50% Off Satchel One MIS – Only for the Next 50 Schools! Find out more about the offer 50% Off Satchel One MIS – Only for the Next 50 Schools! Find out more about the offer 50% Off Satchel One MIS – Only for the Next 50 Schools! Find out more about the offer
Satchel is committed to the highest standards of data protection and rigorously enforces robust policies to ensure compliance with the General Data Protection Regulation (GDPR).
We prioritise the security of the data we manage, safeguarding it through a stringent Information Security Management Framework. This framework is overseen by our dedicated Information Security Oversight Committee, comprising senior leadership from various sectors within our organisation. This proactive approach ensures that we not only meet but also exceed the requirements necessary to protect your data effectively.
Utilising Amazon Web Services (AWS) for our hosting, we guarantee superior data resilience and security, facilitating on-demand data restoration within a 30-day window to align with GDPR requirements.
Our architecture is meticulously designed for high availability, underpinned by rigorous disaster recovery testing to ensure our systems remain robust against significant disruptions.
This proactive approach has enabled us to maintain an impressive uptime record of over 99.99% in the past two years, exemplifying our unwavering commitment to ensuring business continuity and the integrity of our clients' data.
To ensure uninterrupted service, our platform is designed to operate continuously without the need for regular maintenance windows. In the exceptional instances where maintenance is imperative, it is strategically scheduled during periods of minimal activity and out of hours, such as school holidays, to mitigate impact on our users.
Our platform is engineered for maximum compatibility and accessibility, requiring only a modern web browser for full functionality. This design philosophy ensures that our users can access our services conveniently, without the need for additional software installations, streamlining the user experience across diverse devices and operating systems.
In the unlikely event of a service interruption, we prioritise transparent and timely communication with our users via established channels including Intercom, our status page, and social media platforms. Our focus on customer service ensures that users are well-informed of any issues that may affect their experience, reflecting our commitment to reliability and user satisfaction.
Our infrastructure is securely hosted within Amazon Web Services' UK regions, leveraging their global network to deliver optimal performance and reliability.
Upon conclusion of our services, we provide a comprehensive database export to facilitate a smooth transition for our customers 28 days after conclusion of services. This process is aligned with our commitment to transparency and support, ensuring that customers retain full control over their data even after their engagement with our platform concludes.
At Satchel, we maintain rigorous physical security at our headquarters through formal security evaluations, comprehensive risk assessments, and strict access control measures. Entry to our facilities is carefully controlled using secure keycard access, round-the-clock surveillance cameras, and security personnel available 24/7 These measures form part of our broader physical security policies, designed to safeguard our operational environments and ensure the safety of all data and personnel.
At Satchel, we ensure data security through comprehensive staff awareness training and stringent digital safeguards. Our employees undergo regular security and awareness training, promoting vigilance and personal responsibility in safeguarding data. We enforce robust password policies, requiring frequent updates, and wherever possible, we implement two-factor authentication across our business systems to enhance security measures.
Data is securely stored in the cloud, centralising its management and facilitating the precise control of user permissions. This allows for the swift granting and revoking of access as needed. Our strict policies around data access are supported by thorough background checks on all employees, reinforcing our commitment to maintaining a secure and trustworthy data environment.
Our server infrastructure is hosted on Amazon Web Services (AWS), a leading provider that adheres to the highest standards of data centre security. AWS is certified with ISO 27001, ISO 27017, and ISO 27018, ensuring robust protection and security management of data. These certifications demonstrate AWS's commitment to securing infrastructure and managing information in a compliant and secure manner, which, in turn, enhances the overall security of the data we manage at Satchel.
Our policy for integrating third-party apps is designed to ensure maximum security and control over data extraction from our systems. We exclusively partner with Wonde for all third-party application integrations. This approach allows us to use a single, trusted provider to securely connect our systems with the applications you need. By centralising through Wonde, we streamline the integration process and maintain stringent oversight, significantly reducing the risks associated with data handling and transfer between different platforms.
We have extensive expertise in handling GDPR’s ‘Subject Access Requests’ (SARs), ensuring swift and efficient compliance. At Satchel, we have a dedicated Data Protection Officer (DPO) who oversees our response to these requests. Additionally, our support team is readily available to assist you with any SARs. You can contact them at any time to initiate a request, and we are committed to providing you with the requested data promptly. This streamlined process is part of our commitment to upholding your data rights and ensuring transparency.
Data can be deleted from Satchel by our data administrators, who have the authority to remove any data from our systems as requested, in full compliance with GDPR regulations. Once a deletion request is processed, the data is promptly removed from our active systems. Furthermore, to ensure complete erasure, any data deleted from our systems is also purged from all backups within 28 days. This policy ensures that your data is not only deleted efficiently but also securely, eliminating any residual data presence in our system.
In the event of an emergency, we are well-prepared to restore systems efficiently. Satchel has robust backup processes in place, allowing us to restore your data to any given moment within the last 28 days. Our Business Continuity Plan (BCP) includes battle-tested procedures and processes specifically designed to ensure rapid recovery and minimal disruption. This comprehensive approach guarantees that we can swiftly respond to and recover from any incidents, maintaining the integrity and availability of your data when it matters most.
School users can effectively control access to their data in Satchel through a robust system of user permissions, which can be extensively customised by the school administrators. This system allows schools to manage and control who can view, edit, or write data, ensuring that access is granted appropriately based on the roles and responsibilities within the school. Additionally, Satchel provides a set of preconfigured permissions that can serve as a starting point for further customisation.
Our support team is readily available to assist schools in setting up and managing these permissions. Schools can reach out to our team at any time for guidance on how to tailor the permissions to meet their specific needs and ensure that data access is securely controlled.
Satchel employs advanced security measures to ensure the highest level of protection for school data. We conduct regular security penetration tests carried out by a CREST-accredited party, confirming our defences are robust and up to date. In addition to strict password policies, we offer Single Sign-On (SSO) capabilities, which streamline the login process and enhance security by reducing password fatigue among users.
Our system also features comprehensive intrusion detection monitoring and real-time system checks. This proactive security approach allows us to detect and respond to potential threats swiftly, minimising the risk of any compromise. With these measures in place, Satchel ensures that even in the event of a physical security breach at a school's location, the data remains secure and well-protected. This architecture eliminates the need for local data storage, further safeguarding sensitive information from unauthorised access.
Our Access Control Policy rigorously enforces that access to any systems is only granted based on a justified business need. Each system under our purview is assigned a business owner who is responsible for overseeing access control. This policy clearly defines the criteria and justifications required for a user to be granted privileged access.
Additionally, our policy mandates regular reviews of all access permissions. These reviews ensure that access rights are still appropriate and modify them as needed to align with current business requirements and security best practices. This ongoing evaluation helps maintain a secure and efficient operational environment, preventing unnecessary exposure of sensitive information.
Yes, we conduct regular assessments of our system’s risks and vulnerabilities, adhering to very strict policies that include stringent Service Level Agreements (SLAs). These SLAs ensure timely evaluations and responses to potential security issues. Our monitoring and compliance are enhanced through the use of third-party applications that alert us to any deviations from these SLAs, helping us maintain high security standards consistently.
Additionally, we can provide SOC2 reports upon request. These reports detail our compliance practices and the effectiveness of our security measures, offering transparency into how we manage and safeguard data. This commitment to rigorous security assessment and reporting reinforces our dedication to maintaining a secure and reliable environment for all our users.
Our robust incident response plan ensures that we are immediately alerted to any potential breaches or errors through our centralised error reporting systems. These systems consolidate alerts and monitor data across our infrastructure, allowing for effective detection of unusual patterns or security threats in real time. This centralisation enhances our ability to quickly assess and respond to incidents from a unified platform.
Upon receiving an alert, our incident response team follows a meticulously outlined procedure to address the issue. This includes isolating affected systems, conducting a thorough investigation to understand the nature and scope of the incident, and implementing measures to prevent future occurrences. Our proactive and centralised approach to monitoring and incident response is a key part of our security strategy, ensuring the integrity and confidentiality of the data we manage.
In response to a data breach, our Incident Response Plan (IRP) coupled with our comprehensive monitoring systems ensures a swift and coordinated approach. Upon detection of a breach, our team is alerted immediately, and the incident is reported to both our Chief Technology Officer (CTO) and our Data Protection Officer (DPO), who are responsible for overseeing the response.
Our established incident management process aims to notify affected parties without undue delay, generally within 24 hours of becoming aware of the incident. We gather all pertinent evidence related to the breach to compile a detailed incident report. This report is crucial for assessing the incident thoroughly and managing the subsequent response plan.
As part of our commitment to transparency and accountability, we also provide a SOC2 report that details our compliance with rigorous security practices. Our response to incidents includes logging the event, following all prescribed communication procedures, and implementing corrective actions designed to mitigate future risks and enhance our security posture.
We are happy to provide full copies of any of our policies upon request. If you have additional questions about GDPR compliance or any other aspect of our services, please do not hesitate to get in touch. We're here to help and ensure you have all the information you need!