When Brexit reshaped the data protection landscape for UK businesses, organisations handling children’s data found themselves in a particularly urgent position. Cyber Essentials and Cyber Essentials Plus - already recommended for government suppliers - became a baseline expectation for any company processing personal data of UK citizens, especially minors.
For Sumdog, an educational platform serving over 7,500 primary schools across the UK at the time, this meant their US-hosted infrastructure was no longer acceptable. The data had to move to a region where UK and EU data protection rules could be properly enforced, and the entire stack needed to meet Cyber Essentials Plus requirements from network segmentation to access controls.
The compliance trigger - Brexit, UK GDPR, and children’s data
The UK’s departure from the EU created a distinct data protection regime. While UK GDPR mirrors the EU version in most respects, the UK Information Commissioner’s Office (ICO) now operates independently, and the rules around international data transfers tightened.
For EdTech companies processing children’s personal data - names, learning progress, school affiliations - the bar is higher still. The Children’s Code (Age Appropriate Design Code) adds specific obligations around data minimisation and security that go beyond what adult-facing services need to worry about.
Sumdog’s infrastructure was hosted in the US, which meant relying on adequacy decisions and contractual clauses that were becoming increasingly fragile post-Brexit. The pragmatic decision was to eliminate the cross-border transfer entirely by moving everything to an AWS region within the EU, where data residency requirements could be met without legal gymnastics.
Combined with the need to achieve Cyber Essentials Plus certification, this became a full infrastructure modernisation project rather than a simple lift-and-shift.
What Cyber Essentials Plus actually demands from your infrastructure
Cyber Essentials is a UK government-backed scheme with two levels. The basic certification is a self-assessment questionnaire. Cyber Essentials Plus adds a hands-on technical audit where an assessor actively tests your systems for vulnerabilities.
For cloud-hosted applications, this means your infrastructure needs to demonstrate:
- Firewalls and internet gateways configured to restrict inbound traffic
- Secure configuration with no default credentials or unnecessary services running
- User access control with least-privilege principles and MFA everywhere
- Malware protection across all endpoints
- Patch management with critical updates applied within 14 days
For Sumdog, the legacy infrastructure - a mix of EC2 instances managed partly with Ansible, partly with Packer, and partly by hand - couldn’t demonstrate these controls consistently. There was no single source of truth for what was deployed, no automated patching pipeline, and access controls had accumulated organically over years of growth.
The full case study covers the technical details of the migration, but the compliance angle is what drove the architecture decisions.
How we approached the migration - IaC as the compliance backbone
The core insight was that Infrastructure as Code isn’t just an operational convenience - it’s a compliance tool. When every resource is defined in Terraform, you can audit your entire estate by reading code. Security groups, IAM policies, encryption settings, backup schedules - all version-controlled, all reviewable, all reproducible.
We started by importing the existing infrastructure into Terraform state and progressively replacing manual configurations with codified modules. This gave us:
- A complete inventory of every cloud resource in one place
- Version history for every infrastructure change
- The ability to detect drift between what’s defined and what’s running
- Reproducible environments that can be rebuilt from scratch
The migration from EC2-hosted databases to AWS RDS using Database Migration Service gave us encryption at rest and in transit by default, automated patching, and point-in-time recovery. Three Cyber Essentials Plus requirements addressed by a single architectural decision.
The application layer moved into ECS Fargate containers, eliminating the need to manage OS-level patching on compute instances entirely. Fargate runs on AWS-managed infrastructure, so the patching obligation shifts to AWS while you retain control over your application code and container images.
Data residency in practice - not just picking a region
Moving to eu-west-2 (London) solved the data residency question, but the migration itself had to maintain data integrity for an active platform used by thousands of schoolchildren daily.
The migration approach involved several parallel workstreams:
- AWS DMS for continuous replication during the transition period
- Both environments running in parallel for validation
- Final cutover executed during a planned maintenance window with less than 4 hours of downtime
- Comprehensive data integrity checks before and after the switch
The backup and disaster recovery strategy was designed from scratch as part of the migration - automated daily snapshots, cross-region replication for critical data, and tested restore procedures.
For a platform handling children’s data, the ability to demonstrate that you can recover from a breach or data loss incident isn’t optional. It’s a regulatory expectation.
The outcome - compliance as a side effect of good engineering
The project delivered what Sumdog needed: infrastructure that passes Cyber Essentials Plus audits by design rather than by patching gaps after the fact.
What changed in practice:
- Every security control is codified, every change is tracked in git
- The entire environment can be rebuilt from scratch in under an hour
- Platform performance improved significantly thanks to Graviton-based RDS instances
- Hosting costs dropped because right-sized containers on Fargate are cheaper than oversized EC2 instances running 24/7
- The development team ships faster because the CI/CD pipeline handles testing and deployment automatically
If your organisation handles UK user data - particularly children’s data - and you’re still running on infrastructure that predates your compliance obligations, the gap between where you are and where you need to be is probably wider than you think.
We’ve been through this process multiple times now. Book a free consultation and we’ll tell you honestly how much work is involved.
