General
Are you GDPR compliant?
Yes. XamPro takes the privacy and security of personal data very seriously. We treat all personal data received in accordance with UK GDPR and the Data Protection Act 2018.
Do we need a new contract reflecting GDPR requirements?
Our Terms of Use and Privacy Notice, which all users of XamPro products must agree to, address all requirements of GDPR. In addition, all subscribing schools are required to sign an Information Sharing Agreement (ISA).
Are you registered with the Information Commissioner's Office?
Yes. EduSoft LTD is ICO registered: ZB799468.
Systems Security
How secure are your systems?
Based on our most recent penetration and vulnerability tests, there are no significant vulnerabilities in our systems. We work with IT security advisors to review practices regularly.
Are regular security audits carried out?
Yes. Working with IT security advisors, all data protection practices are regularly reviewed and tested both internally and annually by independent third-party security experts.
Are your software and operating systems patched regularly?
Yes. All software and systems are patched in accordance with vendor recommendations on an ongoing basis.
Are company devices protected by industry-grade anti-virus software?
Yes. All devices are protected with enterprise-grade anti-virus and endpoint protection software.
Is your internal network secured appropriately?
Yes. Firewalls and appropriate security measures are in place. All devices are correctly configured, default settings changed, and unused ports closed.
Have you experienced any cybersecurity incidents?
No. Any such incident is logged and addressed via a formal incident response process. To date, no user information has been compromised by any security incident.
Do you have a password policy?
Yes. All passwords must meet minimum strength criteria including:
- 8 characters minimum length
- Must include a lowercase letter
- Must include an uppercase letter
- Must include a number
Additionally, accounts are locked after repeated failed login attempts as a further safeguard.
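The two controls above (the four stated password criteria and lockout after repeated failures) as an added illustration in Python; this is not XamPro's code, and the lockout threshold of 5 attempts and the 15-minute lock duration are assumed values, since the FAQ gives neither.

```python
import re

# Password rules exactly as the FAQ states them: 8+ characters, a lowercase
# letter, an uppercase letter and a number.
MIN_LENGTH = 8
RULES = [
    ("at least 8 characters", lambda p: len(p) >= MIN_LENGTH),
    ("a lowercase letter", lambda p: re.search(r"[a-z]", p) is not None),
    ("an uppercase letter", lambda p: re.search(r"[A-Z]", p) is not None),
    ("a number", lambda p: re.search(r"[0-9]", p) is not None),
]


def password_violations(password):
    """Return the names of the stated rules that `password` fails (empty list = acceptable)."""
    return [name for name, check in RULES if not check(password)]


class LoginLockout:
    """Count consecutive failed logins per account and lock the account at a threshold.

    The FAQ only says accounts lock after repeated failures; max_failures=5 and a
    900-second (15-minute) lock are assumptions made for this example.
    """

    def __init__(self, max_failures=5, lockout_seconds=900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # account -> consecutive failure count
        self._locked_until = {}  # account -> timestamp at which the lock expires

    def is_locked(self, account, now):
        """True while the account's lock has not yet expired at time `now`."""
        return self._locked_until.get(account, 0) > now

    def record_failure(self, account, now):
        """Register a failed attempt at time `now`; return True if the account is locked."""
        if self.is_locked(account, now):
            return True
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures[account] = 0  # counter restarts once the lock expires
            return True
        return False

    def record_success(self, account):
        """A successful login clears the consecutive-failure counter."""
        self._failures.pop(account, None)
```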
Do you have multi-factor authentication (MFA)?
Yes. Administrator-level access across all systems requires two-factor authentication (2FA) as a minimum.
Are access controls and monitoring in place?
Yes. Access to user data is automatically logged along with the reason for access. These logs are regularly reviewed for anomalies.
Do you hold any IT or security accreditations?
Yes. EduSoft LTD is Cyber Essentials accredited.
Personal Data
What security measures protect personal data?
Our systems are hosted by industry-leading, fully accredited providers in UK data centres. Systems are built using industry-standard approaches and rigorously tested for vulnerabilities, both internally and annually by third-party security experts.
What country is data stored in?
All user data is stored exclusively in the United Kingdom.
How is customer data stored?
We use cloud-hosted services including Amazon Web Services (AWS), hosted in UK-based data centres. Backups may also be stored in our own UK-based data centre.
Is user data encrypted?
Yes. All user data is encrypted in transit using industry-standard TLS protocols. All student data is also encrypted at rest.
Does our data leave your systems?
No. Data held within XamPro's systems does not leave our controlled environment, except for SMS message content shared with ICO-compliant SMS gateway providers for schools using the SMS module.
Do you have data breach procedures?
Yes. We have both data protection policies and formal procedures for identifying, managing, and reporting data breaches in line with ICO requirements.
Are data management procedures reviewed regularly?
Yes. All data management procedures are reviewed at least annually.
What data does XamPro hold about schools?
The data held depends on the services subscribed to. Typically:
- Non-subscribers: Contact details for school staff (name, job title, email, telephone) and marketing preferences.
- All subscribers: School staff contact details, marketing preferences, and student data.
For students, the following data is mandatory when uploaded to XamPro:
- First name, surname, date of birth, UPN, admission number, gender, year group, registration group, teacher name, class name/code, supervisor name.
The following data is optional and used only to provide enhanced reporting:
- Ethnicity, free school meal eligibility, FSM6, home language, looked after status, more able, preferred name, pupil premium, SEN status, service children, traveller status.
How long does XamPro retain data?
Data is retained for the duration of the school's active subscription, then held for 31 days following termination before permanent deletion. Please see our Privacy Policy for full details.
Does XamPro have an Information Sharing Agreement (ISA)?
Yes. All subscribing schools are required to review and sign our ISA before using XamPro. A draft copy can be downloaded here.