Security & compliance
Built so there's nothing to leak.
A consolidated security write-up for IT and procurement teams. What we collect, what we don't, where it lives, who can see it, and the boundaries we won't cross.
The principle
The cleanest way to keep student data safe is to never hold it. mydocs.school streams files from Microsoft to the student's browser without writing them to disk anywhere on the path.
What we commit to
- UK GDPR: DPA on request
- Hosted in London: DigitalOcean, no CDN
- No file content stored: streams in memory
- No AI training: ever, no exceptions
- Microsoft OAuth 2.0: respects MFA & CA
- Read-only scopes: cannot write to your tenant
OAuth scopes we request (read-only)
Scopes are delegated, not application-level. The student approves them on Microsoft's own sign-in page; the IT admin grants tenant-wide consent so the consent screen doesn't appear for individual students.
- User.Read — display name, school email, Entra object id (so the dashboard can greet the student and identify their seat).
- Files.Read.All — read the student's own OneDrive. The token cannot write, delete, or share. Permission boundaries are enforced by Microsoft itself: only files the user has rights to are returned.
- Notes.Read.All — read the student's personal and class OneNote notebooks. We additionally restrict class-notebook content to the student's own section group in code as a defence-in-depth layer.
- EduRoster.ReadBasic — list the classes a student is enrolled in, so we can offer the right class notebooks.
- offline_access — keep the access token alive long enough for a multi-gigabyte download to finish without re-prompting.
We do not request mail, calendar, Teams, OneDrive write, SharePoint write, or any application-level permission that would let the service act outside a signed-in user's context.
Data flow
- Student opens mydocs.school and clicks Download my Docs. They're redirected to Microsoft's sign-in page (login.microsoftonline.com).
- Student signs in on Microsoft's page using the school account. Multi-factor authentication and any Conditional Access policies your tenant enforces apply here, exactly as they would for Outlook or Teams. We never see the password.
- Microsoft redirects back to our service with an authorisation code, which we exchange for an access & refresh token. The session is held in an encrypted, HTTP-only, secure cookie scoped to mydocs.school.
- The dashboard calls Microsoft Graph on the student's behalf to list their OneDrive root, personal notebooks, and class notebooks. Nothing is stored.
- When the student clicks Download, files stream from Microsoft Graph through our service into a zip that goes straight to the browser. The zip is built in memory; we never write file content to disk.
What we store, what we don't
Stored
- A seat row per student (encrypted school email, HMAC of the email for lookup, Entra object id, first-download timestamp, 60-day expiry).
- An audit log row per download (timestamp, student id reference, source — OneDrive vs notebook id, bytes delivered). Aggregated and deleted after 12 months.
- School admin records: organisation name, school admin display names & emails (encrypted at rest), Stripe customer id, subscription state.
- Encrypted session cookies for active sign-ins.
Not stored
- File contents (page text, image data, raw .one bytes).
- Filenames beyond the immediate scope of building the zip.
- Microsoft Graph response bodies beyond the active request.
- Browser metadata, IP geolocation, fingerprinting signals.
- Anything to do with email, calendar, Teams, or SharePoint sites the student hasn't opted into.
Class notebook privacy boundary
Class notebooks are the most sensitive surface we touch. We enforce student-level scoping at two layers:
- SharePoint ACLs — Microsoft only ever returns the section group named after the signed-in student. Teacher pages, peer sections, the Content Library and the Collaboration Space are all denied at the source.
- Application-level check — before adding any .one file to the zip, our code re-confirms that the section group name matches the student's expected scope. A mismatch causes the file to be excluded and an audit log entry to be written. This has never fired in production; it is there so that a mismatch can never leak through.
Hosting & infrastructure
- App Platform: DigitalOcean, London region (LON1). TLS termination at the platform edge; TLS 1.2+ enforced.
- Database: managed Postgres on DigitalOcean, London region. Encrypted at rest with platform-managed keys. Sensitive columns (school email, student email) additionally encrypted at the application layer with Fernet keys held in DigitalOcean secrets — keys are never written to the database.
- Session store: managed Redis, London region. Sessions encrypted at rest; cookies use rotating signing keys.
- Sub-processors: DigitalOcean (hosting), Stripe (payment processing), Cloudflare (TLS / DDoS at the registrar level only — no content caching or analytics), Microsoft (the tenant being exported from). No analytics provider, no advertising provider, no AI provider.
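The seat-row pattern from the "Stored" list and the application-layer encryption above, as an added example (not the service's own code): the email is stored as a Fernet token, which is randomised per encryption and so cannot be searched, alongside an HMAC-SHA256 of the normalised email that serves as a deterministic lookup key. The two keys are generated inline for the example; a deployment would load them from platform secrets, and the email normalisation rule is an assumption.

```python
import hashlib
import hmac
from dataclasses import dataclass
from cryptography.fernet import Fernet

# Two independent keys, never written to the database. Constructed here for the example;
# a real deployment reads them from the environment / platform secrets.
ENCRYPTION_KEY = Fernet.generate_key()
LOOKUP_KEY = hashlib.sha256(b"example-lookup-key-material").digest()


@dataclass
class SeatRow:
    email_ciphertext: bytes  # Fernet token: differs on every encryption, so unusable for lookup
    email_hmac: str          # deterministic HMAC-SHA256, the only column used for lookup
    entra_object_id: str


def normalise_email(email: str) -> str:
    """Assumed rule: trim whitespace and case-fold so one address maps to one seat."""
    return email.strip().casefold()


def lookup_key(email: str) -> str:
    """Blind index: usable in a WHERE clause, not reversible without LOOKUP_KEY."""
    return hmac.new(LOOKUP_KEY, normalise_email(email).encode(), hashlib.sha256).hexdigest()


def make_seat_row(email: str, entra_object_id: str) -> SeatRow:
    token = Fernet(ENCRYPTION_KEY).encrypt(normalise_email(email).encode())
    return SeatRow(token, lookup_key(email), entra_object_id)


def decrypt_email(row: SeatRow) -> str:
    return Fernet(ENCRYPTION_KEY).decrypt(row.email_ciphertext).decode()


def find_seat(rows, email):
    """Locate a seat by comparing HMACs only; no row is decrypted during the search."""
    key = lookup_key(email)
    return next((r for r in rows if hmac.compare_digest(r.email_hmac, key)), None)
```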
Compliance position
- UK GDPR: the school is the data controller, Muon Works Ltd is the processor. Data subject access requests come to us via the school as controller; we respond in under 30 days.
- DPA: Data Processing Agreement available on request. Covers sub-processors, breach notification (within 72 hours), and the data transfer position (data does not leave the UK during processing).
- ICO registration: Muon Works Ltd is registered with the UK Information Commissioner's Office as a data controller.
- Cyber Essentials / SOC 2 / ISO 27001: not held at present. We're transparent about that. If a formal certification is a hard requirement for your procurement, contact us early so we can confirm fit.
- Children's data: the service handles data belonging to students under 18 in many tenants. We treat all student data with the same posture — minimum collection, no content storage, no AI training, no advertising.
How to revoke us
An IT admin can remove tenant-wide consent at any time: Entra admin centre → Enterprise applications → mydocs.school → Properties → Delete. The next Graph call our service makes for any user in your tenant fails immediately. The next sign-in attempt will see the consent screen instead of completing silently.
Reporting a vulnerability
Email [email protected] with as much detail as you can share. We acknowledge inside one business day and aim to triage inside three.
Common security questions
- Do you store the file content itself?
- No. Files stream from Microsoft Graph to the student's browser through our service. The zip is built in memory and discarded once the download completes or is cancelled.
- Where does the service run?
- DigitalOcean App Platform in the London region. The Postgres database (which only holds school admin and billing metadata — no file content) is also in London. Encrypted nightly backups are kept for seven days.
- Will you use student data to train AI?
- No. Not ours, not anyone else's, not under any circumstance. We don't run analytics that inspect student activity, we don't sell or share data with advertisers, and we don't make data available to third-party AI providers.
- Do you hold SOC 2 or ISO 27001 certification?
- Not at present. We're a small UK company and we'd rather tell you that straight than dance around it. If your procurement workflow requires those certifications, we may not be the right fit yet. We follow the underlying principles (least-privilege scopes, no content retention, encrypted PII, modern auth) but the formal audit programmes are not in place.
- Will you sign a Data Processing Agreement?
- Yes. Email [email protected] and we'll send our DPA. It covers UK GDPR processor obligations, sub-processors, breach notification, and the data transfer position. Schools are welcome to mark it up and send back.
- What happens if a student's account is compromised?
- Our service has no special powers — anyone who can sign in to a student's Microsoft 365 account could trigger a download. If the tenant revokes a session in Entra (Users → the user → Revoke sessions), the next call we make to Microsoft on that user's behalf fails immediately and the session is over.