Trust centre
Safe, Secure, and School-Ready
Procurement-ready information for data protection, safeguarding, accessibility, supplier transparency, and AI usage controls. See the Schools page for what CanDoLearn is and is not.
UK GDPR aligned
School procurement ready
Secure by design
DPIA sign-off available
Procurement-ready information for schools
Key documents and review points for SENCOs, safeguarding leads, business managers, DPOs and trust procurement teams.
Trust quick facts
- DPA available on request for school procurement
- Sub-processor register reviewed and published
- UK GDPR privacy notice updated with lawful bases, profiling, and rights information
- Accessibility statement and safeguarding statement published
- Support contact: support@candolearn.co.uk
Children's privacy by design
CanDoLearn is designed around data minimisation, adult-managed access, clear educational purpose, teacher oversight and age-appropriate learning support. We avoid unnecessary profiling and keep human review at the centre of intervention decisions.

AI governance
AI supports content generation for learning practice. Teachers remain in control of assignment and review.
Content should be reviewed before use where appropriate, especially for sensitive contexts or specific support needs.
The system does not make safeguarding decisions.
The system does not make high-stakes automated decisions about pupils.
Schools can request more detail about model use, data flows and sub-processors.
Human review stays central to intervention decisions and school oversight.
Security and privacy controls
Security governance
Security policies, risk management, and continuous improvement practices aligned to recognised control frameworks.
Controller and processor clarity
School deployments are supported under data processing terms, while CanDoLearn remains controller for sales, support, security, and direct family accounts.
Encryption controls
TLS in transit and encryption at rest for sensitive data.
Least-privilege access
Role-based access with scoped permissions and regular access review.
Data minimisation
We collect only data needed to deliver learning and intervention outcomes.
Auditable operations
Change tracking, operational monitoring, and incident response processes are documented.
Privacy handling model
School deployments
Schools and academy trusts usually act as controller for learner and staff data used to deliver the service. CanDoLearn processes that data on documented instructions under contract terms and supports customer deletion, access, and retention requests.
Direct enquiries and family accounts
CanDoLearn acts as controller for website enquiries, demo requests, support, direct family accounts, security logs, and legal compliance records. Lawful bases and data subject rights are described in the Privacy Policy.
Where providers transfer data outside the UK, we rely on approved safeguards such as adequacy regulations, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses.
Complete your DPIA sign-off online
Use this form to record your school or trust review details, submit them to CanDoLearn, and keep a signed copy for procurement or pilot records.
DPIA review and sign-off
Schools can complete this form to record procurement review details, submit them to CanDoLearn, and keep a copy for their own records.
Supplier and sub-processor list
- Fly.io: Hosting and infrastructure. Data location: UK/EU preference
- HubSpot: CRM and form submissions. Data location: EU region supported
- Resend: Transactional email delivery. Data location: EU/EEA options supported
- GitHub: Source code and change management. Data location: Global service with safeguards
- Anthropic: AI content generation. Data location: Service-dependent with safeguards
- Gemini: AI content generation. Data location: Service-dependent with safeguards
