject Rights process - how DSARs, deletion, rectification requests are handled
- Incident Response Runbook - 72-hour ICO notification flow + breach playbook
Children's Code (AADC): internal self-audit against all 15 ICO Age Appropriate Design Code standards is on file (13 Strong / 1 Not Applicable / 1 minor enhancement remaining). Available on request.
7Safeguarding disclosure flow
SoloCogs runs an automated detection layer on every free-text answer, Cogs query, and Zone-of-Regulation reflection. Matched concerning content writes a row to the safeguarding_concerns table; the Designated Safeguarding Lead reviews. For school-tier customers, the queue is RLS-isolated by tenant so a disclosure from one school is invisible to any other school.
- Detection
- Built-in trigger list (self-harm, abuse, distress, substance, other categories) plus tenant-specific custom triggers (schools can add their own slang/local terms).
- Triage SLA
- High-severity: same calendar day. Medium: within 48 hours. Low: weekly review.
- Recipient
- Designated Safeguarding Lead (DSL) - Jazz McCullough for SoloCogs-operated tenants; the school's own DSL for school-tier customers via their staff dashboard.
- Tenant isolation
- RLS policies on
safeguarding_concernstable ensure cross-tenant invisibility. Audit-grade. - Audit trail
- Status transitions logged (open / in-review / resolved / escalated / false-positive) with reviewer + resolution note.
8Data retention + Data Subject Rights
- Active account retention
- Personal data retained for the life of the subscription / school contract.
- Soft-delete window
- 30 days. A deleted account is recoverable for 30 days then purged.
- Backup retention
- Point-in-time recovery: 7 days. Snapshot retention: 30 days. All purged on schedule.
- Data Subject Access Request (DSAR)
- Response within 30 days per UK GDPR. Submit via hello@solocogs.co.uk.
- Right to erasure
- Self-serve account deletion from Family settings + Account settings. Cascades to all linked data including child accounts.
- Right to portability
- CSV export of every quiz attempt, RP submission, Knowledge Check and accessibility-usage record via the parent / staff dashboard.
9Pricing
Per-seat bands are published openly on the pricing page. Quotes for non-standard cohort sizes (e.g. above 500 seats), AP / EOTAS providers, or PRU settings are available on request.
- Pricing page - per-seat bands at 50 / 100 / 250 / 500 + tutor-provider tier
- Quote contact: hello@solocogs.co.uk with seat count + setting type
10Curriculum coverage
SoloCogs covers AQA GCSE Combined Science: Trilogy Foundation (8464) across Biology, Chemistry, and Physics, plus the Required Practicals as virtual labs. Higher Tier is additive (Foundation content stays available). Three units are honestly labelled Spec-light with lift-to-parity scheduled before public launch.
11Technical security & resilience
The platform is built on industry-standard managed infrastructure. The summary below maps to the most common procurement questions; we will provide additional evidence (architecture diagram, BCP, penetration-test scope) on request.
- Encryption in transit
- TLS 1.3 enforced across all surfaces. HSTS preload. CSP headers active (see
/_headersfor full policy). - Encryption at rest
- AES-256 server-side encryption for both database and object storage (Supabase-managed).
- Authentication
- Supabase Auth with bcrypt password hashing. Multi-factor authentication (MFA) available on parent / tutor / admin accounts via the account-settings page (TOTP / authenticator app).
- Access control
- Row-Level Security (RLS) policies on every table containing personal data. Tenant isolation enforced at the database layer for school-tier customers.
- Audit logging
- All sign-ins, password changes, role changes, deletions, and safeguarding triage actions are logged with timestamp + actor for at least 1 year.
- Backups
- Point-in-time recovery (7 days) plus 30-day snapshot retention. Backups encrypted at rest in the same UK / EU region.
- Vulnerability management
- GitHub Dependabot alerts + security updates enabled on the source repository (private). Critical vulnerabilities triaged within 24 hours.
- Cyber Essentials
- On the roadmap (target Q3 2026). Self-assessment evidence available now; certified status will be promoted to procurement teams on issue.
- Penetration testing
- OWASP ZAP scans run against staging. External CHECK-listed pen test scheduled prior to first paid school deployment.
- Service availability
- Hosted on managed regional infrastructure with 99.9% target uptime. Status page on the roadmap; incidents reported within the breach-playbook timeline.
- Incident response
- Documented runbook with 72-hour ICO notification flow + affected-data-subject communication template. See full runbook.
12Contact
- Procurement enquiries
- hello@solocogs.co.uk
- Response SLA
- Within 2 working days. School / MAT enquiries get a 30-minute scoping call within 1 working week.
- Technical / DPO queries
- Same address. Routed to the data controller directly.
- Safeguarding queries
- Same address. Routed to the DSL.
Need something not in this pack?
Sub-processor agreements, breach playbook, business continuity plan, supplier code of conduct, equality impact assessment - all available on request.
Email hello@solocogs.co.uk