XamPro GDPR / Privacy Policy

Your privacy is important to us. Below are our frequently asked questions regarding GDPR compliance.

General

Are you GDPR compliant?

Yes, XamPro takes the privacy and security of your personal data very seriously. We treat any personal data that we receive from you in accordance with the GDPR.

Do we need a new contract that reflects GDPR requirements?

Our Terms of Use and Privacy Notice, which all users of XamPro products are obliged to agree to, address the requirements of the GDPR.

Are you registered with the Information Commissioner’s Office?

Yes, XamPro is ICO registered (registration number: Z8113100).

Systems security

How secure are your systems?

Based on our most recent penetration and vulnerability tests, there are no significant vulnerabilities associated with our systems.

Are regular audits of privacy and information security practices carried out?

Yes. All of our data protection practices are regularly reviewed in conjunction with our IT security advisors.

Are your software and operating systems patched regularly in accordance with the vendors' recommendations?

Yes.

Are all of your company devices protected from malware by industry-grade anti-virus software?

Yes.

Is your organisation's internal network secured appropriately from the Internet?

Yes, appropriate security measures such as firewalls are in place to protect our internal network. All such devices are appropriately configured, default settings are changed, and unused ports are closed.

Have you experienced any cybersecurity incidents?

Yes, like most companies, we have experienced minor cybersecurity incidents. Any such incident is logged and addressed via a formal process. To date, no user information has been compromised by any incident.

Do you have a password policy?

Yes, all passwords must meet strength criteria including:

  • Minimum length of 8 characters
  • Must include a lowercase letter
  • Must include an uppercase letter
  • Must include a number

In addition, there are other restrictions and controls to lock out accounts subject to repeated failed login attempts.

Do you have multi-factor authentication in place?

Yes, administrator-level permissions for all of our systems use two-factor authentication as a minimum.

Do you have access controls in place that restrict access to information and uniquely identify users? Are access attempts monitored and reviewed regularly?

Yes, access to user data is automatically logged along with the reason for access. These logs are regularly reviewed.

Do you have restrictions in place to stop rogue software from being installed on your company devices?

Yes, installation of software on company equipment is restricted to admin users.

Do you hold any IT or Security accreditations?

Yes, we are Cyber Essentials accredited.

Personal data

What technical and organisational security measures do you have in place to protect personal data?

Our systems are hosted by industry-leading, fully accredited hosting providers in data centres in the UK. Our systems are built using industry-standard approaches and tested for vulnerabilities rigorously by our own team on an ongoing basis as well as on an annual basis by third-party security experts.

What country will data be stored in?

All user data is stored in the UK.

What policies and procedures do you have in place to protect personal data?

Our data protection and acceptable use policies and associated staff training ensure that all staff are aware of their and the company’s obligations to protect any personal data that we hold.

How do you ensure secure storage, erasure, and destruction of personal data?

All customer data is stored either in the data centres of industry-leading service providers (e.g. Mailchimp) or in our own systems in UK-hosted data centres. These third-party providers offer secure erasure/destruction services as part of their SLAs.

How do you store customer data (e.g. on-prem servers, cloud services, or hybrid)?

We use cloud-hosted services such as Microsoft Azure and Amazon Web Services to store user data, though data may also be stored (for instance, as backups) in our UK-based data centre.

Is user data encrypted in your systems?

Yes. All user data is encrypted in transit with industry-standard practices. Furthermore, all student data is similarly encrypted at rest.

Does our data leave your system for any reason?

Teacher names and email addresses are shared with our marketing service providers as detailed in our privacy notice, with appropriate opt-out management in place. Student data is not shared with any third parties outside the AQA group. All suppliers are reviewed for data protection compliance with regard to GDPR and any other relevant regulation prior to entering into contracts with them.

Do you have data protection policies and procedures for dealing with any data breaches?

Yes, we have both.

Are data management procedures reviewed regularly?

Yes, annually.

What data does your organisation hold in relation to our school?

We will hold different data depending on the services that you subscribe to and the choices that you have made about how you use them. Typically we hold the following personal data:

  • Non-subscribers: We may hold contact details (name, job title, email, telephone) for school staff based on publicly available information, previous orders, or as part of signing up for a demo or competition. We may also hold details of marketing preferences.
  • All subscribers: We may hold contact details (name, job title, email, telephone) for school staff as well as marketing preferences.

In addition to school staff contact details, we may hold data regarding pupils. The following is mandatory for students whose data is uploaded to XamPro for the use of XamPro Onscreen or MERiT products:

  • First name, surname, date of birth, UPN, admission number, gender, year group, registration group, teacher name, class name/code, supervisor name

The following data is optional; if uploaded, it is used to provide enhanced reports:

  • Ethnicity, eligibility for free school meals, FSM6, home language, looked after, ever looked after, more able, preferred name, pupil premium indicator, SEN status, service children, traveller status

How long will XamPro retain data?

Please see our Privacy Notice for details of our data retention policy.