Security Overview

Last updated: 18 April 2026

This page is the public summary of the technical and organisational measures we take to protect LESSO data. The corresponding contractual commitments are in the Data Processing Agreement (§6 — Security measures). Enterprise customers can request the full security inheritance letter using the form at the bottom of this page.

Encryption

  • In transit: TLS 1.3 for all client-server traffic; HSTS preloaded; modern cipher suites only.
  • At rest: AES-256 for the production database, object storage, and backups.
  • Secrets: environment-scoped, rotated on staff offboarding, and never committed to source control.

Access controls

  • Role-based access for both end users and LESSO staff. Least-privilege provisioning is the default.
  • SSO with Microsoft 365 and Google Workspace; MFA available on email/password accounts; password resets revoke all active sessions through token-version invalidation.
  • Production-database access is restricted to a named on-call list and audited.
  • Leadership reporting is aggregated and anonymised by design — LESSO does not expose individual-teacher transcripts to school leadership UIs.

Sub-processor security inheritance

LESSO inherits certifications from its infrastructure sub-processors:

  • Civo Ltd (LON1): ISO 27001, Cyber Essentials Plus, G-Cloud listed.
  • Microsoft Azure (UK South, fallback): ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3.
  • Stripe: PCI-DSS Level 1, ISO 27001, SOC 1/2 (billing only — see sub-processor list).
  • Resend: SOC 2 Type II (transactional email only).

Logging and monitoring

  • Authentication, authorisation, and administrative actions are logged centrally and retained for a minimum of 12 months.
  • Application errors and unusual rate patterns are surfaced to an on-call channel.
  • Security-relevant events (failed logins, lockouts, 2FA state changes) are surfaced both to the user and to LESSO operations.

Vulnerability management

  • Continuous dependency scanning on every change; security patches prioritised by CVSS and exploitability.
  • External vulnerability disclosure: please contact security@lesso.co.uk. We acknowledge within one business day and triage within five.
  • Periodic third-party penetration testing; report summary available under NDA on enterprise plans.

Incident response

We have a documented incident-response procedure covering detection, containment, eradication, recovery, and post-incident review. Customer-impacting Personal Data Breaches are notified to controller customers without undue delay and in any event within 72 hours of becoming aware, in line with our DPA commitment. Communications to affected schools include the information required by Article 33(3) UK GDPR to the extent then available, and we update as the investigation progresses.

Business continuity and disaster recovery

  • Production database backups are taken at least daily, encrypted, and retained for 30 days within UK infrastructure.
  • Restoration is rehearsed quarterly. Target Recovery Time Objective: 4 hours. Target Recovery Point Objective: 24 hours (typically much shorter).
  • Microsoft Azure UK South is configured as an inference fallback so that an outage of Civo / relax.ai does not take Mrs J offline.

Request our security inheritance letter

The letter is intended for procurement diligence at trusts and enterprise customers. It includes our Civo / Azure inheritance, penetration-test summary, and answers to the questions commonly asked in school-MAT vendor questionnaires.

LESSO Ltd | Registered in England and Wales