Data Protection and GDPR

EdTechPro understands how important Data Security is, especially when it relates to young people.

We have worked closely with Cybersecurity and Legal Partners to make sure that we comply with the GDPR and have appropriate security measures in place to protect customer data.

For transparency, we have listed our most important security measures below. If your school needs more information, please do get in contact with us.

We also understand schools' need to complete a Data Privacy Impact Assessment (DPIA) to be compliant with GDPR. To assist with this process we can, on request, produce a DPIA model template for schools to help them complete their Risk Assessments.

 

Cyber Essentials

EdTechPro has received Cyber Essentials accreditation after completing a self-assessment, confirming that we have reviewed and are adhering to the UK government's standards for protecting data against common cybersecurity threats. Additionally, we have the appropriate policies in place for our staff.

 

ICO Registered

Under the Data Protection (Charges and Information) Regulations 2018, organisations that process personal data need to pay a data protection fee to the Information Commissioner's Office (ICO).

We comply with this regulation and have registered with the ICO. Our ICO registration number is: ZB715800

 

Security Measures

  • A development cycle with an independent review of code by a cyber-security firm for security advice and approval.

  • Limited error output to avoid data leaks through verbose messages.

  • Sanitising all inputs/outputs, even from MIS integration partners, to mitigate injection attacks.

  • Authentication is conducted away from the website. We utilise Identity and Access Management partners to handle and store login information.

  • We only use UK/EU data centres and servers which are held in secure facilities with 24/7/365 security. 

  • We act on instruction from clients on Data Retention periods. 

  • We back up client databases at regular intervals.

  • Each client's MIS data is stored in their own database, separated from other clients to avoid the possibility of accidental crossover.

  • Database content is encrypted at rest.

  • Server/client communication is conducted over TLS 1.3.

  • We use Let's Encrypt to ensure encryption certificates are kept up-to-date.

  • All clients have different encryption sets, in addition to separate database and server instances, meaning your data is not held on the same server instances as other clients' data.

  • Software firewall to block all ports except Web Traffic.

  • Subscription to DDoS Protection of up to 1.3 Tb/s to protect clients and maximise uptime.

  • Encryption on Virtual Machine instances.

  • The principle of least privilege is applied so that only relevant Staff can access the back-end code and databases.

  • Scrutiny by cyber-security firms through annual penetration testing.

  • All Staff have Enhanced DBS Certificates and are subscribed to the DBS Update Service.

  • All Staff have GDPR training.

  • All Staff use Multi-Factor Authentication or trusted locations for logins.

  • An enhanced password security policy.

  • Network Staff hold, at a minimum, cloud management certifications such as Microsoft or Cisco, and a minimum of Level 3 qualifications in Information Technology.

Data Retention

EdTechPro has a duty as a data processor to hold data for only as long as necessary. We therefore delete school data, such as pupil information, when instructed by the school. Some information is removed automatically on behalf of the school, such as when a pupil becomes a leaver or when our contract with the school comes to an end (unless a data backup is requested).

As a data controller, we have to hold information about our clients for statutory periods, for example for accounting purposes. Please see our Privacy Notice for further information.

Our Sub-Processors

We use Sub-Processors to be able to provide our services. A list of sub-processors is included in our agreement, and any new sub-processors we use will be added to this list.

Note: these are the sub-processors we use in our role as "Data Processor". Our clients (the school) are the "Data Controllers" and we act on their instructions at all times.

If you would like to know the processors we use as a "Data Controller" (when you interact with us directly, or use our website), please see our Privacy Notice.

OVHCloud

OVH provides data centre solutions to EdTechPro. We use OVH as a sub-processor to host client services. OVH provides secure data centres and holds ISO 27001 accreditation.

DigitalOcean

DigitalOcean provides data centre solutions to EdTechPro. We use DigitalOcean as a sub-processor to host client server instances and our internal CRM solution. DigitalOcean provides secure data centres and holds ISO 27001 accreditation.

Wonde

Wonde is our main MIS integration partner. EdTechPro utilises Wonde to pull data from our clients' MIS systems into our services on behalf of the school.

Arbor

EdTechPro is an Arbor Developer Partner. We integrate with Arbor to collect MIS data from schools that are subscribed to Arbor as their MIS solution.

Google

We use Google's services in our products. Translate is used in our Reading Log product to provide automated translation features, and we utilise Firebase for client authentication for Portal products.

Microsoft

We use Microsoft 365 as our email service provider and digital meetings platform, and to administer and hold client information.

Twilio

We use Twilio as a mailer to deliver SMS and Email messages sent on behalf of our customers to end-users.

CPOMS

We forward alerts made automatically and manually through our system to CPOMS where enabled by our customers.