data protection, hosting and security

SchoolPost is usually provided as a securely hosted 'in the cloud' application, although there is also an option to host the database in-house if preferred. In either case we take the security of your data very seriously.

Customer data and privacy

All data (for example including but not limited to contact data, SchoolPost messages and publications) remains the property of the customer. Data is not shared with or passed to any third party without express permission. Employee access to any sensitive or confidential data is strictly limited to only that which is necessary in the execution of duties e.g. technical support, and all staff with any access to contact data are DBS checked. All customer data is returned and/or deleted on request or on termination of a contract.

Data Protection Act 1988

Empetus Limited is registered under the terms of the Data Protection Act 1998, registration no. Z1559972, and complies with all obligations imposed under the act. We will only act on instructions from you in relation to the processing of any personal data by us on your behalf. We have appropriate security measures in place to protect against unlawful or unauthorised processing of personal data, and against loss or corruption. All customer data is returned and/or deleted on request or on termination of a contract.

General Data Protection Regulation (GDPR)

All schools/customers have now been sent a copy of our new Data Processing Agreement which sets out out how we will only process data on your instructions, and in compliance with the GDPR. The schedules to the agreement also set out the types and categories of data we process, the nature and purpose of the processing, details of sub-contractors, and the security measures that we have in place. In summary, we will comply with all obligations imposed on us as a Data Processor and will:

only process personal data on instructions from the controller, and only for the purposes of providing SchoolPost services;
not share personal data with any third parties without prior written consent;
ensure that personnel authorised to process personal data are committed to confidentiality;
ensure appropriate security measures are in place;
assist the controller in complying with data subject rights and fulfilling any breach notification obligations;
delete or return all personal data after the end of the processing (on termination of a contract or otherwise on request);
not transfer personal data outside the EEA without prior written consent (in fact all our hosting is UK based).

Please contact us if you require any further information.