IT Setup Guide - VESPA Academy

Getting VESPA Academy 2.0 Ready for Your School

This page is designed for your school's IT administrator or network manager. It covers everything needed to enable single sign-on and ensure the platform works smoothly across your network.

Quick Checklist

1. Approve SSO — Microsoft 365

VESPA Academy uses Microsoft's standard OAuth 2.0 sign-in so staff and students can click "Continue with Microsoft" on the login page. Most school Microsoft 365 tenants require an administrator to grant consent before users can sign in with a third-party app.

What users see without approval: An "Approval required" screen asking them to request permission from their admin. This is normal — it just means the app hasn't been approved yet.

How to approve (Entra ID / Azure AD)

  1. Sign in to the Microsoft Entra admin centre with a Global Administrator or Cloud Application Administrator account.
  2. Navigate to Identity > Applications > Enterprise applications.
  3. Search for "VESPA" in the application list. If you see it listed (it may appear as "VESPA Lite"), click on it.
  4. Go to Permissions and click "Grant admin consent for [your organisation]".
  5. Review the permissions — VESPA only requests:
    • openid — sign the user in
    • profile — read the user's name
    • email — read the user's email address
    No access to mailboxes, files, calendars, or any other Microsoft 365 data.
  6. Click Accept. All users in your tenant can now sign in immediately.

Alternative: direct consent link

If the app doesn't appear in Enterprise applications yet, you can trigger the admin consent flow by visiting the login page at app.vespa.academy/login and clicking "Continue with Microsoft" while signed in as a tenant admin. Approve the consent prompt and tick "Consent on behalf of your organization".
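
Once consent is granted, the delegated grants recorded for the app can be compared with the three scopes listed in step 5. The following is an added example, not code from VESPA or Microsoft: it audits a constructed export in the shape Microsoft Graph returns for oauth2PermissionGrants, and the service principal ids and the extra Mail.Read grant are placeholders made up to exercise the check.

```python
import json

# Scopes the page says VESPA requests; anything else is worth raising with the vendor.
EXPECTED_SCOPES = {"openid", "profile", "email"}

# Constructed sample in the shape of GET /v1.0/oauth2PermissionGrants.
# All ids are placeholders and the second grant is invented to show a failure.
SAMPLE_GRANTS = json.loads("""
{"value": [
  {"clientId": "sp-vespa-placeholder", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "sp-msgraph-placeholder",
   "scope": " openid profile email"},
  {"clientId": "sp-vespa-placeholder", "consentType": "Principal",
   "principalId": "user-placeholder", "resourceId": "sp-msgraph-placeholder",
   "scope": "openid profile email Mail.Read"},
  {"clientId": "sp-other-app", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "sp-msgraph-placeholder",
   "scope": "User.Read"}
]}
""")

def audit_grants(grants, client_sp_id, expected=EXPECTED_SCOPES):
    """Return one finding per delegated grant held by the given service principal."""
    expected_lc = {s.lower() for s in expected}
    findings = []
    for g in grants.get("value", []):
        if g.get("clientId") != client_sp_id:
            continue
        # Graph stores scopes as one space-separated string, sometimes with a leading space.
        scopes = set((g.get("scope") or "").split())
        extra = sorted(s for s in scopes if s.lower() not in expected_lc)
        findings.append({
            "tenant_wide": g.get("consentType") == "AllPrincipals",
            "principal": g.get("principalId"),
            "unexpected_scopes": extra,
            "ok": not extra,
        })
    return findings

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS, "sp-vespa-placeholder"):
        print(finding)
```

To use it on a real tenant, pass your own export and the object ID of the VESPA enterprise application as `client_sp_id`.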

2. Approve SSO — Google Workspace

If your school uses Google Workspace, staff and students can sign in by clicking "Continue with Google". Google Workspace admins may need to allow the app.

How to approve (Google Admin Console)

  1. Sign in to the Google Admin Console with a Super Admin account.
  2. Navigate to Security > Access and data control > API controls.
  3. Under App access control, click "Manage third-party app access".
  4. Click "Configure new app", then select "OAuth App Name Or Client ID".
  5. Search for "VESPA Academy" and select it from the results.
  6. Set the access level to Trusted and click Configure.
  7. All users in your Google Workspace can now sign in immediately.

Permissions requested: Basic profile information (name and email address) only. No access to Google Drive, Gmail, Calendar, or any other Google services.

Can't find the app? If "VESPA Academy" doesn't appear in search results, have any user from your school visit app.vespa.academy/login and click "Continue with Google". The sign-in attempt will register the app in your admin console. You can then return to API controls and approve it.

3. Network & Email Allowlisting

Please ensure the following domains are permitted through your school's web filter, firewall, and email filtering systems. Student activity access also requires Skiv (videos) and activity CDNs — not just the main app.

Complete printable allowlist: vespa.academy/it-allowlist — share this link with your IT team or web filter vendor (e.g. Securly).

Core platform (required)

*.vespa.academy                    App, docs, activity assets, PDFs (app.vespa.academy, vespa.academy)
qcdcdzfanrlvdcagmwmg.supabase.co   Database, authentication, API, realtime (or *.supabase.co)

Videos — Skiv (required)

skiv.com                           All VESPA coaching videos (embed player — we no longer use YouTube for new content)

Student activities (required for assigned activities)

cdn.jsdelivr.net                   JavaScript libraries in activity slide decks
cdnjs.cloudflare.com               Additional CDN libraries
slides.com                         Embedded activity presentations
fonts.googleapis.com               Web fonts
fonts.gstatic.com                  Font files

Single sign-on

login.microsoftonline.com          Microsoft 365 sign-in (most UK schools)
graph.microsoft.com                Microsoft 365 directory sync (technical admin)
accounts.google.com                Google sign-in (if used)
oauth2.googleapis.com              Google OAuth (if used)

Legacy / optional

www.youtube.com                    Legacy activity videos only
www.youtube-nocookie.com           Privacy-enhanced YouTube embeds
muse.ai                            Legacy embeds in some older slide HTML

Email safe-sender list

noreply@notifications.vespa.academy   Transactional emails (welcome, password reset, reports)
@vespa.academy                        All VESPA Academy emails (support, admin, notifications)
@notifications.vespa.academy          Notification subdomain

Portal works but activities are blocked? Your filter is usually blocking skiv.com, slides.com, or CDN domains. See the full allowlist or share blocked URLs with support@vespa.academy.

No special ports or IP ranges required. VESPA Academy is a web application accessed entirely over standard HTTPS (port 443). No desktop software installation is needed.
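
When the portal loads but activities do not, the blocked URLs from the web filter's log can be sorted against the allowlist above to see which group is being stopped. The following is an added example, not VESPA's code: the blocked URLs are constructed, and treating the apex domain as covered by a `*.` entry is an assumption taken from the page's own parenthetical, which not every filter shares.

```python
from urllib.parse import urlsplit

# Entries copied from the allowlist above, keyed by its section headings.
ALLOWLIST = {
    "core": ["*.vespa.academy", "qcdcdzfanrlvdcagmwmg.supabase.co"],
    "videos": ["skiv.com"],
    "activities": ["cdn.jsdelivr.net", "cdnjs.cloudflare.com", "slides.com",
                   "fonts.googleapis.com", "fonts.gstatic.com"],
    "sso": ["login.microsoftonline.com", "graph.microsoft.com",
            "accounts.google.com", "oauth2.googleapis.com"],
    "legacy": ["www.youtube.com", "www.youtube-nocookie.com", "muse.ai"],
}

def host_matches(host, pattern):
    """Exact match, or suffix match on a label boundary for '*.' patterns."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        apex = pattern[2:]
        # Assumption: apex included, as the page lists vespa.academy under *.vespa.academy.
        return host == apex or host.endswith("." + apex)
    return host == pattern

def classify(url):
    """Return (host, group); group is None when the host is not on the list."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    for group, patterns in ALLOWLIST.items():
        if any(host_matches(host, p) for p in patterns):
            return host, group
    return host, None

def triage(blocked_urls):
    """Group blocked hosts that are on the allowlist; collect the rest separately."""
    report = {"not_on_allowlist": set()}
    for url in blocked_urls:
        host, group = classify(url)
        report.setdefault(group or "not_on_allowlist", set()).add(host)
    return report

# Constructed sample of URLs exported from a web filter's block log.
SAMPLE_BLOCKED = [
    "https://skiv.com/embed/example",
    "https://cdn.jsdelivr.net/npm/example.js",
    "slides.com/example-deck",
    "https://notvespa.academy/login",       # look-alike, must not match
    "https://vespa.academy.example.net/",   # suffix trick, must not match
]

if __name__ == "__main__":
    print({g: sorted(h) for g, h in triage(SAMPLE_BLOCKED).items()})
```

Hosts that land in `not_on_allowlist` are not covered by the vendor's list and should stay blocked unless separately justified.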

4. Fallback: Email & Password Login

If SSO approval is not possible immediately, users can still access VESPA Academy using email and password:

  1. Go to app.vespa.academy/login
  2. Click "Forgot password?"
  3. Enter the email address associated with the VESPA account
  4. A password reset link will be sent to that email
  5. Click the link and set a new password

This works for both staff and students. SSO can be approved later — once approved, users can switch to "Continue with Microsoft" or "Continue with Google" at any time.

5. Data Protection, Privacy & AI Policies

The following policy documents are available for your data protection officer (DPO) or IT governance team. They cover how VESPA handles personal data, our AI usage, retention periods, and compliance with UK GDPR. View the full policies index for a complete list, including corporate and procurement policies.

Privacy Policy: How we collect, use, and protect personal data — lawful basis, rights, cookies, third parties
Data Protection Policy: UK GDPR compliance — controller/processor roles, DPIA, breach procedures, sub-processor list
Data Retention Policy: Per-data-type retention periods, deletion procedures, data export, lapsed account handling
Data Processing Agreement: Standard UK GDPR Article 28 DPA — processor obligations, sub-processors, security measures
Information Security Policy: Cyber Essentials certified (IASME-CE-060416), MFA, hosting, incident response
Modern Slavery Policy: Supply chain ethics and zero tolerance for modern slavery
Quality Policy: Quality objectives, controlled processes, support handling, subcontractor standards and continuous improvement
Environmental Policy: Cloud-first operating model and environmental commitments
Equality, Diversity & Inclusion Policy: Equality Act compliance — employer and service delivery commitments
Health & Safety Policy: Remote working, DSE and safe working environment
Safeguarding Statement: KCSIE-aligned safeguarding and child data protection
Accessibility Statement: WCAG 2.2 commitment and accessibility feedback contact
Terms & Conditions: Service terms, free trials, billing, support obligations
AI Usage Policy: How AI is used (advisory only) — OpenAI & Anthropic API sub-processors; no training on school data; not sold or shared for unrelated purposes
BCP / DR Plan: Business continuity and disaster recovery — RTO/RPO targets, scenario playbooks, succession and provider outage procedures
Student Privacy Policy: Student-friendly version of the privacy policy

Data Processing Agreement (DPA): Our standard DPA is published at vespa.academy/data-processing-agreement and is incorporated into subscription terms. Contact admin@vespa.academy for a signed copy if your procurement team requires one.

Need Help?

If you have any questions about the technical setup, or if your network configuration requires specific IP addresses or additional information, please contact us: