TESS Group · Trust & Security

Procurement-grade trust documentation

Everything your procurement, security and information-governance teams need to evaluate TESS Group as a supplier — data residency, sub-processors, ISO posture, EPA-safe AI, UK GDPR rights, and contract clauses.

Ofsted Good
Most recent inspection: [placeholder: confirm date]
ISO 27001 aligned
Information security controls aligned to Annex A; ISO 9001 quality system
UK & EU GDPR
UK GDPR & Data Protection Act 2018 compliant. DPA on request.

1. At-a-glance summary

A procurement-ready checklist of what we hold, where data lives, and how we operate. Items marked “aligned” mean we operate to the control set but are not certified by a UKAS-accredited body — we will state this honestly in every supplier questionnaire.

Item / Position

  • Legal entity: The TESS Group Limited, registered in England & Wales [placeholder: company number]. Registered office: [placeholder: registered address].
  • Data residency — learner data: UK. OneFile e-portfolio, learner records and document storage hosted on UK tenants.
  • Data residency — website: UK edge. Static assets served via Cloudflare UK edge nodes.
  • Data residency — AI tutor (Coachy): EU. Anthropic Claude API, EU region. No model training on customer data.
  • Encryption: At rest & in transit. TLS 1.3 for transport, AES-256 at rest on sub-processor platforms.
  • UK & EU GDPR: Compliant. UK GDPR + Data Protection Act 2018. EU GDPR via SCCs where data crosses to the EU.
  • Data Protection Officer: Appointed. Contact: [email protected] [placeholder: confirm DPO name].
  • Sub-processors: Published. See Section 2. Notification of changes by email to nominated buyer contact.
  • Penetration testing: Annually. Annual penetration test of customer-facing surfaces by independent third party. [placeholder: name testing partner / last test date].
  • ISO 27001: Aligned, not certified. Controls mapped to Annex A; we do not currently hold UKAS-accredited certification. Controls mapping available on request.
  • ISO 9001: Aligned. Quality management system aligned to ISO 9001 principles.
  • SOC 2: Not held. We do not hold a SOC 2 Type I or Type II report. Buyers typically accept our ISO 27001 controls mapping in its place.
  • Cyber Essentials: Plus — in progress. [placeholder: confirm current Cyber Essentials / Cyber Essentials Plus status & certificate date].
  • Apprenticeship audit: Ofsted Good. Most recent inspection: [placeholder: confirm date]. ESFA RoATP-registered.
  • EPA-Organisation: BCS, The Chartered Institute for IT [placeholder: confirm BCS-EPAO accreditation reference]. EPA delivered by an external EPAO — not by TESS.
  • Bug bounty: Contact-based. Responsible disclosure to [email protected]. No public bounty programme.
  • Incident notification SLA: 72 hours. Notification to controller within 72 hours of becoming aware of a personal data breach, in line with UK GDPR Article 33.
  • Insurance: Public liability, employer’s liability and professional indemnity. Certificate available on request.
  • DPA: Available. Standard template or your paper. Email [email protected].

We aim to be honest about what we hold and what we don’t. Where this page says “aligned to” rather than “certified”, that is deliberate — please ask your TESS account contact for the underlying evidence and we will share what we have.

2. Data residency & sub-processors

Learner personal data is hosted in the United Kingdom. A small number of operational sub-processors are in the EU or operate under appropriate UK IDTA / EU SCC transfer mechanisms. We will notify nominated buyer contacts before adding or replacing a sub-processor that processes learner personal data.

Where learner data lives

  • Portfolio & learner records: OneFile (UK-hosted apprenticeship e-portfolio system) is the primary system of record for learner evidence, reviews and gateway sign-off.
  • Operational documents: Office productivity tools on a UK tenant (see below). Learner-identifiable documents are stored in restricted folders with role-based access.
  • Website analytics: Aggregated and pseudonymous; no learner-identifiable data is exposed to web analytics.
  • AI tutor conversations: Coachy conversation history is stored in a UK-hosted application database. The AI inference itself runs via the Anthropic API in the EU region (see Section 3).

Sub-processor list

This list is current as of 12 May 2026. The authoritative version is maintained internally; the latest copy is available on request to [email protected].

  • CDN & edge: Cloudflare. Static asset hosting, DDoS protection, edge caching for tessgroup.co.uk and coachy.tessgroup.co.uk. Region: UK edge.
  • Apprenticeship portfolio: OneFile. Learner e-portfolio, evidence, reviews, gateway. System of record for ESFA-funded delivery. Region: UK.
  • AI inference (Coachy): Anthropic. Claude API for AI tutor (Coachy). Commercial API terms — customer inputs/outputs are not used for model training. Region: EU.
  • Email & productivity: Microsoft 365 / Google Workspace. [placeholder: confirm which tenant TESS uses — M365 or Google Workspace, and tenant region]. Region: UK tenant.
  • Code hosting: GitHub. Hosting for website source code only. No learner PII is committed to source control. Region: US (no PII).
  • CRM & marketing: HubSpot (or equivalent). Enquiry capture, CRM, marketing automation. [placeholder: confirm CRM — HubSpot, Salesforce, Pipedrive] US-hosted under EU SCCs / UK IDTA. Region: US + SCCs.
  • Review collection: Trustpilot. Customer review collection. Learners and employers may be invited to leave a review post-completion. Region: UK.
  • Form & enquiry handling: Formspree. Enquiry form submission endpoint. Submissions forwarded to TESS inboxes; no third-party retention beyond delivery. Region: US + SCCs.
  • Web analytics: Google Tag Manager / Google Analytics. Aggregated traffic analytics; IP anonymisation enabled; consent-gated via cookie banner. Region: US + SCCs.

If your procurement framework requires a definitive sub-processor list with hosting regions on letterhead, request it from [email protected]. We refresh this page when a change occurs.

3. Coachy — AI tutor data & model posture

Coachy is the AI tutor included with our AI & Automation Practitioner Level 4 (ST1512) apprenticeship. It is purpose-built around the standard and is designed to be safe for apprenticeship use — both data-safe and EPA-safe.

Coachy data & AI commitments

  • Underlying model: Anthropic Claude, accessed via the Anthropic API in the EU region. Coachy is a thin application layer with a custom system prompt scoped to ST1512.
  • Training data: Apprentice conversations are not used to train Anthropic’s models. This is contractually guaranteed by Anthropic’s commercial API terms.
  • Encryption: Conversations are TLS 1.3 in transit; encrypted at rest in the Coachy application database.
  • Scope: Coachy is scoped to apprenticeship content (ST1512 standard, units AU0009 / AU0010 / AU0011 on the L5 side). It declines to engage with off-topic or harmful requests.
  • EPA-safe by design: Coachy explains, coaches and asks Socratic questions, but it will not write portfolio evidence, gateway submissions or end-point assessment artefacts for an apprentice. This is a deliberate product guard-rail.
  • Authentication: Apprentices sign in with their OneFile email via a magic link, with no separate password to manage.
  • Employer retention controls: Employers can request extended audit retention or accelerated deletion at the end of the programme.
  • Audit logs: Full apprentice-conversation logs can be made available to the employer’s governance committee subject to the apprentice’s knowledge and consent under UK GDPR.

What Coachy does not do

  • It does not write portfolio evidence on the apprentice’s behalf.
  • It does not produce content the apprentice can paste straight into an EPA submission.
  • It does not store apprentice data outside the regions described above.
  • It does not connect to public model providers other than Anthropic.

Deeper technical detail is published in How Coachy works and on the Coachy product page.

4. EPA-safe contract clauses

Apprenticeship end-point assessment (EPA) integrity is a regulator-level concern. We commit to the following clauses in any apprenticeship agreement, and we will incorporate equivalent language into bespoke MSAs on request.

Our EPA-safe commitments

  • No AI authorship of EPA artefacts. No AI tool provided by TESS (including Coachy) will write any portion of an apprentice’s gateway or end-point assessment submissions.
  • Plagiarism & academic misconduct. Suspected misconduct is investigated under our Malpractice & Maladministration policy and reported to the EPAO (typically BCS for AI standards) in line with their requirements.
  • Authorship verification at gateway. Skills coaches review portfolio evidence and conduct verification questions before sign-off at gateway.
  • Independent EPA. End-point assessment is delivered by an independent EPAO (BCS for ST1512). TESS does not assess its own learners at EPA.
  • Transparent AI use disclosure. Where apprentices use AI tools to support their learning, this is disclosed in their evidence trail in line with EPAO guidance.

5. Accessibility statement

We target WCAG 2.2 AA on tessgroup.co.uk and on the Coachy application. Accessibility is an ongoing programme — some legacy pages have known issues we are working through.

What we’ve done

  • May 2026 emoji-to-SVG sweep: replaced decorative emoji icons with inline SVG carrying aria-label or aria-hidden as appropriate.
  • Skip-links on every page (“Skip to main content”).
  • Semantic HTML5 landmarks (<header>, <nav>, <main>, <footer>).
  • Full keyboard navigation; visible focus rings.
  • Colour contrast on body text ≥ 4.5:1.
  • Alt text on all content images; decorative images marked aria-hidden.

What’s ongoing

  • Form-error semantics on some legacy enquiry forms.
  • Programme-finder chatbot keyboard trap edge cases on Safari iOS.
  • Third-party widgets (e.g. Trustpilot embed) inherit upstream accessibility.

If you encounter an accessibility barrier, email [email protected] and we will respond within 5 working days. [placeholder: confirm [email protected] is monitored, or change to [email protected]]

6. Apprenticeship-specific compliance

For NHS, public-sector and regulated-industry buyers, the apprenticeship-specific regulatory framework matters as much as the standard procurement controls.

  • Ofsted: Rated Good. Public inspection report at the Ofsted reports portal. [placeholder: link to specific Ofsted URN page]
  • ESFA RoATP: Registered on the Education & Skills Funding Agency Register of Apprenticeship Training Providers. Public listing: [placeholder: link to ESFA RoATP entry]
  • Skills England / IfATE: Programmes delivered against Institute for Apprenticeships & Technical Education (Skills England) standards including ST1512 (AI & Automation Practitioner L4) and the AI Apprenticeship Units AU0009/AU0010/AU0011 at L5.
  • BCS-EPAO: The British Computer Society is the end-point assessment organisation for ST1512. [placeholder: confirm BCS-EPAO accreditation reference and direct link]
  • Safeguarding & Prevent: Designated Safeguarding Lead in post; staff trained in Prevent duty under the Counter-Terrorism & Security Act 2015. Policy on /policies.
  • Equality & diversity: Equality Act 2010 compliant; reasonable adjustments process documented.

7. Data protection rights & DPO contact

Under UK GDPR Articles 15–22, apprentices, employer contacts and prospective learners can exercise the following rights. Requests are handled by our Data Protection Officer within one calendar month.

  • Article 15 — Right of access: A subject access request returning copies of personal data we hold about you.
  • Article 16 — Rectification: Correction of inaccurate or incomplete data.
  • Article 17 — Erasure: “Right to be forgotten” subject to lawful retention obligations (e.g. ESFA 6-year retention).
  • Article 18 — Restriction: Suspending processing while a dispute is resolved.
  • Article 20 — Portability: A machine-readable copy of data you provided to us.
  • Article 21 — Objection: Object to processing based on legitimate interests or direct marketing.
  • Article 22: No solely automated decision-making with significant effects is conducted on learner data.

Data Protection Officer
For all UK GDPR requests, DPAs, and data-handling questions

Postal: Data Protection Officer, The TESS Group Limited, [placeholder: registered office address]. You also have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk.

8. Incident response

Personal-data breaches and security incidents follow a documented process. Our notification SLA matches UK GDPR Article 33: 72 hours from the point at which TESS becomes aware of a breach.

What we do on detection

  • Immediate containment and forensic preservation.
  • Risk assessment — rights and freedoms of data subjects.
  • Notification to controllers (employers) within 72 hours, including: nature of the breach, categories & approximate number of data subjects, likely consequences, mitigation taken.
  • Notification to the ICO where the breach is reportable.
  • Notification to affected learners directly where there is high risk to their rights and freedoms.
  • Post-incident review and policy update.

Security & incident contact
Responsible disclosure, suspected breach, urgent security concerns

9. Procurement FAQ

The questions our procurement-grade buyers (NHS trusts, financial services, Transport for London, large public-sector bodies) ask most often.

What ISO certifications do you hold?

TESS Group operates an information security management approach aligned to ISO/IEC 27001 controls (Annex A) and a quality management system aligned to ISO 9001 principles.

We are not currently certified to ISO 27001 by a UKAS-accredited certification body. Where a procurement framework requires formal certification we will say so up front; where alignment is acceptable we provide our internal controls mapping on request.

Where is my apprentice’s data stored?

Apprenticeship learner data (portfolio, OneFile records, learner profile, documents) is hosted in the United Kingdom. The website is served from Cloudflare’s UK edge. Coachy (AI tutor) processes conversations via the Anthropic API in the EU region. Operational tooling (email, document storage) is on UK tenants.

The complete sub-processor list with hosting regions is in Section 2.

Does Coachy use my employee data to train Anthropic’s models?

No. Coachy uses the Anthropic Claude API under commercial API terms. Anthropic does not use API inputs or outputs to train its models. Apprentice conversations are encrypted in transit (TLS 1.3) and at rest, and are visible only to the apprentice and (with their consent) their TESS skills coach.

Can I get a Data Processing Agreement (DPA)?

Yes. We can sign your standard DPA or provide our own template. Email [email protected] to request a copy. Our DPA covers UK GDPR Article 28 obligations, sub-processor notification, international transfer safeguards (UK IDTA / EU SCCs where applicable) and incident notification timeframes.

Are you on a UK government procurement framework?

TESS Group is on the ESFA Register of Apprenticeship Training Providers (RoATP), which is the procurement framework for apprenticeship delivery in England.

Framework membership for non-apprenticeship procurement vehicles (e.g. CCS, ESPO, YPO) varies — contact [email protected] to confirm current status for your specific framework. [placeholder: confirm which frameworks TESS is on]

What happens to data when the apprenticeship ends?

Statutory retention applies: ESFA funding rules require provider retention of apprenticeship records for at least 6 years after the funding year in which the apprentice completes. After this period, records are securely destroyed in line with our retention schedule (available on request).

Coachy conversation history is retained for the duration of the apprenticeship and deleted within 90 days of completion unless the employer requests extended audit retention.

Do you carry public liability and professional indemnity insurance?

Yes. TESS Group carries public liability, employer’s liability and professional indemnity insurance. Certificates of insurance are available on request via [email protected] — please specify the contracting entity and required limits and we will issue a Certificate of Insurance to your procurement team. [placeholder: confirm insurer + cover limits]

Can we run a security questionnaire?

Yes — we routinely complete supplier security questionnaires (SIG, CAIQ, bespoke buyer questionnaires) for NHS, financial services and public-sector buyers. Email [email protected] with your questionnaire and a target turnaround date. Standard turnaround is 10 working days.

Speak to our compliance team

Procurement questionnaire, DPA, security review, framework verification — we’ll route you to the right person.

[placeholder: replace /downloads/tess-dpa-template.pdf with the hosted DPA PDF, or remove this CTA. Until then it 404s — buyers can email [email protected].]