Where our controls map to your obligations
A live, public mapping of the controls we operate to the frameworks UK schools, MATs and Local Authorities are routinely asked about — UK GDPR, SOC 2, ISO 27001 and KCSIE. Where a control links to evidence inside the platform, you can click straight through (some links require sign-in).
Last reviewed 21 April 2026 · Owner: Data Protection Officer (dpo@inclusivexr.co.uk)
UK GDPR & Data Protection Act 2018
Lawful basis, data-subject rights, processor obligations.
Authenticated users can self-serve a JSON export with email verification and audit logging. Single-use download link, 7-day expiry.
Self-service deletion with email verification removes profile, roles, notifications, AI conversations and parent links. Pupil-level safeguarding records remain anonymised.
DPA executed with every customer; sub-processor list maintained; 24-hour breach notification commitment.
TLS 1.3 in transit, AES-256 at rest, row-level security on every table, MFA for admins, encrypted secret vault for third-party tokens.
Append-only audit_log writes a record for every data-rights, role, and licence change via SECURITY DEFINER triggers.
SOC 2 (Trust Services Criteria)
Security, availability, confidentiality.
Role-based access via a dedicated user_roles table; a SECURITY DEFINER has_role() function prevents privilege escalation; roles are never stored on user-editable rows.
TLS 1.3 enforced at the edge (Cloudflare). Database encryption at rest. Third-party tokens stored in Supabase Vault (libsodium).
Edge-function logs streamed to platform; observability dashboard surfaces error rates and latency for admins.
Notification triggers fire on safeguarding alerts and EHCP changes; admin escalation paths documented.
All schema changes ship as versioned migrations with mandatory RLS review; deploys are auditable via the platform changelog.
ISO/IEC 27001:2022
Information Security Management System (Annex A).
Terms of Service set out staff/pupil/parent acceptable use; idle-timeout enforces session hygiene.
Pupil records anonymised by key, no audio retained, parental consent date stamped on every pupil row.
Email/password with PBKDF2, OAuth (Google) for trusted IdP login, MFA for admin roles, rate-limited reset flow.
RLS forbids cross-school reads; profile email visibility scoped to leadership; deny-by-default writes on public submission tables.
audit_log is insert-locked at the role level; only SECURITY DEFINER functions and the service role can write — tamper-evident.
AES-256 at rest, TLS 1.3 in transit, SHA-256 hashing for PII-derived dedupe keys (IPs, emails).
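The user_roles / has_role() access check and the insert-locked audit_log named in the SOC 2 and ISO/IEC 27001 lists above, shown for PostgreSQL as an added example that is not the platform's own schema or code. The role app_user, the function log_role_change and every column name are assumptions made for illustration.

```sql
-- Added example, not the platform's schema. Assumed names: app_user,
-- log_role_change and every column; user_roles, has_role, audit_log are the page's.
CREATE ROLE app_user NOLOGIN;  -- the role ordinary signed-in sessions run as

-- Roles live in their own table, not on a profile row the user can edit.
CREATE TABLE user_roles (
  user_id uuid NOT NULL,
  role    text NOT NULL,
  PRIMARY KEY (user_id, role)
);
REVOKE ALL ON user_roles FROM PUBLIC, app_user;

-- Runs with the owner's rights, so callers can test a role without any
-- privilege on user_roles; the pinned search_path stops object shadowing.
CREATE FUNCTION has_role(_user_id uuid, _role text) RETURNS boolean
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = public, pg_temp AS $$
  SELECT EXISTS (SELECT 1 FROM user_roles
                 WHERE user_id = _user_id AND role = _role);
$$;
REVOKE ALL ON FUNCTION has_role(uuid, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION has_role(uuid, text) TO app_user;

-- Append-only log: app_user holds no privilege on it at all.
CREATE TABLE audit_log (
  id     bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  at     timestamptz NOT NULL DEFAULT now(),
  actor  text NOT NULL DEFAULT session_user,  -- unchanged by SECURITY DEFINER
  action text NOT NULL,
  detail jsonb NOT NULL
);
REVOKE ALL ON audit_log FROM PUBLIC, app_user;

-- Sessions reach audit_log only through this definer-rights trigger function.
CREATE FUNCTION log_role_change() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public, pg_temp AS $$
BEGIN
  IF TG_OP = 'DELETE' THEN
    INSERT INTO audit_log (action, detail) VALUES (TG_OP, to_jsonb(OLD));
  ELSE
    INSERT INTO audit_log (action, detail) VALUES (TG_OP, to_jsonb(NEW));
  END IF;
  RETURN NULL;  -- return value is ignored for AFTER row triggers
END;
$$;

CREATE TRIGGER user_roles_audit
  AFTER INSERT OR UPDATE OR DELETE ON user_roles
  FOR EACH ROW EXECUTE FUNCTION log_role_change();
```

With this in place, an INSERT INTO user_roles or audit_log issued as app_user fails with a permission error, while has_role() still answers for that session.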
KCSIE 2024 (Keeping Children Safe in Education)
Statutory safeguarding guidance for English schools.
Pupil-voice transcripts are auto-screened for safeguarding keywords; high/critical alerts notify SENCO and Headteacher in real time.
Privileged roles (mat_director, la_commissioner, ixr_admin) are not self-assignable; escalation requires admin action and is fully audited.
No public pupil-to-pupil messaging surface; AR module library is curated; AI assistant restricted to staff with explicit safeguarding system prompt.
EHCP drafts, pupil-voice records and safeguarding alerts retained per the school's licence + 12 months; never auto-deleted while a safeguarding case is open.
Need a SIG, DPIA template or contractual schedule?
Email dpo@inclusivexr.co.uk with your trust/LA name. We respond within 2 working days with a signed package (DPA, SCC addendum, sub-processor list, pen-test summary, ICO registration).