MarvellousMe Compliance with General Data Protection Regulation
MarvellousMe takes the protection and security of personal data extremely seriously.
We follow industry recommended best practices with regards to data security and the privacy of personal data, with our technology partner operating our service to ISO 9001:2015, ISO 27001:2017 and being Cyber Essentials certified.
With the General Data Protection Regulation (GDPR) coming into effect in May 2018, we carried out technical and organisational measures to ensure that we comply with GDPR, and updated our policies and procedures accordingly.
In summary, the steps taken included:
- Mapping and documenting data handled by us, including:
- identifying the personal and sensitive data held;
- where the data is stored, how the data is used and with whom the data is shared;
- establishing where the data came from and identifying the legal basis for holding and processing it; and
- reviewing our standard data retention.
- Analysing GDPR requirements against our current processes and policies and making changes to our products, processes and documentation in line with requirements, including:
- reviewing and updating the contract with our sub-processor, setting out each party’s respective responsibilities under GDPR; and
- reviewing how we communicate with schools.
- Undertaking a review of our security measures to ensure systems are robust to identify any potential risks of non-compliance or any weaknesses in our data storage and handling systems;
- Providing training to all staff on the requirements of GDPR and MarvellousMe data privacy procedures;
- Ensuring that procedures are in place to deal with individual’s enhanced rights under GDPR, including ensuring we can respond to all types of data subject requests within a timely manner.
Our platform and service highlights
The MarvellousMe platform is continually being updated to provide new features to customers and combat an ever-evolving landscape of internet threats. It is built using modern architectural principles and is frequently assessed to ensure that data remains safe.
We have provided the summary below to answer common questions, and in line with the Cloud Software Services for Schools Supplier Self-Certification Checklist provided by the Department of Education and Schools Commercial team.
- Our platform is operated across multiple, Tier 4 data centres which means that all components are fully fault- tolerant, including (but not limited to) internet uplinks, storage, cooling, power and servers.
- Our data centre partner holds over 15 compliance certifications and has been approved for use on over 20 governmental Our primary data-centre also features direct connectivity with JANET, the UK’s Research and Education Network, for the best possible experience from connected education establishments. Access to this environment is tightly controlled and limited to a small number of Sec-DevOps engineers and senior developers based in the UK.
- We act as the Data Processor, acting only according to the instructions of the Data Controller (the school).
- We prohibit personal data or metadata being shared across other services, and only share data with our sub-processor (our technology partner). We do not share data with any other third parties.
- Access to the service is via a unique login ID and All aspects of the service, including authentication, are delivered via HTTPS.
- Sensitive data such as passwords are encrypted. Other data is not encrypted but is held in a secure data centre.
- All transit of data is via secure, encrypted methods and at no time is data transferred between data centres without encryption. Our email traffic uses SMTPS to secure traffic using TLS.
- We strictly limit the amount of personal data stored and ensure that it is only retained for the minimum duration necessary.
- Users can request a copy of their own data. This will be provided to them within 30 days of their request.
- We destroy all the copies of a school’s data within 90 days of the end of a contract, or upon request during the contract.
- Our service is backed up as a minimum every 24 hours. This ensures that all user data can be restored if required.
- Data is exclusively hosted within the European Economic Area.
- We do not serve advertisements or carry-out any advertisement-related data mining.
- We do not use or pass on any personal data or meta data for any commercial purpose.
Processing, data subjects and personal data
In line with the UK Information Commissioner’s guidance, MarvellousMe is the Data Processor, not the Data Controller, in relation to the personal data that we collect and process in the course of providing our service.
Our sub-processor (technical partner) is CloudThing Limited, a company incorporated under the laws of England with registered number 07510381, whose registered address is 14 The Square, Feckenham, Redditch, Worcestershire, B96 6HR, UK.
Nature and purposes of the processing
MarvellousMe collects and stores personal data from registered schools (clients) and users of the MarvellousMe website and apps to enable schools to send messages to parents and guardians (in particular to inform parents and guardians on their children’s progress and achievements), and to monitor communications sent home from school staff.
Categories of data subject
The categories of data subjects are teachers and school staff, parents, guardians and pupils.
Type of personal data
To provide the core service, MarvellousMe processes the following personal data:
- Pupils: First and last name, unique pupil number, school registration group/classes.
- Teacher/school staff: Name, email, registration group/classes.
- Parent/guardian: Name, email, device ID.
Our policies and procedures
We updated our policies and procedures to comply with GDPR:
- We updated our School Terms and Conditions, incorporating the government’s own GDPR Contract Clauses (published by the Crown Commercial Service – Dec 2017) in our Data Processing Schedule with school clients. This is available to schools on request.
- We updated our Sub-Processor agreement, ensuring that any third-party processing personal data on our behalf is GDPR.
Should you require any further information, please contact us.
Last updated: February 2019