Data Protection & Security
Overview
This article explains how we look after and protect the data you entrust to us. It brings together the information schools often need for their own records and DPIAs in a clear, accessible format. Our goal is to help you find clear, reliable answers to common questions and to give you confidence in the way Insight manages personal data.
Here, you can read about what data we process, how it is stored and secured, and how long it is retained. We also outline how you can manage data subject requests, what our responsibilities are, and the safeguards we have in place to keep information safe.
Data Protection Officer
Our Data Protection Officer is Mike Cooper.
Email dpo@equin.co.uk or send a letter to Equin Limited, Unit G, Pattern Shop, Trevoarn, Hayle, Cornwall, England, TR27 4EZ.
ICO Registration
We are registered with the UK Information Commissioner’s Office under reference Z1904040.
Company Information
We are Equin Limited, established 2007. Equin Limited is the provider of Insight, a Software as a Service product.
Company Number: 06347232
Telephone Number: 020 3393 4005
Postal Address: Unit 6482, PO Box 6945, London, W1A 6US
Registered Office Address: Unit G Pattern Shop, Trevoarn, Hayle, Cornwall, TR27 4EZ
Certifications
We are Cyber Essentials certified, renewed annually, demonstrating that we have key controls in place to protect against common cyber threats.
We maintain an Information Security Management System (ISMS). We are working towards ISO 27001 compliance.
GDPR Compliance
Insight fully complies with the UK General Data Protection Regulation and the Data Protection Act 2018. We follow the key principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, security, and accountability.
We maintain records of our processing activities and conduct regular internal audits.
Roles and Responsibilities
- Equin acts as a Data Processor for schools using Insight.
- Our customers (schools) are Public Authority Data Controllers.
- Due to the nature of our business involving regular and systematic monitoring of individuals on a large scale, including special categories of data, we have appointed an internal Data Protection Officer.
Lawful Basis for Processing
- We process data on behalf of schools based on their lawful grounds for processing.
- Schools typically process personal data as part of their public task mandated by local education authorities.
- Equin has a commercial interest via contract to support our customers’ legitimate interests.
Special Category Data
- We acknowledge that our services may involve the processing of special category data.
- To lawfully process special category data, you must identify both a lawful basis under Article 6 and a separate condition for processing special category data under Article 9.
Data processing and storage
What categories of personal data do you process?
We process the following categories of personal data:
- Pupil records: UPN, legal and preferred names, date of birth, gender, enrolment status (dates of joining and leaving), plus optional attributes such as address, ethnicity, EAL status, FSM history, SEN history, service child status, in-care status, attendance summaries, custom groups, notes, parent or guardian contact details, and photographs.
- Assessment data: Statutory and internal assessments, test scores, teacher judgements, and supporting evidence such as images, written comments, and attachments.
- User data: Names, email addresses, passwords, roles, and access levels for school staff and authorised users to provide secure access.
- Support data: Personal data may also be included in support communications, system logs, or call recordings.
What system or operational data do you keep?
Data type | Description | Retention | Deletion available |
System logs | Automated logs for diagnostics and monitoring; may contain limited personal data (e.g. UPNs, assessments, email addresses). | 45 days | Deleted automatically |
System backups | Daily backups for recoverability and resilience; restores tested twice per year. | 14 days | Deleted automatically |
Support communication | Emails exchanged with our team; may contain personal data. | Up to 36 months | On request |
Call recordings | Calls are recorded for training and monitoring purposes. | Up to 12 months | On request |
How do you collect data?
Insight supports several ways of collecting and updating data, both during onboarding and regular use:
- Our content team will import historical summative assessment data during onboarding.
- Automatic sync of pupil records from your MIS via Wonde.
- Import pupil records via CTF (Common Transfer File) or Excel file upload.
- Import assessments, results and other data via Excel/CSV file upload.
- Manually enter data via the available user interfaces.
Where is customer data stored?
All Insight application and customer data is hosted in the United Kingdom.
Some approved sub-processors for customer operations are based in the EEA. These arrangements remain within UK GDPR-compliant jurisdictions.
How long do you keep customer data?
We keep personal data only while a subscription to Insight is active. When a subscription ends, the data remains available for 30 days to allow time for it to be exported. After this, all personal data is deleted automatically.
In limited cases, we may need to retain some records for longer where law or regulation requires it.
Backups
Frequency
We conduct an automated full backup of the Insight database every night.
Location
Backups are stored in the UK across multiple devices spanning a minimum of three AWS Availability Zones.
Retention
Backups are retained for 14 days, and then permanently deleted.
Security
Backups are encrypted at rest.
Access to backups is restricted in line with our Access Control Policy.
Testing
Automated tests are in place to check that the daily backup is running.
Full system recovery from backups is tested at least annually, and logs are kept, in line with our Backup Policy.
Restoring data
Our backups are primarily for disaster recovery scenarios and are not intended for recovering a small subset of data.
Some data (for example Assessments) have revision tracking enabled and can usually be recovered by sending a help request to our support team.
Offline backups
Insight follows NCSC guidance on offline backups through logical isolation and controlled access.
Backups are stored separately in AWS S3 and are not directly accessible or deletable from the production database. Access to backup storage is governed by separate credentials and controls.
This ensures that backups remain protected and unaffected even in the event of a compromise of the live environment, aligning with the NCSC principle of maintaining a backup that is not simultaneously accessible with production systems.
Multiple backup types (daily snapshots and weekly logical backups) are maintained to support reliable recovery.
Data security and staff practices
How is customer data protected?
We use several layers of protection to keep customer data safe:
Encryption: Data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256.
System access: Based on the principle of least privilege, users can be assigned a role that gives them a suitable level of access to data. For example, the governor role won’t be able to see any personally identifiable information.
Multi-factor authentication (MFA): Available to add an extra layer of security to logins.
Assurance: Annual penetration testing covering both infrastructure and application layers, carried out by independent CREST-accredited providers.
Monitoring: Security events, system activity, and access to personal data are logged and monitored.
Physical security: Customer data is hosted on AWS in UK data centres with robust physical safeguards (such as controlled access, CCTV, and 24/7 monitoring).
Data segregation: Customer data is logically separated using tenant-aware access models and unique identifiers to prevent unauthorised access between schools. Development, testing, and production environments are kept strictly separate.
Input controls: Changes to data are logged with timestamps and user identification to ensure accountability.
Operational security
Access control: Access is granted only where there is a business need, revoked immediately when an employee leaves, and reviewed regularly.
Conditional access is used to protect critical systems and infrastructure.
Technical controls: Endpoint and network security, including real-time anti-virus system protection, firewall and web access protection.
Vulnerability management: Systems are regularly scanned for vulnerabilities, and patches are applied in line with defined risk-based timelines.
Our people and processes also play a key role:
- Employees undergo background checks and provide references before starting work.
- Employees complete mandatory security and data protection training at induction and annually thereafter.
- Devices are centrally managed and encrypted using BitLocker, following strict configuration standards.
Password security
Insight uses recommendations from the NCSC (National Cyber Security Centre) to inform its password policy.
- Password Length: Long passwords, such as short sentences, are the most secure. The minimum length for a password on Insight is 10 characters. Users trying to enter a password of fewer than 10 characters will be prevented from doing so.
- Password Complexity: There are no complexity requirements for Insight for using particular character types, in line with NCSC recommendations. Password recommendations change over time; it used to be commonplace for passwords to require combinations of uppercase and lowercase characters, numbers, and special characters, but this is no longer the case.
- Password Changes: If you're using long, secure passwords, they don't need changing frequently, as is sometimes recommended. The National Cyber Security Centre favours password length over expiration, so Insight won't ask you to change your password after any given length of time.
- Insight has a list of explicitly disallowed passwords, which includes the following: insight, insighttracking, school.
- Insight checks new passwords against the top 100 breached passwords and disallows them if a match is found.
- Insight stores passwords using the BCrypt hash function. The BCrypt algorithm was created in 1999, is extremely secure, and has never been cracked. A hash is a one-way transformation in which each password is turned into a random-looking string of alphanumeric characters of equal length, from which it is impossible to decode the original password. Insight never stores or displays passwords in plain text.
- Throttling: There is no maximum number of login attempts, in line with NCSC recommendations which favour throttling over lockouts. After each failed login, the wait time before the next attempt doubles (1s, 2s, 4s, …) up to a maximum of 15 minutes per user. If more than 20 failed attempts originate from the same IP address within 10 minutes, a minimum 1-minute delay is applied to all logins from that address. This makes automated brute-force attacks extremely slow while ensuring a malicious actor cannot permanently block a legitimate user's account.
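The throttling rule described above, written out as an added example (this is not Insight's own code). The class and method names, the in-memory storage, the reset of the per-user backoff on a successful login, and measuring the address delay from that address's latest failure are all assumptions; the numeric limits are the ones stated in the policy.

```python
from collections import defaultdict, deque

# Values taken from the policy text above.
USER_MAX_DELAY = 15 * 60   # per-user delay is capped at 15 minutes
IP_WINDOW = 10 * 60        # failures per address are counted over 10 minutes
IP_FAILURE_LIMIT = 20      # "more than 20" failures triggers the address rule
IP_MIN_DELAY = 60          # minimum 1-minute delay for that address

class LoginThrottle:
    """In-memory sketch; class, method names and storage are assumptions."""

    def __init__(self):
        self.user_failures = defaultdict(int)   # user -> consecutive failures
        self.user_last_fail = {}                # user -> time of last failure
        self.ip_failures = defaultdict(deque)   # ip -> times of recent failures

    def user_delay(self, user):
        n = self.user_failures.get(user, 0)
        # 1s, 2s, 4s, ... after the 1st, 2nd, 3rd failure; capped, never a lockout.
        return 0 if n == 0 else min(2 ** (n - 1), USER_MAX_DELAY)

    def ip_delay(self, ip, now):
        recent = self.ip_failures[ip]
        while recent and now - recent[0] > IP_WINDOW:
            recent.popleft()                    # forget failures outside the window
        return IP_MIN_DELAY if len(recent) > IP_FAILURE_LIMIT else 0

    def retry_after(self, user, ip, now):
        """Seconds to wait before an attempt by `user` from `ip` is evaluated."""
        user_wait = self.user_last_fail.get(user, now) + self.user_delay(user) - now
        delay = self.ip_delay(ip, now)
        # Assumption: the address delay runs from that address's latest failure.
        ip_wait = self.ip_failures[ip][-1] + delay - now if delay else 0
        return max(0, user_wait, ip_wait)

    def record(self, user, ip, now, success):
        if success:                             # assumption: success resets backoff
            self.user_failures.pop(user, None)
            self.user_last_fail.pop(user, None)
            return
        self.user_failures[user] += 1
        self.user_last_fail[user] = now
        self.ip_failures[ip].append(now)

def backoff_schedule(failures):
    """Per-user delays after each of `failures` consecutive failed logins."""
    t = LoginThrottle()
    out = []
    for i in range(failures):
        t.record("teacher@example.test", "203.0.113.5", i, success=False)
        out.append(t.user_delay("teacher@example.test"))
    return out
```

The per-user delay reaches the 15-minute cap at the eleventh consecutive failure, because the uncapped value would be 1024 seconds. The address rule applies to every account logging in from that address, including ones with no failures of their own.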
Data accuracy and portability
How do you support schools with data subject rights?
Accuracy: Pupil records can be automatically synchronised each night from the school’s MIS, ensuring information such as attendance, SEN status, and enrolment details stay accurate and up to date. Schools can also edit assessment and objective data directly in Insight.
Portability: Schools can export pupil data directly from Insight to respond to Subject Access Requests or transfer records. Requests for correction, deletion, or restriction can be managed by the school directly in Insight, with our support team available to help.
Sub-processors and third-party suppliers
Who are your sub-processors?
All sub-processors undergo due diligence before engagement and are reviewed at least annually to ensure they continue to meet our security and compliance standards.
Sub-processor | Purpose | Location | Privacy / DPO contact | Certifications / Compliance |
Amazon Web Services (AWS) | Primary infrastructure hosting and storage | United Kingdom | | ISO 27001, ISO 27017, ISO 27018, ISO 27701, CSA STAR, SOC 1, SOC 2, SOC 3. See AWS Compliance Programs for the full list. |
Hibernating Rhinos | Cloud-based database hosting | United Kingdom | | ISO 27001, SOC 2, SOC 3 |
Wonde | Import and synchronisation of MIS data | United Kingdom | | ISO 27001 |
Aircall | Telephony services for Customer Support | Germany | | ISO 27001, SOC 2 |
FrontApp | Email management for Customer Support | Ireland | | ISO 27001, SOC 2 |
Microsoft | Productivity and support tools | United Kingdom | | ISO 27001, ISO 27018, SOC 1, SOC 2, SOC 3. See Microsoft Compliance Offerings. |
Slack Technologies (Salesforce) | Internal communication and support coordination | United Kingdom | | ISO 27001, SOC 2, SOC 3. See Slack Trust & Compliance. |
Incidents and data breaches
How do you prepare for incidents or disruptions?
We maintain documented incident response, business continuity, and disaster recovery plans to ensure we can respond effectively to security incidents or operational disruptions.
Backups: Daily backups are taken with automated monitoring. A separate full weekly backup is taken for multi-tiered resilience.
Incident Response: Our plan defines roles, escalation paths, and investigation procedures.
Business continuity: Plans are reviewed at least once per year to ensure they remain effective.
How will you notify us of a data breach?
If a breach affects your school, our Data Protection Officer will notify you without undue delay, in line with our Terms of Service.
Governance and policies
What policies and governance do you have in place?
We operate an Information Security Management System aligned with ISO 27001 principles, supported by policies covering:
- Acceptable use
- Access control
- Business continuity and disaster recovery
- Data classification and handling
- Incident response
- Information security
Policies are kept up to date and regularly reviewed through internal audits and management oversight, with senior leadership accountable for information security.
These policies are supported by strong people practices, with staff vetting, training, and awareness integrated into our security culture.