Introduction

JustMaths has several responsibilities as a data processor under the Data Protection Act (DPA) and the General Data Protection Regulation (GDPR). We are registered with the Information Commissioners Office (ICO) with registration reference C1478973.

Whilst there can be no such thing as a completely secure system, JustMaths will endeavour to take all reasonable measures to ensure that data integrity and security is maintained at all times.

This policy was last updated on 28th February 2018.

The service

JustMaths is a cloud-based service currently running on servers controlled by WPEngine based within the UK. WPEngine computing environments employ a number of virtual, physical and environmental controls to maintain data security and are ISO 27001:2013 certified. Further information about how WPEngine maintains the security of their environment can be found on their website.

We may also use other third parties in order to provide services, we will carefully select these third parties to ensure they have appropriate security measures in place to ensure your data security and integrity.

GDPR

The GDPR applies from 25th May 2018. As part of this, here are some useful things you may wish to know:

  • JustMaths is defined as a ‘processor’ with respect to school data. This means we will always act upon any authorised requests to add, update and delete data from JustMaths wherever possible.
  • JustMaths has decided not to process any data that falls under article 9 of the GDPR (Special categories of personal data). This means we do not process data such as ethnicity, political opinions, genetic data etc.
  • JustMaths’s data protection representative is Faisal Khawaja. He can be contacted via fize@justmaths.co.uk.
  • JustMaths does not process schools data based on consent, nor does it recommend that schools do so. Our legal basis’s for processing schools data are as follows:
    • The processing is necessary because of a legal obligation that applies to you. Schools have a legal obligation to provide students with an education. JustMaths are working on behalf of schools to help them support them in providing this.
    • The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions. Schools provide a public function and JustMaths are working on behalf of those schools. o The processing is in accordance with the “legitimate interests” condition. Schools have asked JustMaths to process this data and there is no “prejudicial effect on the rights and freedoms, or legitimate interests, of the individual”.
    • The processing is necessary in relation to a contract the individual has entered into. JustMaths would expect every stakeholder to have signed a contract with the school explaining the IT services that are necessary as part of the education services provided, therefore this fourth legal basis will apply in most cases.

Subject access requests

Under the DPA & GDPR, all individuals who are the subject of personal data held by JustMaths are entitled to:

  • Ask what information the company holds about them and why
  • Ask how to gain access to it
  • Be informed how to keep it up to date

JustMaths will provide school administrators with an automated subject access requests routine that will enable them to retrieve data related to stakeholders in the system. If we receive any requests directly, we may pass these back to the school’s JustMaths administrator where relevant, or will provide the requested information within 30 days of the request (provided we can verify the identity and authority of the person making the request).

Deletion of data

Upon the cancellation of a subscription, we will delete all personal data relating to your school from our JustMaths servers within 30 days.

We will keep a history of contact with the school for a period of up to 5 years after cancellation, to allow us to accurately answer any questions that may arise in the future.

3rd party processors

In order to provide our service, we work with trusted 3rd parties. Currently these are as follows: WPEngine, AWS, Apple, Microsoft, Google and Campaign Monitor. JustMaths will ensure that any 3rd parties have appropriate security credentials such as ISO 27001 certification and EU-US Privacy Shield compliance.

Security measures

We will endeavour to ensure that:

  • A SSL connection between the JustMaths.co.uk service and the client’s computer is active at all times for any logged in user
  • All JustMaths servers will have security updates applied regularly
  • All JustMaths servers will use a firewall that enforces strict rules on who can access what services
  • All JustMaths servers will have appropriate security settings to minimise the opportunities for malicious activity to take place
  • When a user changes their own password, it is encrypted, using the secure hashing and salting method
  • Administration passwords to the JustMaths.co.uk servers are not shared with any 3rd parties or employees who do not need access as part of their role
  • Any personally identifiable information provided by schools is not shared with any 3rd parties.
  • Access to the JustMaths offices are secured with appropriate physical measures
  • All JustMaths office computers and mobile devices use disk encryption
  • All JustMaths office computers and mobile devices have strong passwords or another secure authentication method
  • When sold or passed on, all JustMaths office computers and mobile devices will have their data securely erased
  • JustMaths staff will receive adequate training on data security and intrusion prevention
  • JustMaths staff will delete copies of school data from their own computers as soon as they no longer need it.

Redundancy, backup and disaster recovery

We will endeavour to ensure that:

  • The main JustMaths.co.uk database has a mirror database, ready to take over or restore from in the case of problems with the main database
  • We also keep daily server-level backups
  • Additional database-level backups are taken four times a day
  • Backup and restoration procedures are tested on a regular basis
  • Load balancing is employed when necessary
  • All servers are actively monitored for any disruption
  • Any disruption reported is investigated as soon as possible
  • Any disruption found is resolved as soon as possible

Changes to this policy

Changes may be made to this policy at any time, without prior notice.