- Answers to some of the questions schools ask before deciding to use Assembly Platform.
- For further information about your responsibilities, please read the ICO guidance for education providers and the ICO data protection guidance for schools.
Are you registered as a technical partner with our MIS supplier?
Yes, we only ever work with MIS vendors using their official partnership programmes.
- Capita SIMS: we are a SIMS Technical Partner. You can find us listed under Ark UK Programmes on the Capita website. This means we have been checked and verified to read data from SIMS.
- Progresso: we are an Advanced Learning Technical Integration Partner.
- Bromcom: we are a Bromcom partner.
- ScholarPack: we are software partners with ScholarPack.
- RM Integris: we are a registered partner on RM Integris Datashare.
- Arbor: we are official partners with Arbor.
How do we control what data is extracted from our MIS?
- The Assembly Platform helps you share specific scopes of data with applications of your choice in a secure manner.
- We never extract personal data from your MIS unless you have explicitly granted us authorisation to do so through a Data Access Request. Read our guide for more information: Assembly: Controlling access to your school’s data.
- Each education application’s Data Access Request will tell you exactly what data will be shared before you choose to authorise it.
Do you share our data with anyone else?
- We never rent or sell your data for marketing purposes, and only share sensitive information with third parties in instances where we are specifically requested to do so by you.
- For example, some services on Platform allow the sharing of your data with third parties (e.g. school improvement charities and curriculum providers). In such circumstances, information is only shared if you give permission, and you control these permission settings through your Platform account.
- Access to data is managed via bearer tokens. These can be revoked at any time and must be refreshed frequently to remain active.
Are you General Data Protection Regulation (GDPR) compliant?
We are fully GDPR compliant.
- Consent to access your data requires a positive opt-in and we already make it possible, and clear, to withdraw that consent at any time via the Platform. For more information, consult our terms.
I want to use the Assembly Platform, but other members of staff have concerns.
We take privacy and security very seriously.
- When thinking about whether to use the Assembly Platform to share data with third-party applications, we encourage you to consider the security of your school’s current data sharing practices, and how you would fulfil the task for which you wish to use Assembly if you did not adopt our Platform.
- Given the wide range of security features built into the Assembly Platform, compared to most other data sharing methods, the Assembly Platform will be a security upgrade rather than a security concern.
- If you or a colleague have any concerns that remained unanswered after reading this guide, please get in touch and we can help to field any questions you may have.
Where is our data stored and how do you ensure it is stored and processed securely?
- Our servers are hosted in the Amazon eu-west-1 region (in Ireland).
- All personal and sensitive data is kept and transported within the EU or countries which are granted to have Adequate Levels of Protection as defined by the European Commission.
- As well as this, all external data transmissions to and from the Assembly Platform are encrypted using modern SSL/TLS protocols and ciphers.
- We also encrypt data at rest (when it is stored on a laptop or disk) and have field-level encryption in our database of personally identifiable student-level fields such as name and UPN, as well as the names and contact details of related parents/ guardians.
What is your data removal policy?
- You have the right to have all your data removed from the Assembly platform at any point in time.
- If you wish to do this then you should give us notice by raising a support case with the relevant details, including the subject: Data Removal Request.
- We will delete the requested data within 5 working days.
I think I have discovered a bug that makes the Platform insecure. What should I do?
- Please let us know as soon as possible by raising a support case with us.
- Whilst we are confident that our Platform is highly secure, any potential weakness will be taken seriously and addressed urgently.
Do you look at our data or gain insight from it?
- We do not look at the data that you choose to store or transport via Platform. The only exception to this is if it is necessary to do so for support or debugging purposes.
- If we need to look at your school’s data in Platform, we will ask you explicitly to grant authorisation before doing so. We will revoke this permission once we have finished investigating on your behalf. You can also revoke access yourself at any time from your Platform account.
- The only insight gathering we do is by using software such as Google Analytics, but this only tracks non-sensitive metadata (such as what type of user you are, or how long you stayed on a page).
- If you think anything is unclear, always ask the relevant organisation.
- It is your duty as the data controller to make sure you know what data sharing entails.
Should we tell parents that we are using Assembly?
- As the data controller, it is your responsibility to inform parents about your school’s approach to data protection.
- If you have a policy in place that covers this, it may already explain your school’s approach to data sharing in a way that covers your use of Assembly.
- If you are unsure about whether your current policies cover your use of Assembly, you should consult the ICO or further legal advice.
What is your ODP Data Protection registration number?
Our ODP registration number is Z9683573.
What third party services do you use for collecting data?
We use the following third-party services to collect data in the following ways:
- Google Analytics for website analytics. The service collects masked IP addresses.
- Convox for IP address whitelisting to prevent DDoS attacks. The service collects IP addresses.
- Sentry for monitoring exceptions and errors. IP addresses are collected only when exceptions and errors are generated, and the process is handled entirely in AWS, so there is no external data transfer.
- Papertrail for logging. No personal data or IP addresses are recorded.
- Full Story to track browser sessions for bugs and issues. Full Story collects IP addresses so that it can associate browser sessions with users. However, we do not send any personal or sensitive data to Full Story. We explicitly block such data from being transferred to the service. Users may also opt-out of Full Story being able to track their sessions using this opt-out link.
Where can I find your full terms of service?
Please see our Terms of Service.