Quiet confidence, clear responsibilities

Dragonfly governance centre.

Practical information for managers, commissioners, information-governance teams and procurement colleagues assessing how Dragonfly is delivered and operated.

Six concise documents

Start with the question your review needs to answer.

These summaries are intentionally readable. Contractual schedules, organisation-specific responses and supporting evidence remain available through the procurement route.

01
Security overview

Protecting access and learning records.

A public summary of current controls—not a map of sensitive internal configuration.

Current controls

  • Encrypted HTTPS connections across the website and portal.
  • Supabase authentication for named user accounts.
  • Role-based access for learners, seniors, managers and administrators.
  • Organisation checks on manager-level server actions.
  • Server-side protection for privileged administration, registration and content-import routes.
  • Cloudflare environment secrets for sensitive service credentials.
  • Signed GoCardless webhook verification before paid licences are applied.

Operating responsibilities

  • Customers control who receives staff registration codes.
  • Users must keep credentials private and use their own named account.
  • Managers should remove access when staff leave or no longer require the service.
  • Suspected incidents should be reported promptly to Dragonfly.
  • Security controls are reviewed as the service and threat environment evolve.
Responsible disclosure: report a suspected vulnerability privately to [email protected]. Do not include service-user information or credentials.
02
Subprocessor register

Providers used to deliver Dragonfly.

This register covers the principal live service providers visible in the current platform architecture.

ProviderPurposeTypical informationSafeguard / role
SupabaseAuthentication, database and learning recordsAccount, organisation, assignment, progress and certificate dataCloud service provider operating under contractual data terms
CloudflareWebsite hosting, server functions, delivery and securityTechnical requests, IP/security logs and data processed by server functionsHosting and network provider operating under contractual data terms
GoCardlessSecure payment and payment confirmationBuyer and transaction information required to process an orderIndependent payment provider; Dragonfly does not store bank credentials
FormspreePublic contact-form deliveryInformation voluntarily entered into the contact formForm-delivery provider; users are told not to submit sensitive service-user data
Change control: this register is reviewed when a material provider changes. Organisation-specific contractual information is available through procurement.
03
Accessibility roadmap

Accessible by design, improved through evidence.

Our direction of travel, expressed honestly rather than as unsupported certification.

Current

Established foundations

Responsive layouts, keyboard focus visibility, semantic headings, labelled controls, language metadata, readable contrast and English/Welsh routes.

In progress

Portal refinement

Continuing review of complex dashboard controls, status communication, generated evidence, focus behaviour and screen-reader clarity.

Planned

Stronger assurance

Structured assistive-technology testing, caption and transcript review, accessible document checks and documented remediation cycles.

Adjustments: contact us if you need content or evidence in an alternative format. Known limitations and the feedback route are maintained in the accessibility statement.
04
Implementation guide

From purchase to an organised rollout.

A manager-led route that minimises spreadsheet administration.

  1. Confirm scope

    Agree learner numbers, manager ownership, teams, audiences and priority pathways.

  2. Set up the organisation

    Allocate licences and confirm the manager account and organisation structure.

  3. Create controlled routes

    Generate separate registration codes for each role, team and learning pathway.

  4. Brief staff

    Explain how to register, what is mandatory, what is developmental and where support is available.

  5. Monitor activation

    Check licence use, team placement and whether new starters can access their assigned learning.

  6. Use insight well

    Treat statutory gaps as compliance priorities and developmental gaps as prompts for supportive supervision.

  7. Evidence and renew

    Download branded records and monitor annual renewal from successful completion.

05
Service description

What Dragonfly provides.

A clear service boundary for individuals and organisations.

Included

  • Named learner accounts and annual platform access.
  • Foundation, Applied Practice and Toolbox learning where available.
  • English and Welsh portal use against one learning record.
  • CPD tracking, assessment results and certificates.
  • Organisation manager dashboard, assignment and registration tools.
  • Compliance, renewal, supervision and branded evidence views.
  • Platform support through the help centre and contact route.

Important boundaries

  • CPD supports but does not replace organisational policy, supervision or statutory guidance.
  • Named annual licences cannot be shared between users.
  • Customers remain responsible for lawful staff enrolment and internal action.
  • Service availability can depend on third-party cloud providers and planned maintenance.
  • Content and features may improve during the licence period without reducing the core purchased service.
06
Data-processing summary

What information is used, and why.

A concise complement to the privacy notice and contractual data terms.

InformationPurposeTypical access
Identity and contactCreate, authenticate and support named accountsThe user; authorised organisation roles; Dragonfly administrators where required
Organisation, team and rolePlace learners in the correct management and access scopeAuthorised managers and administrators
Assignments, progress and scoresDeliver learning, calculate completion and provide feedbackThe learner and authorised organisation roles
CPD, certificates and renewal datesCreate professional records and compliance evidenceThe learner and authorised organisation roles
Technical and security informationOperate, protect and troubleshoot the serviceRelevant service providers and authorised technical administrators
Payment and order informationProcess purchases and allocate confirmed licencesPayment provider and authorised commercial administrators

Roles

Dragonfly is normally controller for website enquiries and individual accounts. For organisation-managed staff learning records, the organisation is normally controller and Dragonfly acts as processor under its instructions.

Retention and rights

Records are retained to operate accounts, provide certificates and support reasonable audit evidence. Access, correction, deletion and restriction requests are handled in line with applicable UK data-protection duties and contractual responsibilities.

For fuller information, read the privacy notice and data-protection summary.
Cymraeg