Back

Security Overview

Last updated: 19 June 2026

This page is the public summary of the technical and organisational measures we take to protect LESSO data. The corresponding contractual commitments are in the Data Processing Agreement (§6 — Security measures), governed by UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025. Enterprise customers can request the full security inheritance letter using the form at the bottom of this page.

Encryption

  • In transit: TLS 1.3 for all client-server traffic; HSTS preloaded; modern cipher suites only.
  • At rest: AES-256 for the production database, object storage, and backups.
  • Secrets: environment-scoped, rotated on staff offboarding, and never committed to source control.

Access controls

  • Role-based access for both end users and LESSO staff. Least-privilege provisioning is the default.
  • SSO with Microsoft 365 and Google Workspace; MFA available on email/password accounts; password resets revoke all active sessions through token-version invalidation.
  • Production-database access is restricted to a named on-call list and audited.
  • Leadership reporting is aggregated and anonymised by design — LESSO does not expose individual-teacher transcripts to school leadership UIs.

Sub-processor security inheritance

LESSO inherits certifications from its infrastructure sub-processor:

  • Civo Ltd (LON1): ISO 27001, Cyber Essentials Plus, G-Cloud listed.
  • Microsoft Azure (UK South, fallback): ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3.
  • Stripe: PCI-DSS Level 1, ISO 27001, SOC 1/2 (billing only — see sub-processor list).
  • Resend: SOC 2 Type II (transactional email only).

Logging and monitoring

  • Authentication, authorisation, and administrative actions are logged centrally and retained for a minimum of 12 months.
  • Application errors and unusual rate patterns are surfaced to an on-call channel.
  • Security-relevant events (failed logins, lockouts, 2FA state changes) are surfaced both to the user and to LESSO operations.

Vulnerability management

  • Continuous dependency scanning on every change; security patches prioritised by CVSS and exploitability.
  • External vulnerability disclosure: please contact security@lesso.co.uk. We acknowledge within one business day and triage within five.
  • Periodic third-party penetration testing; report summary available under NDA on enterprise plans.

Incident response

We have a documented incident-response procedure covering detection, containment, eradication, recovery, and post-incident review. Customer-impacting Personal Data Breaches are notified to controller customers without undue delay and in any event within 72 hours of becoming aware, in line with our DPA commitment. Communications to affected schools include the information required by Article 33(3) UK GDPR to the extent then available, and we update as the investigation progresses.

Business continuity and disaster recovery

  • Operational backup retention (active service): production database backups are taken at least daily, encrypted, and retained for 30 rolling days within UK infrastructure. This applies during the active term of the service agreement and governs business-continuity backup management.
  • Post-termination backup purge: backup copies created during the active service are purged within 90 days after the end of the school agreement. These two figures (30-day operational rolling window and 90-day post-termination purge) apply to different scenarios and are not in conflict — a DPO reading the DPA and this page will see the same numbers. See the full Retention Schedule.
  • Restoration is rehearsed quarterly. Target Recovery Time Objective: 4 hours. Target Recovery Point Objective: 24 hours (typically much shorter).
  • Microsoft Azure UK South is configured as an inference fallback so that an outage of Civo / relax.ai does not take Mrs J offline.

Request our security inheritance letter

For procurement diligence at trusts and enterprise customers. Includes our Civo / Azure inheritance, penetration-test summary, and answers to the questions common school-MAT vendor questionnaires ask.

LESSO Ltd | Registered in England and Wales