TESS Group · Trust & Security

Procurement-grade trust documentation

Everything your procurement, security and information-governance teams need to evaluate TESS Group as a supplier: data residency, sub-processors, ISO posture, EPA-safe AI, UK GDPR rights, and contract clauses.

  • Ofsted Good: Independently inspected; full report on the Ofsted reports portal.
  • ISO 27001 aligned: Information security controls aligned to Annex A; ISO 9001 quality system.
  • UK & EU GDPR: UK GDPR & Data Protection Act 2018 compliant. DPA on request.

1. At-a-glance summary

A procurement-ready checklist of what we hold, where data lives, and how we operate. Items marked “aligned” mean we operate to the control set but are not certified by a UKAS-accredited body; we will state this honestly in every supplier questionnaire.

Item: Position

  • Legal entity: The TESS Group Limited (registered in England & Wales, company number 07080851).
  • Data residency, learner data: UK. OneFile e-portfolio, learner records, document storage hosted on UK tenants.
  • Data residency, website: UK edge. Static assets served via Cloudflare UK edge nodes.
  • Data residency, AI tutor (Coachy): UK. Lovable Cloud, database hosted in London (AWS eu-west-2). No model training on customer data.
  • Encryption: At rest & in transit. TLS 1.3 for transport, AES-256 at rest on sub-processor platforms.
  • UK & EU GDPR: Compliant. UK GDPR + Data Protection Act 2018. EU GDPR via SCCs where data crosses to the EU.
  • Data Protection Officer: Appointed. Contact: [email protected].
  • Sub-processors: Published. See Section 2. Notification of changes by email to nominated buyer contact.
  • Penetration testing: Annually. Annual penetration test of customer-facing surfaces by independent third party. Details available to enterprise procurement on request.
  • ISO 27001: Aligned, not certified. Controls mapped to Annex A; we do not currently hold UKAS-accredited certification. Controls mapping available on request.
  • ISO 9001: Aligned. Quality management system aligned to ISO 9001 principles.
  • SOC 2: Not held. We do not hold a SOC 2 Type I or Type II report. Buyers typically accept our ISO 27001 controls mapping in its place.
  • Cyber Essentials: Plus, in progress. Certificate available to enterprise procurement on request.
  • Apprenticeship audit: Ofsted Good. Independently inspected. ESFA RoATP-registered.
  • EPA-Organisation: BCS, The Chartered Institute for IT; BCS-EPAO accreditation reference available on request. EPA delivered by an external EPAO, not by TESS.
  • Bug bounty: Contact-based. Responsible disclosure to [email protected]. No public bounty programme.
  • Incident notification SLA: 72 hours. Notification to controller within 72 hours of becoming aware of a personal data breach, in line with UK GDPR Article 33.
  • Insurance: Public liability, employer’s liability and professional indemnity. Certificate available on request.
  • DPA: Available. Standard template or your paper. Email [email protected].

We aim to be honest about what we hold and what we don’t. Where this page says “aligned to” rather than “certified”, that is deliberate; please ask your TESS account contact for the underlying evidence and we will share what we have.

2. Data residency & sub-processors

Learner personal data is hosted in the United Kingdom. A small number of operational sub-processors are in the EU or operate under appropriate UK IDTA / EU SCC transfer mechanisms. We will notify nominated buyer contacts before adding or replacing a sub-processor that processes learner personal data.

Where learner data lives

  • Portfolio & learner records: OneFile (UK-hosted apprenticeship e-portfolio system) is the primary system of record for learner evidence, reviews and gateway sign-off.
  • Operational documents: Office productivity tools on a UK tenant (see below). Learner-identifiable documents are stored in restricted folders with role-based access.
  • Website analytics: Aggregated and pseudonymous; no learner-identifiable data is exposed to web analytics.
  • AI tutor conversations: Coachy conversation history is stored in a UK-hosted application database. AI inference is processed through Lovable's contracted AI gateway; provider agreements prohibit training on and retention of customer data (see Section 3).

Sub-processor list

This list is current as of 12 May 2026. The authoritative version is maintained internally; the latest copy is available on request to [email protected].

  • CDN & edge: Cloudflare. Static asset hosting, DDoS protection, edge caching for tessgroup.co.uk and coachy.tessgroup.co.uk. Region: UK edge.
  • Apprenticeship portfolio: OneFile. Learner e-portfolio, evidence, reviews, gateway. System of record for ESFA-funded delivery. Region: UK.
  • App platform & AI gateway (Coachy): Lovable. Application hosting, database and AI gateway for Coachy. SOC 2 Type II, ISO 27001, GDPR. Customer data is not used to train models; AI provider agreements restrict training and retention. Full sub-processor list on request. Region: UK database.
  • Email & productivity: Microsoft 365 / Google Workspace. Details available to enterprise procurement on request. Region: UK tenant.
  • Code hosting: GitHub. Hosting for website source code only. No learner PII is committed to source control. Region: US (no PII).
  • CRM & marketing: HubSpot (or equivalent). Enquiry capture, CRM, marketing automation. US-hosted under EU SCCs / UK IDTA. Specific vendor details available to enterprise procurement on request. Region: US + SCCs.
  • Review collection: Trustpilot. Customer review collection. Learners and employers may be invited to leave a review post-completion. Region: UK.
  • Form & enquiry handling: Formspree. Enquiry form submission endpoint. Submissions forwarded to TESS inboxes; no third-party retention beyond delivery. Region: US + SCCs.
  • Web analytics: Google Tag Manager / Google Analytics. Aggregated traffic analytics; IP anonymisation enabled; consent-gated via cookie banner. Region: US + SCCs.

If your procurement framework requires a definitive sub-processor list with hosting regions on letterhead, request it from [email protected]. We refresh this page when a change occurs.

3. Coachy: AI tutor data & model posture

Coachy is the AI tutor included with our AI & Automation Practitioner Level 4 (ST1512) apprenticeship. It is purpose-built around the standard and is designed to be safe for apprenticeship use, both data-safe and EPA-safe.

Coachy data & AI commitments

  • AI platform: Coachy runs on Lovable Cloud and processes conversations through Lovable’s contracted AI gateway using current frontier models. Coachy is a thin application layer with a custom system prompt scoped to ST1512.
  • Training data: Apprentice conversations are not used to train AI models. This is contractually guaranteed under Lovable’s commercial terms and its agreements with AI providers.
  • Encryption: Conversations are TLS 1.3 in transit; encrypted at rest in the Coachy application database.
  • Scope: Coachy is scoped to apprenticeship content (ST1512 standard, units AU0009 / AU0010 / AU0011 on the L5 side). It declines to engage with off-topic or harmful requests.
  • EPA-safe by design: Coachy explains, coaches and asks Socratic questions, but it will not write portfolio evidence, gateway submissions or end-point assessment artefacts for an apprentice. This is a deliberate product guard-rail.
  • Authentication: Apprentices sign in with their OneFile email via a magic link, with no separate password to manage.
  • Employer retention controls: Employers can request extended audit retention or accelerated deletion at the end of the programme.
  • Audit logs: Full apprentice-conversation logs can be made available to the employer’s governance committee subject to the apprentice’s knowledge and consent under UK GDPR.

What Coachy does not do

  • It does not write portfolio evidence on the apprentice’s behalf.
  • It does not produce content the apprentice can paste straight into an EPA submission.
  • It does not store apprentice data outside the regions described above.
  • It connects to AI models only through Lovable’s contracted gateway; no consumer AI endpoints are used.

Deeper technical detail is published in How Coachy works and on the Coachy product page.

4. EPA-safe contract clauses

Apprenticeship end-point assessment (EPA) integrity is a regulator-level concern. We commit to the following clauses in any apprenticeship agreement, and we will incorporate equivalent language into bespoke MSAs on request.

Our EPA-safe commitments

  • No AI authorship of EPA artefacts. No AI tool provided by TESS (including Coachy) will write any portion of an apprentice’s gateway or end-point assessment submissions.
  • Plagiarism & academic misconduct. Suspected misconduct is investigated under our Malpractice & Maladministration policy and reported to the EPAO (typically BCS for AI standards) in line with their requirements.
  • Authorship verification at gateway. Skills coaches review portfolio evidence and conduct verification questions before sign-off at gateway.
  • Independent EPA. End-point assessment is delivered by an independent EPAO (BCS for ST1512). TESS does not assess its own learners at EPA.
  • Transparent AI use disclosure. Where apprentices use AI tools to support their learning, this is disclosed in their evidence trail in line with EPAO guidance.

5. Accessibility statement

We target WCAG 2.2 AA on tessgroup.co.uk and on the Coachy application. Accessibility is an ongoing programme; some legacy pages have known issues we are working through.

What we’ve done

  • May 2026 emoji-to-SVG sweep: replaced decorative emoji icons with inline SVG carrying aria-label or aria-hidden as appropriate.
  • Skip-links on every page (“Skip to main content”).
  • Semantic HTML5 landmarks (<header>, <nav>, <main>, <footer>).
  • Full keyboard navigation; visible focus rings.
  • Colour contrast on body text ≥ 4.5:1.
  • Alt text on all content images; decorative images marked aria-hidden.

What’s ongoing

  • Form-error semantics on some legacy enquiry forms.
  • Programme-finder chatbot keyboard trap edge cases on Safari iOS.
  • Third-party widgets (e.g. Trustpilot embed) inherit upstream accessibility.

If you encounter an accessibility barrier, email [email protected] and we will respond within 5 working days.

6. Apprenticeship-specific compliance

For NHS, public-sector and regulated-industry buyers, the apprenticeship-specific regulatory framework matters as much as the standard procurement controls.

  • Ofsted: Rated Good. Public inspection report at the Ofsted reports portal.
  • ESFA RoATP: Registered on the Education & Skills Funding Agency Register of Apprenticeship Training Providers. Public listing:
  • Skills England / IfATE: Programmes delivered against Institute for Apprenticeships & Technical Education (Skills England) standards including ST1512 (AI & Automation Practitioner L4) and the AI Apprenticeship Units AU0009/AU0010/AU0011 at L5.
  • BCS-EPAO: The British Computer Society is the end-point assessment organisation for ST1512.
  • Safeguarding & Prevent: Designated Safeguarding Lead in post; staff trained in Prevent duty under the Counter-Terrorism & Security Act 2015. Policy on /policies.
  • Equality & diversity: Equality Act 2010 compliant; reasonable adjustments process documented.

7. Data protection rights & DPO contact

Under UK GDPR Articles 15–22, apprentices, employer contacts and prospective learners can exercise the following rights. Requests are handled by our Data Protection Officer within one calendar month.

  • Article 15, Right of access: A subject access request returning copies of personal data we hold about you.
  • Article 16, Rectification: Correction of inaccurate or incomplete data.
  • Article 17, Erasure: “Right to be forgotten” subject to lawful retention obligations (e.g. ESFA 6-year retention).
  • Article 18, Restriction: Suspending processing while a dispute is resolved.
  • Article 20, Portability: A machine-readable copy of data you provided to us.
  • Article 21, Objection: Object to processing based on legitimate interests or direct marketing.
  • Article 22: No solely automated decision-making with significant effects is conducted on learner data.

Data Protection Officer
For all UK GDPR requests, DPAs, and data-handling questions

Postal: Data Protection Officer, The TESS Group Limited, . You also have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk.

8. Incident response

Personal-data breaches and security incidents follow a documented process. Our notification SLA matches UK GDPR Article 33: 72 hours from the point at which TESS becomes aware of a breach.

What we do on detection

  • Immediate containment and forensic preservation.
  • Risk assessment: rights and freedoms of data subjects.
  • Notification to controllers (employers) within 72 hours, including: nature of the breach, categories & approximate number of data subjects, likely consequences, mitigation taken.
  • Notification to the ICO where the breach is reportable.
  • Notification to affected learners directly where there is high risk to their rights and freedoms.
  • Post-incident review and policy update.

Security & incident contact
Responsible disclosure, suspected breach, urgent security concerns

What our learners actually say.

Independently verified on Google, 4.9★ from 453 reviews

72% Distinction at EPA · 10K+ learners trained · Ofsted rated Good

★ What employers say

From L&D directors at the companies you know.

BUYITDIRECT · Retail & ecommerce
"This project increased visibility of performance reporting, stakeholder communication and accuracy. It enabled proactive management of peak volumes and faster responses to emerging challenges."
Ashton Vlahovic · BuyItDirect

DPD · Logistics & delivery
"As a business, DPD have had good results with the TESS group and have applied their courses to multiple apprenticeships. I'd 100% recommend them to anyone who wants to do an apprenticeship."
Course graduate · DPD

SERVICES FOR EDUCATION · Charity / education
"I found the course useful and informative and have already used AI in helping us as a finance team look at ways we can streamline processes. The prompt framework was really useful in helping refine the questions to ask."
Finance team · Services For Education

Accredited centre · Approved provider

Ofsted Good · Skills England Approved · CMI Chartered Partner · BCS Chartered Partner · CIPD Aligned · ILM Approved Centre · NCFE Aligned · APM Accredited · HABC Aligned

9. Procurement FAQ

The questions our procurement-grade buyers (NHS trusts, financial services, Transport for London, large public-sector bodies) ask most often.

What ISO certifications do you hold?

TESS Group operates an information security management approach aligned to ISO/IEC 27001 controls (Annex A) and a quality management system aligned to ISO 9001 principles.

We are not currently certified to ISO 27001 by a UKAS-accredited certification body. Where a procurement framework requires formal certification we will say so up front; where alignment is acceptable we provide our internal controls mapping on request.

Where is my apprentice’s data stored?

Apprenticeship learner data (portfolio, OneFile records, learner profile, documents) is hosted in the United Kingdom. The website is served from Cloudflare’s UK edge. Coachy (AI tutor) runs on Lovable Cloud with its database hosted in the UK (London region); AI requests are processed under contracts that prohibit providers training on customer data. Operational tooling (email, document storage) is on UK tenants.

The complete sub-processor list with hosting regions is in Section 2.

Does Coachy use my employee data to train AI models?

No. Coachy runs on Lovable Cloud (SOC 2 Type II, ISO 27001 and GDPR compliant). Customer prompts and data are not used to train models, and Lovable’s agreements with its AI providers contractually restrict training and retention. Apprentice conversations are encrypted in transit (TLS 1.3) and at rest, and are visible only to the apprentice and (with their consent) their TESS skills coach.

Can I get a Data Processing Agreement (DPA)?

Yes. We can sign your standard DPA or provide our own template. Email [email protected] to request a copy. Our DPA covers UK GDPR Article 28 obligations, sub-processor notification, international transfer safeguards (UK IDTA / EU SCCs where applicable) and incident notification timeframes.

Are you on a UK government procurement framework?

TESS Group is on the ESFA Register of Apprenticeship Training Providers (RoATP), which is the procurement framework for apprenticeship delivery in England.

Framework membership for non-apprenticeship procurement vehicles (e.g. CCS, ESPO, YPO) varies; contact [email protected] to confirm current status for your specific framework.

What happens to data when the apprenticeship ends?

Statutory retention applies: ESFA funding rules require provider retention of apprenticeship records for at least 6 years after the funding year in which the apprentice completes. After this period, records are securely destroyed in line with our retention schedule (available on request).

Coachy conversation history is retained for the duration of the apprenticeship and deleted within 90 days of completion unless the employer requests extended audit retention.

Do you carry public liability and professional indemnity insurance?

Yes. TESS Group carries public liability, employer’s liability and professional indemnity insurance. Certificates of insurance are available on request via [email protected]. Please specify the contracting entity and required limits and we will issue a Certificate of Insurance to your procurement team.

Can we run a security questionnaire?

Yes. We routinely complete supplier security questionnaires (SIG, CAIQ, bespoke buyer questionnaires) for NHS, financial services and public-sector buyers. Email [email protected] with your questionnaire and a target turnaround date. Standard turnaround is 10 working days.

Speak to our compliance team

Procurement questionnaire, DPA, security review, framework verification: we’ll route you to the right person.