// Trust & Security Report
Virtual Class Ltd (trading as Third Space Learning)
UK-founded (2013) education platform providing 1-to-1 online maths tutoring to primary and secondary schools; core product has shifted from human tutors to "Skye," a proprietary voice-based AI maths tutor, alongside a teacher/school admin portal and free public resources (Maths Hub, blog).
Certifications held
2
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on thirdspacelearning.com“TSL holds Cyber Essentials certification, certified by IASME, valid to Dec 2026, covering firewalls, secure configuration, access control, malware protection and patch management.”
Verify on thirdspacelearning.com“"UK & EU GDPR Compliant"; "ICO registered ZA104352"; company operates as data controller under UK GDPR with a published Data Protection & Privacy Policy dated July 2025.”
> Show 8 unconfirmed / not-held certifications
source: thirdspacelearning.comNo public evidence: SOC 2 is not mentioned anywhere on the vendor's trust-compliance page, privacy policy, or GDPR page. Only Cyber Essentials and an annual penetration-test commitment are cited as security assurance.
source: thirdspacelearning.comNo public evidence of a completed ISO 27001 certification. A 2018 vendor PDF ('GDPR_at_Third_Space_Learning.pdf') discusses GDPR readiness but does not confirm ISO 27001 was achieved, and the current 2026 trust-compliance page lists only Cyber Essentials, not ISO 27001.
source: thirdspacelearning.comNo public evidence on any vendor-domain page.
source: thirdspacelearning.comNo public evidence. Vendor instead publishes a self-declared 'EU AI Act Compliant' and 'DfE AI safety standards compliant' posture on its trust page, not a certified AI management system.
source: thirdspacelearning.comNo public evidence on any vendor-domain page.
source: thirdspacelearning.comNo public evidence and not applicable: TSL is a UK-founded education vendor processing school/pupil data, not US health data; no HIPAA claim appears anywhere on the site.
source: thirdspacelearning.comNo public evidence. No payment-card handling claims found; likely delegated to a third-party payment processor, not independently disclosed.
source: thirdspacelearning.comNo public evidence; not applicable (UK-founded company, primary market UK schools).
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
Vendor's own trust-compliance page states platform (AWS) hosting in Ireland and BigQuery analytics processing in London, UK, with data "processed and stored in the UK or EU." Note: one independent web search snippet (not a vendor page) claimed US-based storage for the AI tutoring service; the vendor publishes separate UK and US versions of its privacy policy, so this likely reflects region-specific hosting for US school customers rather than a contradiction, but this could not be fully reconciled from vendor-domain evidence alone.
Vendor states plainly on both the homepage and trust-compliance page and in the July 2025 Data Protection & Privacy Policy PDF that pupil data is not used to train AI models: "Skye does not use pupil data to train future AI models" and "where we use third party AI models, they are not allowed to be trained on student data." No tier-based exception was found (this applies to all schools). Voice is transcribed for real-time tutoring but the transcription/voice model itself is stated as not retaining audio for training.
// Security controls
Baseline security certification
Cyber Essentials (IASME-certified), valid to December 2026 — a UK government-backed baseline scheme, not equivalent in rigor to SOC 2 Type II or ISO 27001.
thirdspacelearning.comPenetration testing
"We have committed to carrying out an independent penetration test every year."
thirdspacelearning.comBreach notification
"TSL notifies affected schools within 72 hours" of a security incident affecting school data.
thirdspacelearning.comEncryption in transit / at rest
Not explicitly documented. The July 2025 privacy policy states only generic assurance: "All personal data processed by us is stored securely... We use a range of organisational and technical security measures," with no specific mention of TLS version or at-rest encryption standard (e.g., AES-256). Treat as unconfirmed.
thirdspacelearning.comHosting / infrastructure
Platform (AI tutor + learning platform) hosted on Amazon Web Services (AWS), Ireland; pseudonymised analytics processed via Google BigQuery in London, UK. AWS's own compliance program is the host's certification, not Third Space Learning's.
thirdspacelearning.comInternational data transfers
Relies on UK adequacy regulations for EEA transfers, the UK-U.S. Data Bridge for US transfers, and Transfer Risk Assessments plus UK IDTA / SCC addenda where no adequacy decision applies.
thirdspacelearning.comChild safeguarding controls
Live "Timeslot Supervisors" in every AI tutoring session, a tiered red-flag monitoring system, full session recording retained for safeguarding purposes, and a named Designated Safeguarding Officer (DSO) plus deputy.
thirdspacelearning.comData retention
Student data (including session recordings/transcripts) is deleted or irreversibly anonymised at the end of the third academic year following the student ceasing to be active.
thirdspacelearning.comData minimisation (pupil data scope)
Only first name, surname/initial, school, working-at maths level, platform pupil ID, lesson voice/audio, session transcript, and progress/attainment data are collected; special category data (ethnicity, religion, health, SEN status, gender, date of birth) is explicitly stated as not collected.
thirdspacelearning.com// Products & data scope
data: Pupil first name, school, maths level, platform pupil ID, lesson voice/audio, session transcript, progress/attainment data; session recordings retained for safeguarding and service-improvement purposes until end of third academic year.
Core current product; company's original offering (2013+) was human-tutor-delivered 1-to-1 tutoring, now delivered via the proprietary Skye AI tutor. Vendor states Skye and any third-party AI models used are not trained on pupil data.
data: Staff contact details (name, email, role, school), PPA timetable availability; tiered access so most school accounts cannot view lesson recordings or transcripts unless separately requested from TSL.
Used by teachers/school leaders to assign pupils, review progress reports, and manage the tutoring programme.
data: Website visitor analytics and, for registered users of the online learning hub, contact details and browsing/usage data via cookies.
Marketing/lead-generation and community resource, separate data footprint from the tutoring product.
// What to watch
- Vendor states 'You do not need a Data Processing Agreement' on the basis that TSL is a data controller (not a processor) for pupil data. This is a defensible UK GDPR legal position given its statutory safeguarding duties, but enterprise/school procurement teams that require a standard DPA as a checklist item may be surprised by its absence — flag for buyer awareness rather than treat as a compliance gap.
- No SOC 2, ISO 27001, or AI-governance certifications (ISO/IEC 42001, CSA STAR AI) were found. The only third-party security assurance is Cyber Essentials, a UK government-backed baseline scheme that is materially lower-assurance than SOC 2 Type II or ISO 27001 — do not present Cyber Essentials as equivalent to either in AIFOXX listing copy.
- A 2018 vendor PDF references considering ISO 27001 at that time; no evidence was found that certification was ever completed, and the current (2026) trust-compliance page does not list it. Do not infer ISO 27001 is held from that legacy document.
- Data residency has a partial inconsistency across sources: the vendor's own trust-compliance page (fetched directly) states UK/EU hosting (AWS Ireland, BigQuery London), while one independent web-search summary (not a vendor page) described US-based storage for the AI tutoring service. The vendor does publish separate UK and US privacy-policy versions, which may explain region-specific hosting for US customers, but this was not fully reconciled from vendor-domain evidence and should be confirmed directly with the vendor before publishing a single data-residency claim.
- No explicit encryption standard (TLS version, at-rest encryption algorithm) is disclosed on any vendor-domain page reviewed; only generic 'organisational and technical security measures' language is used.
- Identity confirmed: legal entity is Virtual Class Ltd, trading as Third Space Learning, at domain thirdspacelearning.com, matching the evidence file's URL. No conflation risk identified with any similarly named company.
// At a glance
Pricing model
Flat annual per-school subscription for unlimited pupil access and sessions; no per-session fees (per vendor homepage: "no per-session fees... one low annual price").
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Virtual Class Ltd (trading as Third Space Learning)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
thirdspacelearning.com