Data flow

Where the data goes, step by step.

For the DPO who wants the actual flow on the page, not in an email attachment. Pupil records, evidence and transactional email all stay in Azure UK South. The only US-based sub-processor is Stripe, for card payments.

[Diagram. Labels, in order: Parent / Pupil device (Web app over HTTPS); Third-party verifier (Single-use signed link); Azure UK South · school tenant; EYS web service (Container Apps); AI Content Safety (Moderation scan); Cosmos DB (Records + audit); Blob storage (Evidence, EXIF-stripped); Audit log container (Write-once at the app layer); Azure email (UK) (ACS · UK South); Stripe (US / IE) (Payments · SCC + IDTA).]

Solid arrows show the standard request flow. The dashed line shows the transactional email Azure Communication Services dispatches — within the UK — to a third-party verifier.

The flow, in words

From capture to keepsake.

1. Capture

Parent (under-13) or pupil (13+) opens the web app on their device and records a moment — photo, video or note. On-device guidance steers towards activity-focused content. The browser sends the upload over HTTPS to the Earn Your Stripes service.

2. Moderate

Before storage, every image and text fragment is passed to Azure AI Content Safety (UK South) for hate / sexual / violent / self-harm scoring. Severity ≥ 4 is blocked outright; 2–3 is held for the school’s DSL. Microsoft does not retain the content after scoring.

3. Strip

EXIF metadata — location, device model, timestamps — is stripped from the image. The original is re-encoded.

4. Store

The processed image lands in a tenant-scoped Azure Blob container (UK South). A record is written to Azure Cosmos DB (UK South). Every read or write is funnelled through a data-access repository that refuses unscoped operations.

5. Notify

A transactional email — parental approval request, attestation invite, award notification — is sent via Azure Communication Services (UK South). Only the recipient address and the message body are shared, and they never leave the UK.

6. Verify

A third-party verifier (coach, instructor) opens the single-use signed link from the email. They see one submission, sign off, and the link expires. No account. No session.

7. Audit

Every state-changing action and every sensitive view (evidence access, DSL view-as) writes a structured entry to the audit container, with actor, timestamp and subject.

8. Pack purchase (school-billed)

When a school buys an Active Pupil Pack, Stripe (Ireland / US) handles the card directly. We receive only a transaction reference and outcome. Families never make payments through the platform. Transfer is covered by SCCs + UK IDTA.
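
The single-use signed link from the Verify step, sketched as an added example (not Earn Your Stripes' own code). It assumes HMAC-SHA256 tokens, an in-memory set standing in for a durable used-token store, and a one-hour default lifetime; the function names and token layout are hypothetical.

```python
import base64, hashlib, hmac, secrets, time

SECRET = secrets.token_bytes(32)  # signing key, constructed for this sketch
_used = set()                     # stand-in for a durable store of spent token ids


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(payload: str) -> bytes:
    return _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()).encode()


def issue_link(tenant_id: str, submission_id: str, ttl_s: int = 3600, now=None) -> str:
    """Token bound to one tenant, one submission and an expiry (ids must not contain '.')."""
    expires = int((time.time() if now is None else now) + ttl_s)
    token_id = _b64(secrets.token_bytes(16))  # random id that makes the link single-use
    payload = f"{tenant_id}.{submission_id}.{expires}.{token_id}"
    return f"{payload}.{_sign(payload).decode()}"


def redeem_link(token: str, now=None):
    """Return (tenant_id, submission_id) exactly once; raise ValueError otherwise."""
    try:
        payload, sig = token.rsplit(".", 1)
        tenant_id, submission_id, expires, token_id = payload.split(".")
        expires = int(expires)
    except ValueError:
        raise ValueError("malformed token") from None
    # Verify the signature before trusting any field; constant-time comparison.
    if not hmac.compare_digest(sig.encode(), _sign(payload)):
        raise ValueError("bad signature")
    if (time.time() if now is None else now) >= expires:
        raise ValueError("expired")
    # In a real service this check-and-mark must be one atomic write,
    # otherwise two concurrent requests can both redeem the same link.
    if token_id in _used:
        raise ValueError("already used")
    _used.add(token_id)
    return tenant_id, submission_id
```

Because the tenant and submission ids are inside the signed payload, the verifier's request can be scoped to that one record without an account or session.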