For schools and trusts

Built to the KCSIE and DfE standard.

Custodiance runs your school or trust's web and email estate as a managed service — kept in UK and EU jurisdiction, built to the standard Keeping Children Safe in Education and the Department for Education require, and held by a named senior engineer who is personally accountable for it. Safeguarding does not stop at the policy folder; neither does the way we run your infrastructure.

The risk

What KCSIE and the DfE require of your website — and where agency builds silently fail

A typical school site — independent prep and senior, SEN provider, academy, or trust — was built a few years ago on whichever SaaS stack carried a template: WordPress on a US host, an Eventbrite open-day widget, a Mailchimp parent-newsletter signup, a Facebook Pixel for the admissions campaign, and a "contact the Head" form pointing at a US-resident inbox. The site works and open-day signups come in. It also quietly fails the obligations the school — not the agency — is accountable for. Four are worth naming precisely.

KCSIE online-safety expectations

Keeping Children Safe in Education makes online safety a running theme of a school's whole-school safeguarding approach (KCSIE 2024, Part 2). The website is the public projection of that posture — the Designated Safeguarding Lead's name and contact route findable within two clicks, a clear path to report a concern, and the online-safety, filtering, and monitoring approach published. On most agency builds the DSL line is buried in admin pages and the safeguarding page is an afterthought, not part of the main navigation.

The DPA 2018 and the Children's Code

Pupil and family data carry enhanced protection under the Data Protection Act 2018 and UK GDPR. The ICO's Age-Appropriate Design Code (the Children's Code) applies to online services likely to be accessed by children — the school's own website is precisely that — and Standard 7 requires settings to be high-privacy by default. A Facebook Pixel loading on a page that names a Year 8 pupil fails Standard 7 silently: the default is data-sharing with a US ad network, with no consent, on a page the child may access themselves.

Pupil and family data on US infrastructure

The admissions enquiry form, the open-day booking widget, and the parent newsletter typically run on US-resident SaaS — HubSpot, Eventbrite, Mailchimp — holding child names, dates of birth, year groups, and sometimes SEN context. US-resident services are subject to the US CLOUD Act, and the CJEU's Schrems II ruling made bulk transfer of this data legally precarious. For children's data the bar is higher again, and it is exactly the cross-border posture the ICO has said it expects organisations to avoid.

The school as data controller

The school — not the agency — is the data controller. That means Article 30 records of processing, Article 28 data-processing agreements with every sub-processor, and a lawful transfer mechanism (Standard Contractual Clauses plus a Transfer Risk Assessment) for any data flowing outside the UK and EU. Layered over this is image consent: no identifiable child should appear on the site without recorded, granular, withdrawable parental consent — and most sites carry photos the original consent no longer covers.

None of these obligations explicitly requires an "EU-sovereign website". Each, however, eventually asks the same question: where does the pupil and family data live, who has access, and can the school prove it? On a typical agency-built site the honest answer is "the agency set it up; we do not really know."

How Custodiance answers it

An estate held to your regulator's standard

The work that puts a school's site right is not a one-off remediation. It is the work the estate carries continuously, mapped to the KCSIE and DfE obligations a school is accountable for.

A managed estate, not a finished project

Your web and email infrastructure is run as an estate we hold continuously — audited, monitored, and changed on your behalf — not handed over once and left to decay. Admissions intake, open-day bookings, the parent newsletter, analytics, the safeguarding page, and the KCSIE policy index are kept correct as the guidance and your school evolve, so the annual-review dates do not slip between inspections.

In-jurisdiction by design

Hosting is pinned to a London region; admissions and contact forms post to Cloudflare-routed inboxes on UK and EU edges; open-day bookings move to an EU-resident endpoint with date-tied retention; the parent newsletter moves to a UK and EU-hosted sender; and analytics move to Plausible (EU-resident, cookieless). When a safeguarding governor, a data-aware parent, or an inspector asks where the pupil and family data lives, the answer is engineered, not assumed.

Built to a published methodology

The standard each estate is built to is written down and applied consistently, so the way your school is built is the way the next one is — auditable, repeatable, and defensible rather than improvised per project. The DSL contact pattern, the image-consent register, and the KCSIE policy architecture are part of that posture, set out in the Custodiance framework.

A named accountable engineer

A single senior technical partner is personally accountable for your estate — a name and a direct line, not a ticket queue. For a school too small to justify a full-time chief technology officer, this is the fractional equivalent: someone who understands your KCSIE and DfE obligations, carries the work between requests, and answers for it when a governor or an inspector asks.

Engage

Two ways to run the estate

Growth

£1,495 per month

For an established practice that wants its web and email estate run properly — in-jurisdiction, with a named partner on call.

  • Managed web + email infrastructure
  • Built to your regulator's standard
  • EU/UK-sovereign hosting
  • A named technical partner
  • Continuous monitoring + changes

Embedded

From £6,000 per month · bespoke

For a practice that wants a fractional CTO embedded — owning the roadmap, the compliance posture, and the build.

  • Everything in Growth
  • Fractional-CTO engagement
  • Compliance + DPIA support
  • Bespoke build + integrations
  • Board-level reporting

Custody, not marketing.

Have a senior partner review your estate against the KCSIE and DfE standard

A scoping call is a measured conversation about your obligations, your current setup, and what it would take to run it properly. The eight KCSIE publication requirements and the four residency failures above are reviewed against your live site and marked pass, partial, or fail, with the specific remediation for each. No obligation, and no pressure.