Trust controls

Safety and privacy

Aristotle is designed for learning, not crisis support, medical advice, secret data storage or unsupervised safeguarding decisions.

Safety/privacy sign-off campaign

Reviewer campaign control

Coordinate the two external production review tracks, their packets, return templates and validation records without exposing learner data.

Open reviewer dispatch
2 tracks needing work
0/1 safeguarding records
0/1 privacy records

Safeguarding reviewer handoff

Focus on learner safety, escalation ownership, high-risk input handling, moderation timing and younger-learner acknowledgement.

dispatch open 2/6 items ready 0 accepted

Legal/privacy reviewer handoff

Focus on learner data rights, child-specific notices, access controls, retention policy, export/delete controls and minimisation.

dispatch open 3/6 items ready 0 accepted

Campaign steps

  • Refresh the evidence pack and confirm internal controls, rehearsal and SLA checks are ready.
  • Export category-specific work orders for safeguarding and legal/privacy reviewers.
  • Ask each reviewer to use the matching return template and confirm scope, packet review and acceptance readiness.
  • Import returned review JSON through the validation registry only after the reviewer decision is complete.
  • Rerun the Definition of Done audit and do not close the gate until both accepted records count.

Safety/privacy launch pack

External production sign-off gate

Use this handoff before Aristotle claims production safety, safeguarding or learner-data readiness.

Ready internal controls
Open rehearsal
Open moderation SLA
0 accepted safeguarding records
0 accepted privacy records
Open production claim
5/5 controls 0 rehearsal checks 7 sign-off items open 0 open safety reviews 0 SLA breaches

This launch pack does not create external sign-off. Production safety readiness remains open until both safeguarding and legal/privacy validation records are accepted with external or real-world attestation.

Required sign-off loop

  • Guardian acknowledgement: Younger learners have guardian acknowledgement before profile, progress or safety workflow records count.
  • High-risk input handling: Self-harm, safeguarding, medical and personal-data inputs pause teaching, avoid specialist advice and create reviewable safety events.
  • Answer minimization: Safety-triggering answers are redacted from learner evidence and never increase mastery.
  • Moderation SLA: Open caution and urgent events are reviewed within the configured response window.
  • Data rights: Learner export, delete and adult-access routes are visible, auditable and tested.
  • Policy ownership: Named safeguarding and privacy owners hold traceable policy, escalation and retention references.
  • External or real-world attestation: Accepted reviewer evidence confirms safeguarding and legal/privacy review is external or real-world and not synthetic-only.

Next actions

  • Run the safety/privacy rehearsal and resolve any failed consent, redaction, export/delete or access-control check.
  • Configure the moderation SLA and resolve breached open caution or urgent safety events.
  • Resolve: Named safeguarding owner is configured (No safeguarding owner configured).
  • Resolve: Traceable safeguarding policy reference exists (missing).
  • Resolve: Moderation response SLA is configured (0 hour(s)).
  • Resolve: Named privacy/data-rights owner is configured (No privacy owner configured).
  • Resolve: Traceable privacy policy reference exists (missing).
  • Resolve: Traceable data retention policy reference exists (missing).

Acceptance rules

  • Internal safety/privacy controls: Consent, minimization, safety logging, export/delete and adult-access checks pass.
  • Safety/privacy rehearsal: The latest rehearsal event is resolved with zero failures.
  • Moderation SLA evidence: The SLA is configured and there are no breached open caution or urgent safety events.
  • External safeguarding sign-off: An accepted safeguarding validation record counts toward the gate with no handoff gaps.
  • External legal/privacy sign-off: An accepted legal/privacy validation record counts toward the gate with no handoff gaps.

Safety/privacy reviewer work order

External sign-off assignment

Use this packet when asking safeguarding and legal/privacy reviewers to inspect the evidence, return a decision and create accepted validation evidence without exposing learner data.

2 review tracks
7 handoff items open
0 accepted records
Open production claim

Return protocol

  • Inspect internal controls: Check consent, guardian acknowledgement, high-risk input handling, answer minimization, export/delete controls and adult-access auditability.
  • Inspect rehearsal evidence: Confirm the latest safety/privacy rehearsal passed, review any failed checks, and require reruns after safety, consent or learner-data changes.
  • Inspect moderation timing: Confirm the moderation SLA is configured and that open caution or urgent safety events are not beyond the response window.
  • Inspect the category handoff: Review only the checklist items assigned to the selected safeguarding or legal/privacy track, and record any open policy or ownership gaps.
  • Return a reviewer decision: Return accept, changes_requested or reject with reviewer identity, role, attestation reference, review notes and required changes.
  • Accept validation evidence only after review: A validation record counts toward the production gate only when the external reviewer accepts it with real-world attestation and no acceptance gaps.

Trust boundary

This work order helps an external reviewer return a decision. It does not itself create safeguarding, legal/privacy or production safety sign-off, and it must not be used as evidence of real-world review until the validation registry contains accepted category-specific records with external attestation.

The work order includes aggregate safety/privacy readiness, checklist labels, commands, route references and validation draft summaries only. It excludes learner names, raw answers, guardian details, emails, session keys and access codes.

Reviewer return checklist

Accepted safety/privacy returns must include external or real-world attestation, not synthetic-only confirmation, EYFS through A-Level age-scope review, packet review, scope match, readiness confirmation and the category-specific controls below.

External safeguarding reviewer

safeguarding_review EYFS through A-Level All MVP subjects
  • reviewer_confirmed_external_or_real_world
  • reviewer_confirmed_not_synthetic_only
  • reviewer_confirmed_age_scope_reviewed
  • reviewer_confirmed_work_order_and_pack_reviewed
  • reviewer_confirmed_scope_matches_gate
  • reviewer_confirmed_ready_for_acceptance
  • safeguarding_controls_reviewed - Safeguarding reviewer confirms guardian acknowledgement, escalation, moderation, safety-log and unsupported-input controls were reviewed.
  • safeguarding_owner_and_policy_ready - Safeguarding reviewer confirms owner, policy, SLA and escalation responsibilities are ready for the release claim.
  • Work order: /safety-and-privacy/review-work-order.json?category=safeguarding_review
  • Evidence: /safety-and-privacy/signoff-campaign.json /safety-and-privacy/launch-pack.json /safety-and-privacy/evidence.json /safety-and-privacy/review-work-order.json?category=safeguarding_review /safety-and-privacy/
  • Review brief: /validation/review-request/safeguarding_review/
  • Return template: /validation/review-return-template.json?request=safeguarding_review
  • Registry: /validation/?request=safeguarding_review#record-evidence

Legal/privacy reviewer

legal_privacy_review EYFS through A-Level All MVP subjects
  • reviewer_confirmed_external_or_real_world
  • reviewer_confirmed_not_synthetic_only
  • reviewer_confirmed_age_scope_reviewed
  • reviewer_confirmed_work_order_and_pack_reviewed
  • reviewer_confirmed_scope_matches_gate
  • reviewer_confirmed_ready_for_acceptance
  • privacy_controls_reviewed - Legal/privacy reviewer confirms learner data, export/delete, adult access, retention and minimization controls were reviewed.
  • legal_privacy_release_ready - Legal/privacy reviewer confirms privacy and child-safety legal risk is acceptable for the submitted release claim.
  • Work order: /safety-and-privacy/review-work-order.json?category=legal_privacy_review
  • Evidence: /safety-and-privacy/signoff-campaign.json /safety-and-privacy/launch-pack.json /safety-and-privacy/evidence.json /safety-and-privacy/review-work-order.json?category=legal_privacy_review /safety-and-privacy/
  • Review brief: /validation/review-request/legal_privacy_review/
  • Return template: /validation/review-return-template.json?request=legal_privacy_review
  • Registry: /validation/?request=legal_privacy_review#record-evidence

Safeguarding reviewer handoff

Focus on learner safety, escalation ownership, high-risk input handling, moderation timing and younger-learner acknowledgement.

open 2/6 items ready 4 open draft blocked
  • Resolve: Named safeguarding owner is configured (No safeguarding owner configured).
  • Resolve: Traceable safeguarding policy reference exists (missing).
  • Resolve: Moderation response SLA is configured (0 hour(s)).
  • Resolve: Open safety reviews are within the moderation SLA (0 breached of 0 open event(s)).

Legal/privacy reviewer handoff

Focus on learner data rights, child-specific notices, access controls, retention policy, export/delete controls and minimisation.

open 3/6 items ready 3 open draft blocked
  • Resolve: Named privacy/data-rights owner is configured (No privacy owner configured).
  • Resolve: Traceable privacy policy reference exists (missing).
  • Resolve: Traceable data retention policy reference exists (missing).

Reviewer handoffs

External reviewer worklists

Safeguarding and legal/privacy reviewers share some controls, but each sign-off has its own owner, evidence focus and open-item count.

Safeguarding reviewer handoff

Focus on learner safety, escalation ownership, high-risk input handling, moderation timing and younger-learner acknowledgement.

open 2/6 items ready 4 open

Next actions

  • Resolve: Named safeguarding owner is configured (No safeguarding owner configured).
  • Resolve: Traceable safeguarding policy reference exists (missing).
  • Resolve: Moderation response SLA is configured (0 hour(s)).
  • Resolve: Open safety reviews are within the moderation SLA (0 breached of 0 open event(s)).
Named safeguarding owner is configured Traceable safeguarding policy reference exists Moderation response SLA is configured Open safety reviews are within the moderation SLA Safety-triggering answers are minimized and excluded from mastery Younger learner guardian acknowledgement is enforced

Legal/privacy reviewer handoff

Focus on learner data rights, child-specific notices, access controls, retention policy, export/delete controls and minimisation.

open 3/6 items ready 3 open

Next actions

  • Resolve: Named privacy/data-rights owner is configured (No privacy owner configured).
  • Resolve: Traceable privacy policy reference exists (missing).
  • Resolve: Traceable data retention policy reference exists (missing).
Named privacy/data-rights owner is configured Traceable privacy policy reference exists Traceable data retention policy reference exists Export and delete controls are implemented and auditable Safety-triggering answers are minimized and excluded from mastery Younger learner guardian acknowledgement is enforced

External sign-off checklist

Safeguarding and privacy review pack

These items make reviewer ownership explicit before Aristotle can claim production safety or privacy readiness.

Open sign-off checklist
7 open checklist items
0 moderation SLA hours

Named safeguarding owner is configured

External reviewer confirms who owns triage, escalation and learner-safety decisions.

open No safeguarding owner configured

Traceable safeguarding policy reference exists

External reviewer checks policy version, escalation route, training expectations and emergency boundaries.

open missing

Moderation response SLA is configured

External reviewer checks whether urgent/caution events have an operational review window.

open 0 hour(s)

Open safety reviews are within the moderation SLA

External reviewer checks that urgent/caution items are not left open beyond the agreed response window.

open 0 breached of 0 open event(s)

Named privacy/data-rights owner is configured

Legal/privacy reviewer confirms who owns DSAR, deletion, retention and access-control decisions.

open No privacy owner configured

Traceable privacy policy reference exists

Legal/privacy reviewer checks lawful basis, learner data categories, sharing and child-specific notices.

open missing

Traceable data retention policy reference exists

Legal/privacy reviewer checks retention windows for profiles, evidence, safety events and audit records.

open missing

Export and delete controls are implemented and auditable

Legal/privacy reviewer verifies the implementation against data-rights policy.

ready Export/delete routes create safety audit events and are included in rehearsal.

Safety-triggering answers are minimized and excluded from mastery

Safeguarding reviewer verifies redaction, no-mastery handling and learner-facing support copy.

ready 0/0 safety evidence record(s) redacted

Younger learner guardian acknowledgement is enforced

Safeguarding/legal reviewers verify consent language and adult responsibilities.

ready 1/1 younger learner profile(s) have active acknowledgement

Moderation SLA

Open safety review timing

Run python manage.py run_safety_sla_check --json --fail-on-error before safeguarding review to prove urgent and caution events are not left beyond the configured response window.

Open SLA status
0 SLA hours
0 open review events
0 breached events
No open caution or urgent safety review events are waiting.

Review rehearsal

Safety and privacy control checks

Run python manage.py run_safety_privacy_rehearsal --json --fail-on-error after changing consent, safety handling, export/delete, adult access or learner records.

Open rehearsal status
0 checks recorded
- failures
No safety/privacy rehearsal has been recorded yet.

Validation drafts

External review evidence records

Create non-counting drafts in the validation registry from the current safety/privacy evidence pack. External reviewers still need to accept the records before they count toward production readiness.

Safeguarding review

open 5/5 controls 0 rehearsal checks

This draft does not count toward production readiness until accepted in the validation registry. 0 control check(s), 1 rehearsal gate(s), and 4 External safeguarding reviewer checklist item(s) are still open before this pack is ready for acceptance. Moderation SLA breached events=0.

Sign in to draft safeguarding evidence.

Legal and privacy review

open 5/5 controls 0 rehearsal checks

This draft does not count toward production readiness until accepted in the validation registry. 0 control check(s), 1 rehearsal gate(s), and 3 Legal/privacy reviewer checklist item(s) are still open before this pack is ready for acceptance. Moderation SLA breached events=0.

Sign in to draft legal/privacy evidence.

Safety boundaries

When a learner writes something that looks like self-harm, abuse, urgent safeguarding risk, medical advice seeking or sensitive personal data, Aristotle pauses ordinary assessment.

Those answers are recorded as safety evidence and do not increase mastery.

No mastery credit for high-risk answers Trusted adult or professional support needed

What is stored

Aristotle stores learner profile details, selected curriculum pathway, concept progress, ordinary answers, scores, rubric signals, confidence, scaffolding, safety flags and review timing. Safety-triggering answers are minimized to a redacted marker with flags rather than kept as ordinary answer text.

Student answers may include sensitive content, so export and delete controls are visible from the account page.

Export records Delete learner data

Adult access

Parents, teachers and school admins can use a learner access code to view educator progress, misconceptions, evidence and review timing.

Access codes should only be shared with adults who are allowed to support that learner.

Share-code access Parent, teacher or admin roles

Review workflow

High-risk inputs create open safety audit events. A parent, teacher or admin can review the safety log, add a resolution note and close the item once trusted adult action has happened.

Open until reviewed Resolution notes retained

Younger learners

EYFS, Key Stage 1, Key Stage 2 and younger age bands require parent or guardian acknowledgement before Aristotle stores a profile, progress map or safety workflow record.

Guardian acknowledgement Export and delete controls

Still required before production

This implementation is not a complete safeguarding programme. Production Aristotle still needs external policy review, moderation tooling, content accuracy review and operational ownership.

Production safety review required