Contents
- Who this policy applies to
- What assessment data we collect
- Data ownership and roles
- How we use your assessment data
- Data isolation and access control
- Who can see your data
- Data sharing — we don't share with Ofsted, DfE, or LAs
- Data retention and deletion
- Data export and portability
- Security measures
- Sub-processors we use
- Your rights under UK GDPR
- Contact
This policy explains how the School Governance Assurance Framework treats your school's assessment data as a data processor. Your school is the data controller. Your data is yours to own, control, export, and delete at any time.
1 Who this policy applies to
This Client Privacy policy applies to schools, academies, multi-academy trusts (MATs), and governing boards using the School Governance Assurance Framework platform at portal.governanceassurance.co.uk. This covers all eight tools: Board Assurance Audit, Website Check, Website Assurance, Board Intelligence Report, Meeting Agendas, School Progress Assurance, Statutory Assurance, and Headteacher Report.
The policy covers the school leadership, governors, trustees, clerks, and other school staff members who are authorised by the school to access the platform and complete governance assessments.
This policy is separate from our general Privacy Policy, which covers the marketing website and contact forms. For website data, see Privacy Policy.
2 What assessment data we collect
When your school uses the GAF platform tools, we collect and store the following data:
| Data field | What is collected |
|---|---|
| Organisation profile | School or trust name, town, postcode, and headteacher / CEO and Chair of Governors / Trustees names (used to label your assessment report). |
| User email and role | Email address and role of the person(s) completing or accessing the assessment (e.g., Governor, Trustee, Clerk, Headteacher, CEO). |
| Board Audit responses | For each element across the 11 governance functions and 3 stages (Compliance, Assurance, Continuity), the status you select: Not Started, Developing, or Secure. |
| Board Audit evidence notes | Optional text evidence you provide to support your assessment status (e.g., "Board reviewed this policy in October 2025"). |
| Website crawl data | URLs, page content, and compliance findings collected when the Website Check or Website Assurance tool scans your school website. |
| GIAS governor data | Governor names, roles, and appointment dates retrieved from the DfE Get Information About Schools (GIAS) register for the Board Intelligence Report. |
| SIP document uploads | School Improvement Plan documents uploaded for AI-assisted priority extraction within School Progress Assurance. |
| Governor names and assignments | Governor names assigned to statutory monitoring roles and SIP visit reports within Statutory Assurance and School Progress Assurance. |
| Headteacher termly data | Attendance, exclusions, staffing, budget, SIP progress, and safeguarding data entered via the Headteacher Report tool. |
| Submission metadata | Timestamps of when assessments, reports, and scans are started, updated, and completed. |
| Plan and action log | Any governance action items or development priorities you record in the platform. |
We do not collect or store personal data about individual pupils, staff, or parents. Your assessment should relate only to board-level governance processes and policies. Do not enter names, email addresses, or identifiable data about children or staff in evidence note fields.
3 Data ownership and roles
3.1 Your school is the Data Controller
Your school is the data controller for all assessment data submitted to the GAF platform. This means:
- Your school decides what data is entered, when assessments are completed, and how the assessment findings are used within the school
- Your school determines the lawful basis for processing governance data (typically legitimate interests in maintaining board governance standards)
- Your school is responsible for ensuring that any evidence notes comply with UK GDPR and do not contain inadvertent personal data
- Your school controls who within your organisation has access to the platform and your assessment data
3.2 School Governance Assurance Framework is the Data Processor
School Governance Assurance Framework (operated by Joshua Mangas) acts as a data processor on behalf of your school. This means:
- We process assessment data only on your instruction and for the purpose of providing the board audit tool
- We do not use your data for any secondary purpose (marketing, analytics, comparison with other schools, or research) without your explicit prior consent
- We implement appropriate technical and organisational security measures to protect your data
- We comply with UK GDPR Chapter V requirements for sub-processors
- We provide you with the access, export, and deletion capabilities you need to exercise control over your data
3.3 Data Processing Agreement
Subscribing schools have a Data Processing Agreement (DPA) in place that sets out the terms of our data processor relationship. Contact us at info@governanceassurance.co.uk to request a copy of the Standard DPA or discuss your school's specific requirements.
4 How we use your assessment data
We use your assessment data only for the following purposes:
- Providing the board audit tool — storing your responses, generating your governance assessment report, and enabling you to review and update your assessment over time
- Generating reports — creating a PDF or online report of your assessment results for your governance records
- Platform administration — notifying our operational team when a school submits an assessment so we can verify completion and provide any requested support
- Service improvement — anonymised usage data (e.g., "60% of schools selected Secure for question 1.2") may be used in aggregate to improve the framework questions and platform usability, with your prior consent if required
- Customer support — responding to requests for help accessing or exporting your data
We do not:
- Share your assessment responses with other schools or with Ofsted, the Department for Education (DfE), or local authorities
- Use your data for marketing or to target you with advertising
- Sell your data or share it with third-party analytics providers
- Use your data for benchmarking or comparison reports without your explicit consent
- Share individual school scores with any external body
5 Data isolation and access control
5.1 Row-level security
The GAF platform uses database row-level policies so that:
- Each school account can only read and write its own assessment data
- A school's data is completely isolated from all other schools' data at the database level
- Multi-school users (e.g., governance professionals or MAT staff with access to multiple schools) see only the schools they are explicitly added to
- Users cannot access data from schools they are not assigned to, even if they know the school ID
5.2 User access management
Your school manages user access to the platform. When you add a user to your school account:
- That user signs in using passwordless authentication (email one-time codes), or OAuth sign-in through Google or Microsoft (School Portal)
- The user can access only your school's assessment data (and any other schools you authorise)
- Your school can remove user access at any time, and the user will no longer be able to sign in
- All user actions (viewing, updating responses) are logged and can be audited
5.3 Administrative access
The School Governance Assurance Framework operator (Joshua Mangas) has separate administrative access to:
- View service-level metrics and usage (e.g., number of active schools, submissions per week)
- Access individual school data only when explicitly requested by the school for support or technical troubleshooting
- Respond to data subject access requests (SARs) and deletion requests
Administrative access is logged and restricted to authorised personnel only.
6 Who can see your data
6.1 Your school's users
Only the users (governors, staff, clerks) that your school has explicitly added to your account can see your assessment data. Your school controls this access list.
6.2 School Governance Assurance Framework support team
The GAF support team can access your data only to:
- Respond to your support request (e.g., "I can't access my assessment")
- Troubleshoot technical issues
- Fulfil data subject access requests or deletion requests
Support staff do not routinely view school data and do so only when necessary for these purposes.
6.3 Who cannot see your data
Your assessment data is not accessible to:
- Ofsted or other school inspectorates
- The Department for Education (DfE)
- Local authorities
- Governor services, consultants, or third-party governance providers (unless you manually export and share your report with them)
- Other schools or MATs
- Marketing, analytics, or advertising partners
7 Data sharing — we don't share with Ofsted, DfE, or LAs
7.1 Clear policy: no automatic sharing
We do not automatically share your school's assessment data with any external body. This includes:
- Ofsted — your GAF assessment is not sent to Ofsted and does not form part of any inspection dataset
- Department for Education (DfE) — your data is not shared with the DfE
- Local authorities — your data is not shared with your local authority
- Governor services and third-party providers — your data is not sold or provided to external companies
7.2 You control sharing
You have complete control over whether and how to share your assessment findings:
- Internal sharing within your school — you decide who within your leadership team, governors, and staff can see your assessment results
- Exporting your report — you can export your assessment summary as a PDF report (see section 9) and share this with whoever you choose (e.g., your local authority, an external governance consultant, or for inspection preparation)
- External partnerships — if you choose to share your assessment with a third party (e.g., a governance service or consultant), that is your decision and responsibility
7.3 Legal obligations
We may disclose your data if required by law, court order, or lawful authority (e.g., a police investigation). We will inform you of such a request where legal constraints permit.
7.4 Sub-processors
We use third-party infrastructure providers to operate the School Governance Assurance Framework (see section 11). These providers may have access to encrypted or anonymised metadata but do not have access to the content of your assessment responses in unencrypted form (with the exception of our database processor, Supabase, and AI processor, Anthropic, which are explicitly named in this policy).
8 Data retention and deletion
8.1 How long we retain your data
| Data type | Retention period |
|---|---|
| Board audit responses and evidence | Retained for the duration of your school's active use of the platform plus 2 years. After your school's account is closed or you request deletion, data is deleted from the database within 30 days of the closure request. |
| Organisation profile (name, postcode, headteacher / CEO) | Retained while the account is active. Deleted within 30 days of account closure or deletion request. |
| User data (email, role) | Retained for as long as the user has access to the platform. Deleted within 30 days when the user is removed or when the school account is closed. |
| Authentication one-time codes | One-time codes expire after approximately 1 hour. Email provider logs are retained according to the provider's retention policy (typically 30-90 days). |
| Payment records | Retained for 7 years in accordance with HMRC requirements. |
| Platform activity logs | Logs of user actions (sign-in, data updates, exports) are retained for 1 year for security and audit purposes. |
8.2 How to request deletion
Your school can request deletion of all assessment data at any time:
- Contact info@governanceassurance.co.uk and request deletion of your school account
- Specify which data you wish to delete (all data or specific assessments)
- We will delete the data within 30 days and confirm completion to you
- Deletion is permanent and cannot be reversed — ensure you have exported your data if you need to keep a copy
8.3 Right to erasure
Under UK GDPR Article 17, your school has the right to request erasure of personal data. We will delete your assessment data and user records upon request unless a legal obligation requires us to retain the data.
9 Data export and portability
9.1 Exporting your assessment
Your school can export your assessment data at any time from the platform:
- PDF report — download a formatted governance assessment report showing your school name, assessment date, status for each question, and any evidence notes you have added
- Data portability request — request your assessment data in machine-readable format (CSV or JSON) containing all responses and metadata
9.2 Requesting data portability
Under UK GDPR Article 20, you have the right to data portability. To request your assessment data in a structured, machine-readable format:
- Contact info@governanceassurance.co.uk with a data portability request
- Include your school name or account ID
- Specify the format (CSV, JSON, or other)
- We will provide the data within 30 days
9.3 Data format
Exported data will include:
- Organisation profile information (name, postcode, headteacher / CEO, Chair of Governors / Trustees)
- All assessment responses (question ID, status, evidence text)
- Submission timestamps and user information
- Any action log or development plan entries
Data is provided in a format suitable for import into other governance or compliance tools, or for storage in your own records.
10 Security measures
10.1 Data encryption in transit
All communication between your browser and the GAF platform is encrypted using TLS 1.2 or higher. This applies to:
- Sign-in and authentication
- Assessment data submission
- Data export and report generation
10.2 Data encryption at rest
Assessment data stored in the Supabase database is protected by Supabase's standard encryption and physical security measures.
10.3 Access controls
- Passwordless authentication — users sign in via email one-time codes, or OAuth sign-in through Google or Microsoft (School Portal). No passwords are stored
- Session tokens — user sessions are authenticated with secure, expiring tokens stored in the browser
- Row-level database policies — the database enforces that users can only query their own school's data
- Administrative access — limited to named staff with strong authentication and audit logging
10.4 Vulnerability management
We monitor platform security through:
- Regular security updates to platform dependencies
- SSL/TLS certificate management and renewal
- Server and database hardening
- Incident response procedures
10.5 What you can do
To protect your school's data:
- Keep your sign-in email address secure and do not share it with unauthorised users
- Only add staff to your account who need access to the assessment
- Do not enter personal data about pupils, staff, or parents in assessment evidence notes
- Review your user access list periodically and remove users who no longer need access
- Report any suspected data breach or security incident to info@governanceassurance.co.uk immediately
11 Sub-processors we use
11.1 Supabase (database and authentication)
Role: Data processor
Data processed: School profile, user email addresses, assessment responses and evidence, timestamps, action logs
Location: EU-hosted PostgreSQL database (Ireland region)
Security: Supabase provides encryption in transit and at rest, access controls, and standard data centre security
More information: supabase.com/privacy
11.2 Cloudflare (website hosting and content delivery)
Role: Sub-processor (hosting and CDN)
Data processed: HTTP request metadata (IP addresses, request logs), authentication requests
Location: Global content delivery network
Security: Cloudflare provides DDoS protection, TLS termination, and standard server security
More information: cloudflare.com/privacypolicy
11.3 Vercel (application hosting)
Role: Sub-processor (hosting and serverless functions)
Data processed: HTTP request metadata, server-side rendered pages, API requests
Location: Global edge network (primary region: EU/London)
Security: Vercel provides TLS encryption, DDoS protection, and SOC 2 compliant infrastructure
More information: vercel.com/privacy-policy
11.4 Resend (email delivery)
Role: Sub-processor (email delivery)
Data processed: Email address, one-time code tokens, notification content
Security: Email in transit is encrypted where supported by receiving systems
Retention: Email provider logs follow their standard retention policies
More information: resend.com/privacy-policy
11.5 Stripe (payment processing)
Role: Sub-processor (payment processing)
Data processed: Billing email, payment card details (handled entirely by Stripe), subscription status, invoices
Location: EU and US infrastructure
Security: Stripe is PCI DSS Level 1 certified. Payment card details are never stored on the GAF platform
More information: stripe.com/gb/privacy
11.6 Google (OAuth authentication)
Role: Sub-processor (identity provider)
Data processed: Email address and basic profile information during OAuth sign-in
Security: Google OAuth 2.0 with industry-standard security controls
More information: policies.google.com/privacy
11.7 Microsoft (OAuth authentication)
Role: Sub-processor (identity provider for School Portal)
Data processed: Email address and basic profile information during OAuth sign-in
Security: Microsoft OAuth 2.0 / OpenID Connect with enterprise-grade security
More information: privacy.microsoft.com
11.8 Anthropic (AI-assisted document processing)
Role: Sub-processor (AI processing)
Data processed: Document text submitted for AI-assisted extraction or generation (e.g., School Improvement Plan data). Data is processed transiently and not retained by Anthropic for training purposes
Security: Anthropic provides enterprise-grade API security with encryption in transit and SOC 2 compliance
More information: anthropic.com/privacy
11.9 Google Fonts
Role: Third-party service (not a processor of assessment data)
Data processed: IP address and user agent (as part of serving font files)
Purpose: Loading typefaces for the website and platform UI
More information: Google Fonts privacy
11.10 EmailJS (contact form email delivery)
Role: Sub-processor (email delivery)
Data processed: Contact form submissions (name, email, message content) routed via client-side email service
Location: EU/US
Security: TLS encryption in transit
More information: emailjs.com/privacy-policy
11.11 Data Processing Agreements
All sub-processors are contractually bound to protect your data and comply with UK GDPR Chapter V requirements. Members have access to a complete list of sub-processors and their Data Processing Agreements. Contact us at info@governanceassurance.co.uk to request this information.
12 Your rights under UK GDPR
As your school is the data controller for assessment data, your school (and individual staff members as data subjects) has the following rights under UK GDPR:
12.1 Right of access
Your school can access all assessment data stored in your account at any time by signing into the platform. You can also make a formal Subject Access Request (SAR) for a structured export of your data. We will respond within 30 days.
12.2 Right to rectification
If assessment data is inaccurate or incomplete, your school can:
- Update responses and evidence directly in the platform
- Request correction of profile information (name, postcode, headteacher / CEO details)
12.3 Right to erasure ("right to be forgotten")
Your school can request deletion of all assessment data at any time. We will delete the data within 30 days. Deletion is permanent and cannot be reversed.
12.4 Right to restrict processing
Your school can request that we restrict processing of your data (e.g., pause access to the platform while a dispute is resolved). Contact info@governanceassurance.co.uk to arrange this.
12.5 Right to data portability
Your school has the right to request assessment data in a structured, machine-readable format (CSV or JSON) suitable for transfer to another service. See section 9 for details.
12.6 Right to object
Your school can object to processing of assessment data based on legitimate interests. If you object, we will cease processing unless we can demonstrate compelling legitimate grounds (e.g., legal obligation). Contact us to exercise this right.
12.7 How to exercise your rights
To exercise any of the above rights:
- Contact info@governanceassurance.co.uk with your request
- Include your school name and account email
- Specify which right you are exercising and what data your request relates to
- We will respond within 30 days and at no cost to you
- We may ask you to verify your identity before fulfilling a request
12.8 Right to lodge a complaint
If you believe the School Governance Assurance Framework is not complying with UK GDPR or this policy, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
13 Contact
13.1 Questions about this policy or your data
For questions about how the School Governance Assurance Framework handles your school's assessment data, or to exercise your rights:
- Email: info@governanceassurance.co.uk
- Subject line: "Client Privacy Request" or "Data Subject Access Request"
- Response time: We aim to respond within 10 working days for general enquiries and within 30 calendar days for formal data requests
13.2 Data Protection Officer (DPO)
The School Governance Assurance Framework does not currently employ a designated DPO. For data protection matters, contact Joshua Mangas (the platform operator) at info@governanceassurance.co.uk.
13.3 Changes to this policy
We may update this Client Privacy policy from time to time to reflect changes to our service, legal requirements, or security practices. Material changes will be communicated to active schools by email or in-app notification where practicable.
The "Last updated" date at the top of this page reflects the most recent version.
13.4 Related policies
- General Privacy Policy — covers data collection on the marketing website and contact forms
- Terms of Use — terms for using the GAF platform and website
- Cookie Policy — how cookies and localStorage are used
- Data Protection — additional data protection information