Information Security Standards: ISO27001
PupilAsset meets all relevant UK security requirements (specifically PCI DSS, ISO27001)
- PupilAsset is registered with, and holds current Data Protection certification
- PupilAsset holds UK school and pupil data only in UK data centres accredited with the most stringent and SAS70 standards
- Access to PupilAsset production application servers is only via web-standard secure SSL pages
- Data transfer to and from all PupilAsset production servers is conducted solely via encrypted pathways (namely SSL (HTTPS) encryption for browsers, and SSH for administration)
- Passwords and other sensitive information are either encrypted or MD5-hashed (with salt to prevent rainbow-table-based attacks)
- Off-site overnight back-ups run daily to ensure that no data is lost in the event of failure at the primary data-centre (see Backup and Data Recovery for more details)
- Resilience is provided by a back-up server (located at a separate UK-based data centre)
- The PupilAsset system itself has a mechanism for secure file transfer, ensuring the end-to-end encrypted transmission of data to the system and/or our support team when necessary
- Pupil Asset is recognised by the DfE as a registered provider of Cloud (educational apps) software services (see Cloud, educational apps, software services and the Data Protection Act Departmental advice for local authorities, school leaders, school staff and governing bodies).
Security is an area we understandably take incredibly seriously. If you have any questions regarding security, please do get in touch via the normal support channels (or, for new enquiries, use the contact form).