Information Security Policy

Last updated: June 2026

4Sight Education Ltd (trading as VESPA Academy)


Policy owner	Antony Dennis, Director
Version	1.0
Effective date	June 2026
Review cycle	Annually or on material change
Applies to	All directors, staff, contractors and associates, and all systems processing 4Sight or customer data

1. Purpose and scope

This policy sets out how 4Sight Education Ltd protects the confidentiality, integrity and availability of information assets, including the personal data of students and staff processed through the VESPA Academy platform. It applies to all systems, devices and services used to deliver our services.

2. Data hosting and residency

Production data for UK customers is hosted within the European Union: application data in Supabase (EU region) and application delivery via Vercel (EU / edge). We do not operate on-premise servers. Data is encrypted in transit using HTTPS/TLS, and at rest by our infrastructure providers.

3. Access control

Access to systems and customer data is granted on a least-privilege basis and only to those who require it to perform their role.
Multi-factor authentication (MFA) is enforced on administrative and infrastructure systems.
Access to the platform by school staff and students is authenticated; we support Microsoft 365 and Google single sign-on (SSO) and recommend customers enforce MFA via their identity provider.
Access is reviewed and revoked promptly when roles change or relationships end.

4. Certification and standards

4Sight Education Ltd is Cyber Essentials certified through the IASME Consortium (certificate IASME-CE-060416, issued 2 July 2026, valid to 2 July 2027).

Verify authenticity: https://iasme.co.uk/cyber-essentials/check-a-certificate/?cert_num=IASME-CE-060416

Cyber Essentials certificate verification QR code

Our controls align with the Cyber Essentials technical control themes: firewalls, secure configuration, access control, malware protection and security update management.

Commercial insurance: Professional indemnity, public liability, employer's liability and standalone cyber liability policies are being finalised with our broker; contact admin@vespa.academy for current certificate status. (Cyber Essentials certification may include optional bundled cyber liability cover — this is supplementary to our commercial insurance arrangements.)

5. Device and endpoint security

Company and staff devices used to access systems must be kept up to date, protected by supported operating systems, full-disk encryption where available, screen-lock and reputable malware protection.

6. Sub-processors

We use a limited number of vetted sub-processors to deliver the service (including Supabase, Vercel, SendGrid, Stripe, OpenAI, Anthropic and Wonde where enabled). A current list is published in our Data Processing Agreement and Data Protection Policy. Sub-processors are subject to data-processing terms consistent with UK GDPR. Customers are notified of material changes to sub-processors.

7. Incident and breach management

Suspected or actual security incidents must be reported immediately to the Director. We investigate, contain and remediate incidents promptly. Where a personal data breach is likely to result in a risk to individuals, we notify the affected controller (the customer) without undue delay and, where applicable, support notification to the ICO within statutory timeframes.

8. Resilience and continuity

Service resilience, backup and recovery arrangements are set out in our Business Continuity & Disaster Recovery Plan (https://vespa.academy/bcp-dr-plan.html).

9. Responsibilities

The Director is responsible for information security. All staff, contractors and associates are responsible for complying with this policy and reporting concerns.

10. Review

Reviewed annually, or sooner on material change.

Signed: Antony Dennis, Director, 4Sight Education Ltd — June 2026