Arbor's Data Protection Policy to comply with GDPR

GDPR puts the 'privacy by design' principle into law - security features should be an integral part of how that system is constructed. We also follow this principle at Arbor.

This article explains our policies regarding data protection for all our products, including our security features, principles, and processes. It will answer any concerns you may have, whether you’re a Head Teacher, a MAT leader, or a Data Protection Officer.

  • For an overview of how we protect your data, take a look at our website.
  • We also have a Data Protection Impact Assessment template (DPIA) available here: DPIA template


Arbor meets and exceeds the requirements of GDPR, protecting the data we store with a comprehensive Information Security Management System which the International Organisation for Standardisation (ISO) audits annually. This system is governed by our Information Security Management Committee, which consists of senior management across various business areas.

  • Physical security is maintained by formal security inspections, risk assessments and access control at every Arbor office. Access to Arbor locations is restricted with secure keys, CCTV, 24/7 security personnel and secure perimeter doors.
  • Digital security is maintained not only by our staff’s awareness training and personal vigilance, but by a number of digital safeguards. Staff passwords are changed regularly and wherever possible all our business systems require two-factor authentication. Data is kept on our central system rather than any individual device, so you can give and revoke permissions to different users.

Arbor MIS also has a number of tools to help you keep your school GDPR compliant:

  • Data quality dashboards to help keep personal data accurate
  • User login histories can be viewed by headteachers and system administrators for access control
  • Role-based, granular permissions so that, for instance, an individual who can see a student’s child protection status cannot necessarily view or edit documents relating to that status
  • Two-factor authentication can be enabled for your staff on request, as well as enforced regular password changes (not available for the Parent Portal or Parent App): Two-factor authentication
  • Subject Access Requests with all information about a data subject (whether staff, student or guardian) possible to download with one button: Downloading Profiles
  • Data Retention Dashboards for personal records highlight records that exceed data retention timelines, so they can be deleted in bulk: Managing data retention for your MIS data


Our certifications

We have certifications for:

  • ISO 9001 - Internationally recognised as the gold standard for Quality Management Systems. It helps organisations ensure that their processes comply with rigorous standards for quality assurance and are measurably effective. Certification requires an independent audit to be passed annually.
  • ISO 27001 - International standard for Information Security Management Systems. It contains a large number of controls an organisation must implement, considering everything from how personal information is handled, through to physical security of locations where information is stored or processed. Maintaining certification requires passing an independent audit annually. Certificate number LRQA 10015370
  • Our server infrastructure provider, Amazon Web Services, is also certified with ISO 27001, ISO 27017 and ISO 27018
  • Cyber Essentials - Cyber Essentials is an effective, Government backed scheme that helps protect organisations, whatever their size, against a whole range of the most common cyber attacks. Certificate number 0016298130002077
  • PCI DSS - As a secure provider of card payments, Arbor is audited annually for compliance with the Payment Card Industry Data Security Standard (PCI DSS). You can read more about this in our PCI Charter.
  • We are on the DfE cloud supplier checklist, and the G-Cloud list of approved cloud suppliers.

You can find our certificates by clicking the links at the bottom of this article. These certifications mean our security management is audited annually to the highest international standards.



Data storage and partners

How do you store data?

Arbor is fully cloud hosted in Amazon Web Services UK’s London servers. All personal data is physically stored, processed and managed from the UK. Backups are also stored in the UK.

All our architecture is housed in a private firewalled network to reduce external access and increase security. The school MIS operates a single-tenanted database model - this means that data is segregated from other customers in our database and persistence layers. Instances are recycled daily to reduce the risk of data being compromised, and all servers are patched continuously to reduce security vulnerabilities. Encryption in transit is through bank grade 256-bit SSL.

Is the rest of your supply chain secure?

Arbor maintains back-to-back contracts with our subcontractors so that all data security policies and responsibilities flow down to them, meaning all school data is kept secure. These standards are renewed every year, keeping protection up-to-date.

Our server infrastructure is maintained by engineers who work at Arbor Education Partners d.o.o., which is a fully-owned subsidiary company of Arbor Education Partners Group Ltd. They are subject to the same GDPR compliant security procedures as our central staff, plus our server security requirements. Access to servers by our engineers requires individual SSH keys, registered in an LDAP server, which are additionally password protected.

What’s your policy for third-party apps?

Arbor can replace a lot of the third-party applications used by schools alongside their legacy MIS, but we welcome integration from your other processors with our open RESTful API. Once we’ve vetted your apps for compliance, they can become an Arbor approved partner.

Nobody will be able to access your Arbor-stored data without the explicit, written consent of the data controller in your school.

You can find a list of third-party organisations which have already been approved here: Arbor's Third-Party API Integrations. You’ll be able to grant or reject access from the partners you use, and revoke their access at any time. All our partners have to prove their own GDPR compliance, and in particular a fine-grained permissions model that only gives data access to those who need it.

It’s then the partner’s responsibility to maintain the quality of their integration with Arbor. If we’re investigating an issue for you and believe it’s actually an issue from one of your integrated processors, we’ll let you know as soon as possible so you can take it up with them directly.

Our Authorised Sub-processors

Our Authorised Sub-processors


Third Party service/vendor Purpose Relationship Entity Country
AWS Amazon Servers/High Availability Supplier UK
Snowflake Warehousing and Analytics Supplier UK
Stripe Payment Processing Supplier UK
Vonage SMS provider Supplier UK
Microsoft Azure Identity and Artificial Intelligence Services Supplier UK
Swyft Customer Support , customer training and customer onboarding Subcontractor UK
SBS (School Business Services) Customer training and customer onboarding Subcontractor UK
Schools ICT Customer training and customer onboarding Subcontractor UK
Somerset County Council Customer training and customer onboarding Subcontractor UK
Odondo Customer Support Subcontractor UK
Herts for Learning Customer training and customer onboarding Subcontractor UK
Entrust Customer training and customer onboarding Subcontractor UK
North Yorkshire County Council Customer training and customer onboarding Subcontractor UK
Services 4 Schools Customer training and customer onboarding Subcontractor UK
Twilio Sendgrid Email provider Supplier US
Google Cloud Geocoding Supplier UK
DataDog Logging and Observability Supplier US
Sentry Logging Supplier UK
Docraptor PDF Generation Supplier UK
Loqate Postal address validation Supplier UK
Kickbox Email address validation Supplier UK
Gainsight (Px) Product usage and analysis Supplier UK
Gainsight (Cs) Onboarding, customer health, and newsletters Supplier UK




Arbor staff

The objective of our access policy, for both schools and our own staff, is that every user will have permission to access only the level of data that they need to do their job, and only for as long as they still need it. All these policies are also audited as part of our ISO 27001 certification.

  • Arbor’s Access Control Policy - Our Access Control Policy* doesn’t grant access to any systems unless there is a justified business need. Each system has a business owner, and a policy that governs who can gain access and what justifications support a user being granted privileged access.
  • Checking & Training Our Staff - All our staff and contractors undergo a DBS check, and employees require two references before starting work. All staff who need to access customer data receive data protection and information security awareness training as part of their induction, followed by our continuous professional training program. All staff involved in information security management have both significant industry experience, and formal training on the skills required.
  • Revoking Permission - When employees leave Arbor, their access to all business systems is revoked within 24 hours as part of our off-boarding procedure. We conduct semi-annual access control audits for every business system, and those users with business owner or administrator level permissions have their access reviewed quarterly.


Managing data on the MIS

Complying with Subject Access Requests

Arbor will make every reasonable effort to help you get what you need from our system, and this includes helping you comply with Subject Access Requests in a secure way.

Unlike some legacy MIS systems which hold different types of data in a variety of separate places throughout your school, Arbor can show you all the information you have permission to access about a student, staff member, or guardian directly from their profile page: Information Request File, Subject Access Request (SAR) or Freedom of Interest Request

You can even anonymise all staff information from the download with just one tickbox, to protect your other data subjects during the request.

How can data be deleted from Arbor?

Schools can use our built in Student and Staff Data Retention dashboard to help comply with their GDPR responsibility to delete unnecessary data.

Please see our full guidance on using this feature, and what to do if the built-in retention period has not yet been passed: Managing data retention for your MIS data

Can we back up data in case of deletion?

Arbor will be able to restore the system to any point in the past 30 days in the case of accidentally deleted data, in case you remove something and can’t change it back with our built-in editing tools.

This will incur a charge if this data issue has occurred due to user error, or lack of due diligence on the school's side. Please contact us if you need to request this, or for more information on charges.

However, our built-in warnings against data deletion make this very rare.

What if we want to leave Arbor?

If you wish to terminate your Arbor contract, you will have a 90 day notice period in which we can export your data to a new MIS.

We can provide your data as a full database backup, either:

  • using our open RESTful API
  • extract using MYSQL database
  • directly to you in a standard CTF file format
  • directly to you in a CSV file

All your data will be fully deleted from our servers 7 days after your final contract termination date as per our Data Export and Deletion Policy*.


Security and access to data on the MIS

Access control

One of the most powerful ways Arbor protects your school data is permission based access. Each user has a level of permission planned in collaboration with you when Arbor is implemented, that ensures they can only view the data relevant to their role.

This is useful because GDPR demands you only let people access data that’s necessary for their job, and only for as long as necessary.

You might give your pastoral team the ability to view and edit child protection data, whilst a child’s form tutor can only view it, and a teacher who never works with them cannot access it at all.

These role based permissions are built into every Arbor feature and can be given and taken away by the school on an ad hoc basis, giving you the flexibility you need to comply with GDPR without interrupting your flow of work.

See what has been accessed or changed

Because Arbor is based on live data, entered in real time by the school, it is always as complete and correct as the school wishes it to be.

Arbor will not edit your data unless we have prior agreement to do so, such as when migrating data from a previous MIS.

  • You’ll be able to review and search the data of students and staff on our dashboards and profile pages, and edit it whenever necessary, which will change the data across the entire system instantly.
  • You can keep your old policies about how often you update personal data, and divide up the responsibility by giving administer permissions to different users.

The school or MAT leader will have access to a dashboard that also shows when each user has logged into the system, including Arbor’s own admins: See when users are logging in

Staff are able to access audits of attendance and assessment data. We can also provide you with a full audit of the actions of individual users on your system on request, but please note that this may incur a charge.

Logging in

Each user has a secure and unique password, and we support a number of additional security features, including:

In a cloud-based MIS like Arbor data isn’t stored on any device, and Arbor automatically logs out after a period of inactivity.

This means that even if there’s a breach in your school’s physical security, the data kept with us is less likely to be compromised. By accessing our cloud through their staff login, Parent Portal or Student Portal, users won’t have to print or email personal data, again reducing the risk it falls into the wrong hands.


Issues, breaches and emergencies

Can we restore systems in an emergency?

Arbor maintains a full Business Continuity Plan* which is regularly reviewed by our Information Security Management Committee, and each business unit has its own continuity plan tailored to the local conditions of that office. In the case of physical disruption, our cloud-based systems allow for rapid relocation to minimise disruption.

Our Devops team maintains a continuity plan in the case of server loss. All server configuration is stored as code, and we are able to establish an entire new set of server infrastructure within 24 hours.

Snapshot backups are taken daily and also point-in-time backups are maintained, which means we can restore the system to any point in the last 30 days. Our backup restore procedure and the rest of these policies are regularly audited.

Identifying risks and vulnerabilities

Yes. Our Devops team monitor for new vulnerabilities. Any new threats deemed a high risk are assessed by our engineering management, and a response plan is formulated.

All server operating systems are automatically patched with the latest security fixes every night. All software libraries are upgraded to the latest version, incorporating security fixes, upon every new release of our software (this happens at least once per working day). An internal security committee assesses our software and infrastructure every month for possible vulnerabilities, and plans fixes for any they find. External penetration testing is also conducted annually.

Data breaches and errors

All servers are monitored for standard key metrics (CPU, memory, network load, requests). These metrics are collected into a central monitoring server, whilst all logs are collected into a centralised logging system. Alert trigger rules are defined on both metrics and logs to proactively alert our Devops team to possible issues and unusual activity. These alerts are investigated within several hours and resolved.

All errors within the application, including those reported by schools, are collected into a central error collection system. Each error is assigned to an engineer, who attempts to reproduce and, if necessary, fix the problem within 1 business day.

  • As soon as we became aware of a breach we would aim to notify you within 24 hours.
  • If you are concerned there may have been a data breach, be sure to get in touch with us immediately. We will then conduct a thorough investigation. Our Data Protection Officer is Stephen Hall,

All incidents are detected and reported to our Chief Technical Officer, Damian Brooks, who then is responsible for coordinating our technical teams, gathering evidence, assessing the incident, and managing the response plan. All communications procedures will be followed, the incident will be logged, and corrective action will be taken to mitigate the risk in the future. Our Security Incident Response Plan* is audited as part of our ISO 27001 certification.


* We can send any of these policies to Arbor users in full on request. If you have more questions about GDPR or Arbor in general, please get in touch!

Was this article helpful?
7 out of 13 found this helpful
I'm still stuck!



Article is closed for comments.