Data Protection & Security
Updated
Overview
This article explains how we look after and protect the data you entrust to us. It brings together the information schools often need for their own records and DPIAs in a clear, accessible format. Our goal is to help you find clear, reliable answers to common questions and to give you confidence in the way Insight manages personal data.
Here, you can read about what data we process, how it is stored and secured, and how long it is retained. We also outline how you can manage data subject requests, what our responsibilities are, and the safeguards we have in place to keep information safe.
Data Protection Officer
Our Data Protection Officer is Mike Cooper.
Email dpo@equin.co.uk or send a letter to Equin Limited, Unit G, Pattern Shop, Trevoarn, Hayle, Cornwall, England, TR27 4EZ.
ICO Registration
We are registered with the UK Information Commissioner’s Office under reference Z1904040.
GDPR Compliance
Insight fully complies with the UK General Data Protection Regulation and the Data Protection Act 2018. We follow the key principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, security, and accountability.
See GDPR Compliance - Insight Help Guides for more details.
Certifications
We are Cyber Essentials certified, renewed annually, demonstrating that we have key controls in place to protect against common cyber threats.
We maintain an Information Security Management System (ISMS). We are working towards ISO 27001 compliance.
Data processing and storage
What categories of personal data do you process?
We process the following categories of personal data:
- Pupil records: UPN, legal and preferred names, date of birth, gender, enrolment status (dates of joining and leaving), plus optional attributes such as address, ethnicity, EAL status, FSM history, SEN history, service child status, in-care status, attendance summaries, custom groups, notes, parent or guardian contact details, and photographs.
- Assessment data: Statutory and internal assessments, test scores, teacher judgements, and supporting evidence such as images, written comments, and attachments.
- User data: Names, email addresses, passwords, roles, and access levels for school staff and authorised users to provide secure access.
- Support data: Personal data may also be included in support communications, system logs, or call recordings.
What system or operational data do you keep?
Data type | Description | Retention | Deletion available |
System logs | Automated logs for diagnostics and monitoring; may contain limited personal data (e.g. UPNs, assessments, email addresses). | 45 days | Deleted automatically |
System backups | Daily backups for recoverability and resilience; restores tested twice per year. | 14 days | Deleted automatically |
Support communication | Emails exchanged with our team; may contain personal data. | Up to 36 months | On request |
Call recordings | Calls are recorded for training and monitoring purposes. | Up to 12 months | On request |
How do you collect data?
Insight supports several ways of collecting and updating data, both during onboarding and regular use:
- Our content team will import any historical assessment data during onboarding.
- Automatic sync of pupil records from your MIS via Wonde.
- Import pupil records via CTF (Common Transfer File) or Excel file upload.
- Import assessments, results and other data via Excel/CSV file upload.
- Manually enter data via the available user interfaces.
Where is customer data stored?
All Insight application and customer data is hosted in the United Kingdom.
Some approved sub-processors for customer operations are based in the EEA. These arrangements remain within UK GDPR-compliant jurisdictions.
How long do you keep customer data?
We keep personal data only while a subscription to Insight is active. When a subscription ends, the data remains available for 30 days to allow time for it to be exported. After this, all personal data is deleted automatically.
In limited cases, we may be required to retain some records longer if required by law or regulation.
Data security and staff practices
How is customer data protected?
We use several layers of protection to keep customer data safe:
Encryption: Data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256.
System access: Based on the principle of least privilege, users can be assigned a role that gives them a suitable level of access to data. For example, the governor role won’t be able to see any personally identifiable information.
Multi-factor authentication (MFA): Available to add an extra layer of security to logins.
Assurance: Annual penetration testing covering both infrastructure and application layers, carried out by independent CREST-accredited providers.
Monitoring: Security events, system activity, and access to personal data are logged and monitored.
Physical security: Customer data is hosted on AWS in UK data centres with robust physical safeguards (such as controlled access, CCTV, and 24/7 monitoring).
Data segregation: Customer data is logically separated using tenant-aware access models and unique identifiers to prevent unauthorised access between schools. Development, testing, and production environments are kept strictly separate.
Input controls: Changes to data are logged with timestamps and user identification to ensure accountability.
Operational security
Access control: Access is granted only where there is a business need, revoked immediately when an employee leaves, and reviewed regularly.
Conditional access is used to protect critical systems and infrastructure.
Technical controls: Endpoint and network security, including real-time anti-virus system protection, firewall and web access protection.
Vulnerability management: Systems are regularly scanned for vulnerabilities, and patches are applied in line with defined risk-based timelines.
Our people and processes also play a key role:
- Employees undergo background checks and provide references before starting work.
- Employees complete mandatory security and data protection training at induction and annually thereafter.
- Devices are centrally managed and encrypted using BitLocker, following strict configuration standards.
Data accuracy and portability
How do you support schools with data subject rights?
Accuracy: Pupil records can be automatically synchronised each night from the school’s MIS, ensuring information such as attendance, SEN status, and enrolment details stay accurate and up to date. Schools can also edit assessment and objective data directly in Insight.
Portability: Schools can export pupil data directly from Insight to respond to Subject Access Requests or transfer records. Requests for correction, deletion, or restriction can be managed by the school directly in Insight, with our support team available to help.
Sub-processors and third-party suppliers
Who are your sub-processors?
All sub-processors undergo due diligence before engagement and are reviewed at least annually to ensure they continue to meet our security and compliance standards.
Sub-processor | Purpose | Location | Privacy / DPO contact | Certifications / Compliance |
Amazon Web Services (AWS) | Primary infrastructure hosting and storage | United Kingdom | ISO 27001, ISO 27017, ISO 27018, ISO 27701, CSA STAR, SOC 1, SOC 2, SOC 3. See AWS Compliance Programs for the full list. | |
Hibernating Rhinos | Cloud-based database hosting | United Kingdom | GDPR compliant; hosted on ISO 27001-certified UK infrastructure | |
Wonde | Import and synchronisation of MIS data | United Kingdom | ISO 27001 | |
Aircall | Telephony services for Customer Support | Germany | ISO 27001, SOC 2 | |
FrontApp | Email management for Customer Support | Ireland | SOC 2 | |
Microsoft | Productivity and support tools | United Kingdom | ISO 27001, ISO 27018, SOC 1, SOC 2, SOC 3. See Microsoft Compliance Offerings. | |
Slack Technologies (Salesforce) | Internal communication and support coordination | United Kingdom | ISO 27001, SOC 2, SOC 3. See Slack Trust & Compliance. |
Incidents and data breaches
How do you prepare for incidents or disruptions?
We maintain documented incident response, business continuity, and disaster recovery plans to ensure we can respond effectively to security incidents or operational disruptions.
Backups: Daily backups are taken with automated monitoring. A separate full weekly backup is taken for multi-tiered resilience.
Backups are restored and tested at least twice per year to ensure reliability.
Incident Response: Our plan defines roles, escalation paths, and investigation procedures.
Business continuity: Plans are reviewed at least once per year to ensure they remain effective.
How will you notify us of a data breach?
If a breach affects your school, our Data Protection Officer will notify you without undue delay, in line with our Terms of Service.
Governance and policies
What policies and governance do you have in place?
We operate an Information Security Management System aligned with ISO 27001 principles, supported by policies covering:
- Information security
- Acceptable use
- Access control
- Data classification and handling
- Incident response
- Business continuity and disaster recovery
Policies are kept up to date and regularly reviewed through internal audits and management oversight, with senior leadership accountable for information security.
These policies are supported by strong people practices, with staff vetting, training, and awareness integrated into our security culture.
