Security

The architecture under the compliance.

Compliance is a policy posture; security is the architecture that makes the posture defensible. This page is the procurement-grade companion to the trust page — encryption, residency, retention, sub-processors and the data protection contract we hold with every customer.

Encryption & transport

Encrypted in transit and at rest.

Every connection to TutorStudio is HTTPS-only with HSTS preload; every customer database is encrypted at rest with managed keys. Authenticated paths are issued short-lived JWTs scoped to the cohort and the age band; service-role bypass is architecturally rejected at the database layer.

Transport

TLS 1.2+ with HSTS at GA

HTTPS-only across every cohort surfaceHTTP requests redirect to HTTPS. HSTS ships with the platform headers ahead of GA; submission to the HSTS preload list follows the 7-day Content-Security-Policy soak. Mixed-content and downgrade attempts are rejected by the edge.

At rest

Managed-key envelope encryption

Customer data encrypted with managed keysDatabase rows, object storage and backups are encrypted at rest. Token columns carry an additional application-layer envelope per the token-encryption posture.

Sessions

Short-lived, cohort-scoped

JWTs scoped to cohort and age bandAuthentication tokens carry the cohort claim, the age-band claim and a short expiry. Row-level security keys off the band — not the raw DOB.

Service role

No bypass

Service-role queries follow tenant scopeThe service role does not bypass row-level security on tenant tables. Cross-tenant queries require a documented break-glass with a two-admin audit trail.

Residency & retention

UK and EU residency, statutory retention.

Customer data is hosted on UK and EU regions only. Retention defaults to the shortest window the regulator allows; statutory floors (KCSIE-flagged safeguarding records, Companies Act records, payment records) carry the longer retention they require. Deletion is final and audit-logged — we do not soft-delete.

Residency

UK / EU only

Hosted in the UK and EUPrimary databases and object storage are in UK / EU regions. Where a sub-processor introduces cross-border processing, UK SCCs / IDTA are in place and disclosed on the sub-processors page.

Retention floor

Shortest applicable

AADC default · shortest the regulator allowsUnder-18 retention is the shortest window the standard allows. Engagement data retired on a documented cadence; cold storage migration is dated and audit-logged.

Statutory floors

Where law says longer

Safeguarding · payments · Companies ActKCSIE-flagged safeguarding records are retained on the statutory floor (7 years minimum). Payment records align to HMRC requirements. Company records align to Companies Act 2006.

Deletion

Hard delete, audit-logged

Final, verifiable, propagatedDeletion triggers a 30-day verifiable erasure across every subsystem. The DSR pipeline cascade names every table that holds personal data; statutory-exempt rows are retained with an exemption marker visible to the data subject.

Sub-processors

Published, dated, contracted.

Every sub-processor TutorStudio uses is named on the sub-processors page, with the processing purpose, the data category, the residency and the contractual basis (Article 28 DPA / UK SCC / IDTA). Material changes are notified ahead of effect.

See the full sub-processors list

Eleven primary sub-processors

AI · Anthropic · MathpixLanguage and vision models for lesson summarisation and handwriting digitisation. UK / EU API regions; no training on customer data.
Payments · StripePCI-DSS Level 1 payment processor. Stripe Connect for tutor payouts. UK + EU processing.
Infrastructure · Supabase · Vercel · Cloudflare · HetznerDatabase, hosting, edge and whiteboard collaboration. All UK / EU regions.
Operations · Resend · Sentry · PostHog · Stream.ioEmail, error monitoring, product analytics, live-session video. All gated by the cookie consent record on marketing surfaces.

Article 28 contract

DPA in place per sub-processor

Article 28 DPA signedEvery sub-processor named on the page has an Article 28 data-processing agreement on file. Cross-border processing is covered by UK SCCs and IDTA where applicable.
Material change notificationSub-processor additions or material changes are notified to active customers ahead of effect. The current list and last-reviewed dates are on /legal/sub-processors.
Onward sub-processingWhere a sub-processor uses its own sub-processors, we hold them to the same Article 28 floor we hold the primary sub-processor to.

DPA & ICO posture

Contracted, registered, accountable.

TutorStudio operates under a public Data Processing Agreement (DPA) appended to the standard customer contract. We are registered with the UK Information Commissioner’s Office once the registration completes ahead of public launch; the registration reference will be published on this page at that point.

DPA

Standard contract addendum

Public DPA, customer-signableThe DPA is appended to the standard customer contract and is available on request for customers requiring counter-signature.

ICO registration

Pending public launch

Registered with the Information Commissioner’s OfficeICO registration is part of the pre-launch checklist. The registration reference is published here once issued.

Records of Processing

Article 30 register

Internal, available to regulatorsAn Article 30 RoPA is maintained internally for every processing activity. Regulator inspection requests are honoured on the statutory window.

Breach

72-hour notification

ICO + affected customersPersonal-data breaches are notified to the ICO within 72 hours of detection. Affected customers are notified when their data is implicated.

Procurement-grade evidence

For school or agency procurement?

The trust page carries KCSIE alignment and DBS posture. The safeguarding page carries the DSL pathway and 5 R’s flow. The AADC page carries the fifteen Children’s Code standards. The sub-processors list carries the Article 28 contract surface.

See sub-processors Trust page