Introduction

ePraise has several responsibilities as a data processor under the General Data Protection Regulation (GDPR). We are registered with the Information Commissioners Office (ICO) with registration reference ZA079765. Whilst there can be no such thing as a completely secure system, ePraise will endeavour to take all reasonable measures to ensure that data integrity and security is maintained at all times.

This policy may be updated from time to time without notice, and any changes will be reflected on this page. This policy was last updated on 3rd October 2023.

The service

ePraise is a cloud-based platform and our data centres are based in the UK and Ireland. Our data centres employ a number of virtual, physical and environmental controls to maintain data security and are ISO 27001 certified.

We also use other third-party sub-processors in order to provide services such as our MIS link, single sign on capabilities, data analytics and email/text notifications. We carefully select these third parties to ensure they have appropriate security measures in place to ensure your data security and integrity.

To find out more about how our data centres and other third-party sub-processors maintain the security and integrity of your data, please see the third-party sub-processors section below.

GDPR

Here are some useful things you may wish to know relating to the General Data Protection Regulation (GDPR):

• ePraise is defined as a 'processor' with respect to school data. This means we will always act upon any authorised requests to add, update and delete data from ePraise wherever possible.
• ePraise's data protection representative is Ben Dunford. He can be contacted via ben@epraise.co.uk.
• As controllers, schools have a legal obligation to define their lawful basis for a given data processing activity. We do not recommend schools use consent as their lawful basis for processing but instead use the following:
  • The processing is necessary because of a legal obligation that applies to you. Schools have a legal obligation to provide students with an education. ePraise are working on behalf of schools to help support them in providing this.
  • The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions. Schools provide a public function and ePraise are working on behalf of those schools.
  • The processing is in accordance with the "legitimate interests" condition. Schools have asked ePraise to process this data and there is no "prejudicial effect on the rights and freedoms, or legitimate interests, of the individual".
• ePraise allows schools to process personal data relating to the following data subjects. Some schools may opt not to include governors, however many features will be unavailable if students, staff or parents are excluded from the site.
  • Students
  • Staff
  • Parents and other student contacts (e.g. foster parents, grand parents etc.)
  • Governors
• ePraise allows schools to process personal data relating to the following data areas. Schools can turn off many of the data areas listed below if they wish to, without affecting other areas of functionality, for example turning off Documents will not affect how Seating plans work, except that any linked student documents will not be available within the feature.
  • Activities (e.g. clubs, trips)
  • Attendance (e.g. sessions, lessons)
  • Achievement (e.g. points, badges)
  • Assessment (e.g. grades, feedback)
  • Behaviour (e.g. incidents, trends)
  • Communications (e.g. messages, notifications)
  • Contact details (e.g. home addresses, email addresses, phone numbers)
  • Discussions, notes and reflective writing (e.g. planning, cover, bios)
  • Documents (e.g. reports, EHICs)
  • Events (e.g. meetings, holidays)
  • General data collection (e.g. forms)
  • Groups (e.g. classes, tutor groups)
  • Incidents (e.g. bullying, well-being concerns)
  • Indicators & related data (e.g. gender, pupil premium, SEN)
  • Interventions (e.g. detentions, support sessions)
  • Login information (e.g. usernames, passwords, last logins)
  • Meetings (e.g. parents evenings, one-to-ones)
  • Preferences (e.g. sorting, viewing)
  • Relationships (e.g. relationship types, priorities, restrictions)
  • Rewards (e.g. purchases, donations)
  • Seating plans (e.g. positions, classrooms)
  • Tasks (e.g. homework, classwork)
  • Timetables (e.g. subjects, times)
  • Tracking (e.g. activity on the website)

Subject access requests

Under the GDPR, all individuals who are the subject of personal data held by ePraise are entitled obtain:

• Confirmation that we are processing their personal data
• A copy of their personal data
• Other supplementary information (which is provided in our Privacy Policy, Service Agreement and this Data Protection and Security Policy)

ePraise will provide school administrators with an automated subject access requests routine that will enable them to retrieve data related to students, teachers and parents in the system. If we receive any requests directly, we may pass these back to the school's ePraise administrator where relevant, or will provide the requested information within 30 days of the request (provided we can verify the identity and authority of the person making the request).

Deletion of data

Schools can delete personal data from the epraise.co.uk service via their school administrator login(s). If you wish for our integration partners to delete your data too, you will need to contact them directly (as they may also work with other providers who need this data). Upon the cancellation of a subscription, we will delete all personal data relating to your school from our ePraise servers within 30 days. We will keep a history of contact with the school for a period of up to 5 years after cancellation, to allow us to accurately answer any questions that may arise in the future.

Security measures

We will endeavour to ensure that:

• An SSL connection between the epraise.co.uk service and the client's computer is active at all times for any logged in user
• All ePraise servers have security updates applied regularly
• All ePraise servers use a firewall that enforces strict access rules
• All ePraise servers have appropriate security settings to minimise the opportunities for malicious activity to take place
• When a user changes their own password, it is encrypted, using the secure hashing and salting method
• Administration passwords to the epraise.co.uk servers are not shared with any third parties or employees who do not need access as part of their role
• Any personally identifiable information provided by schools is not shared with any third parties, except when necessary to provide a function of the service
• Access to the ePraise offices are secured with appropriate physical measures
• All ePraise office computers and mobile devices use disk encryption
• All ePraise office computers and mobile devices have strong passwords or another secure authentication method
• When sold or passed on, all ePraise office computers and mobile devices will have their data securely erased
• ePraise staff receive regular training on data security and intrusion prevention
• ePraise staff delete copies of school data from their own computers in a permanent, secure manner as soon as they no longer need it
• When a member of staff leaves ePraise for any reason, all passwords they have previously used are changed
• We will investigate any suspicious activities identified through monitoring and/or audits
• We will inform the data protection representative (Ben Dunford) immediately upon the discovery of anything that indicates a breach may have taken place. The data protection representative will then orchestrate any actions and notifications required as per GDPR
• We regularly test our systems and protocols to ensure reliability, efficiency and security
• We regularly review our systems and protocols and update them if necessary to improve their reliability, efficiency and security

Redundancy, backup and disaster recovery

We will endeavour to ensure that:

• Our primary database has at least one live secondary (mirror) database
• We take a database-level backup at least three times per day
• We take a server-level backup at least once a day
• Backup and restoration procedures are tested on a regular basis
• Load balancing is employed when necessary
• All servers are actively monitored for any disruption
• Any disruption reported is investigated as soon as possible
• Any disruption found is resolved as soon as possible
• In the event of any disruption, schools are kept informed as per our Service Agreement

MIS link and Writeback

ePraise uses software and services provided by third parties ('integration partners') to provide a connection to school MIS systems (e.g. SIMS). Our integration partners are listed in the third-party processors section, however note that we will usually only have one integrator available at any given time. Schools wishing to take advantage of this service will generally need to have software running on their internal ICT systems, to facilitate the transfer of information from the MIS to ePraise and vice versa.

The integration partners will run reports against your MIS in order to collate it at their end, before we then request the data for ePraise. Our integration partners are likely to provide this service for more than just ePraise at your school, therefore you will be required to have approved a separate agreement with the integration partner.

We choose integration partners based on their ability to provide the best service to both ourselves and our schools and will endeavour to ensure that any partner meets all the necessary requirements of UK legislation as well as both our and your expectations. However, you should never give access to school data to any company you have any concerns about, and we would encourage you to do your own checks before installing any software, providing any credentials and/or authorising any access.

In order to provide the service, we will request access to a number of data areas from the integration partner. Below is a list of the different data areas we will request by default:

• Achievements
• Assessment
• Attendance
• Behaviours
• Contacts (e.g. names and contact details of parents)
• Employees (e.g. includes names, contact details, start date, end date)
• Photos (staff and students)
• Students (e.g. upn, start dates, end date, names, contact details, student indicators)
• Classes, groups and timetables

Before this data is sent to our platform, you will have the opportunity to assess the requested data scopes in fine detail via the data integrator's platform. We may offer additional scopes in the future as part of new features or updates, and you will have the opportunity to accept or reject these changes within the data integrator's platform when this happens.

Note that some access may be requested for future use as part of our commitment to keep improving the platform. It is possible to stop ePraise receiving particular data fields should this be necessary for any reason.

Third-party sub-processors

As with most organisations, we work with a limited number of vetted third parties in order to facilitate our operations. Below is a complete list of third parties we currently work with or have worked with recently, with a link to their appropriate data protection documentation. Note that an individual user's data will only pass through a small subset of this list, for example we might receive their data via Wonde, host it on a server at AWS and send push notifications to them via Google.

Our parent company

• Firefly Learning: https://fireflylearning.com/privacy-policy-firefly-app-and-website

Hosting, infrastructure and storage

• Amazon Web Services (AWS): https://aws.amazon.com/compliance/

School data integration services

• Wonde: https://wonde.com/downloads/Wonde%20-%20Security%20Information.pdf

Apps, analytics and communications

• Apple: https://www.apple.com/legal/privacy/en-ww/governance/
• Google: https://cloud.google.com/security/compliance/iso-27001
• MailGun: https://www.mailgun.com/gdpr/
• Edtech Impact: https://edtechimpact.com/privacy
• Zendesk: https://www.zendesk.co.uk/company/privacy-and-data-protection/
• SalesForce: https://www.salesforce.com/privacy/overview/
• Marketo: https://uk.marketo.com/company/trust/gdpr/