Trust Hub

Everything a school DPO needs to evaluate LESSO, in one place.

Most AI vendors quietly hope you don't ask the data-protection questions. We put the answers on a page and link to them from the footer. None of this is marketing — all of it is in the contract.

The Trust Hub is the documents below plus the legal pages they reference. Each has its own URL so you can email it straight to your IT team or your Data Protection Officer. The spine is governed by UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025.

UK data sovereignty

Customer and personal data are stored and processed in the United Kingdom on Civo Ltd (LON1) with Microsoft Azure UK South pinned as fallback for AI inference only.

Binding no-training commitment

We do not use your prompts, conversations, or generated content to train AI models — not our own, not Civo's, not relax.ai's, not Microsoft's. The commitment is in our DPA.

Teacher-facing in the current platform

Mrs J is teacher-facing only — the current platform has no pupil accounts and does not process pupil personal data. Any future pupil-facing surface will require a full updated DPIA, an AADC compliance assessment, a separate Article 28 addendum, and 30 days' advance notice to contracted schools.

The spine of the Trust Hub

Sub-processors

Every supplier we use to process LESSO data, where they sit, what they do, and an email subscription so your DPO is told before anything changes.

See sub-processors

Data Processing Agreement

Article 28 UK GDPR DPA, downloadable and ready for school counter-signature. Includes the binding no-training clause and 30-day data export on termination.

Read the DPA

DPIA summary

Our Data Protection Impact Assessment in plain English, signed and dated, with the AI-specific risks the ICO Generative AI guidance asks for — including the batch marking workflow.

Read the DPIA

Security overview

How we encrypt data in transit and at rest, how we control access, our incident-response posture, and the certifications we inherit from Civo (ISO 27001, Cyber Essentials Plus).

See the security page

DfE Product Safety Standards mapping

Point-by-point mapping of LESSO to each DfE Generative AI Product Safety Standard (19 January 2026), with linked evidence — designed for a MAT compliance lead to lift verbatim into procurement paperwork.

Read the DfE mapping

Retention Schedule

A scannable table of every data-retention period LESSO applies — operational backups, teaching materials, audit logs, billing records, and post-termination deletion. Downloadable as PDF.

See the retention schedule

ROPA entry template

A fully pre-populated Record of Processing Activities entry covering all UK GDPR Article 30 mandatory fields. Drop it straight into your school's ROPA. Downloadable as PDF.

Get the ROPA template

Whitepaper: Teacher Retention, Workload and Governed AI

Why English schools need AI that reduces avoidable work before the profession loses another generation. A synthesis of DfE, NFER, Education Support and Gallup evidence, with a framework for evaluating AI platforms.

Read the whitepaper

Related legal pages

The hub sits alongside the legal pages every LESSO user is bound by. The wording in those pages is the same wording you will find in the DPA, the DPIA, and the sub-processor list — by design.

Talk to a human

General questions: hello@lesso.co.uk

Privacy and data-protection matters: Luke, our co-founder, handles all compliance and can be reached directly at support@lesso.co.uk.

LESSO Ltd | Registered in England and Wales