Contents
- Our Commitment to Data Protection
- Data Controller Information
- Legal Framework
- Data We Process
- Data Processing for Schools
- Technical and Organisational Measures
- International Data Transfers
- Your Rights Under UK GDPR
- Data Protection Impact Assessment
- Data Breach Notification
- Children's Data
- Changes to This Policy
- Making a Complaint
- Contact Us
1. Our Commitment to Data Protection
The School Governance Assurance Framework™ (GAF) is committed to protecting the privacy and security of all personal data we process. We understand that data protection is not just a legal requirement under UK GDPR and the Data Protection Act 2018, but a fundamental responsibility that underpins trust in our service.
This Data Protection Policy explains how we collect, use, store, and protect personal data when you use the School Governance Assurance Framework. It describes your rights under UK GDPR and how we ensure compliance with data protection legislation.
We apply data protection principles by design and by default, meaning privacy and security considerations are built into every stage of our service delivery, from initial service design through to ongoing operations and eventual deletion of data.
2. Data Controller Information
About Us
The School Governance Assurance Framework is operated by Joshua Mangas, a sole trader registered in the United Kingdom. For data protection purposes, Joshua Mangas is the Data Controller for the School Governance Assurance Framework service.
Data Controller Details
| Name | Joshua Mangas |
| Trading Name | The School Governance Assurance Framework |
| Business Address | United Kingdom |
| Email | info@governanceassurance.co.uk |
| Website | https://governanceassurance.co.uk |
Data Protection Officer
As a small organisation, we do not have a dedicated Data Protection Officer. However, all data protection queries can be directed to the Data Controller contact details above.
ICO Registration
Joshua Mangas is registered with the Information Commissioner's Office (ICO) as a Data Controller under UK GDPR. ICO registration is pending confirmation of registration number. Our registration details will be publicly available on the ICO's register once confirmed.
3. Legal Framework
The School Governance Assurance Framework's data protection practices are governed by the following UK legislation:
UK General Data Protection Regulation (UK GDPR)
The UK GDPR applies to all processing of personal data. This regulation provides individuals with comprehensive rights over their data and requires organisations to process data lawfully, fairly, and transparently.
Data Protection Act 2018
The Data Protection Act 2018 supplements the UK GDPR by setting out specific rules for sensitive personal data processing and provides exemptions in certain circumstances, particularly relevant to education and public authorities.
Other Relevant Legislation
- Education (Pupil Information) (England) Regulations 2005 – Where governance data involves pupil information, this statutory framework applies
- UK GDPR Article 6 – Lawful basis for processing personal data
- UK GDPR Article 9 – Processing of special category data where applicable
- Privacy and Electronic Communications Regulations 2003 – For any direct marketing communications
Our Obligations
As a Data Controller, we must:
- Process personal data lawfully, fairly, and transparently
- Collect data for specified, explicit, and legitimate purposes
- Ensure data is adequate, relevant, and limited to what is necessary
- Keep data accurate and up to date
- Keep data in a form which permits identification of data subjects for no longer than necessary
- Process data securely and maintain integrity and confidentiality
- Be accountable and demonstrate compliance with these principles
4. Data We Process
The School Governance Assurance Framework processes personal data across 8 platform tools: Board Assurance Audit, Website Check, Website Assurance, Board Intelligence Report, Meeting Agendas, School Progress Assurance, Statutory Assurance, and Headteacher Report. The table below outlines the types of data, purposes, legal basis, and retention periods:
| Data Category | Examples | Purpose | Legal Basis | Retention Period |
|---|---|---|---|---|
| Authentication Data | Email address, authentication tokens | User identification and account access control | Performance of contract (service provision) | Deleted within 30 days of account closure request |
| Account Information | Full name, job title, school/organisation name, role in governance | Account administration, user profile, service delivery | Performance of contract and legitimate interests | Deleted within 30 days of account closure request |
| Assessment Data | Responses to governance assessment questions, board audit scores, governance area ratings, evidence notes | Provision of board audit tool, recommendations, governance improvement planning | Performance of contract and school's legitimate interests in governance improvement | Duration of active use plus 2 years |
| Usage Data | Timestamps, pages visited, sections completed, time spent on assessments, feature usage patterns | Service improvement, analytics, feature development, user experience optimisation | Legitimate interests (service improvement) | 24 months |
| Communication Data | Email correspondence, support tickets, feedback submitted through the platform | Customer support, feature requests, complaints handling, service improvements | Performance of contract and legitimate interests | 3 years (for complaints and evidence) |
| Payment Data | School name, billing address, payment method details (processed by payment provider) | Invoice generation, billing, payment processing | Performance of contract | 7 years (HMRC requirement) |
| Website Scan Data | School website URL, crawl data, page content, compliance findings, termly scores | Provision of Website Check and Website Assurance tools | Performance of contract (membership) and legitimate interests (free check) | Duration of active use plus 2 years |
| Governance Intelligence Data | Aggregated GIAS records, Ofsted history, Companies House filings, DfE performance data, AI-generated recommendations | Provision of Board Intelligence Report | Performance of contract | Duration of active use plus 2 years |
| Governor Assignment Data | Governor names, statutory monitoring role assignments, SIP priority assignments, visit report content | Provision of School Progress Assurance and Statutory Assurance tools | Performance of contract | Duration of active use plus 2 years |
| Headteacher Report Data | Aggregate school data: attendance rates, exclusion numbers, staffing figures, budget summary, SIP progress, safeguarding updates | Provision of Headteacher Report and Board Intelligence Report | Performance of contract | Duration of active use plus 2 years |
| SIP Document Data | Uploaded SIP files, AI-extracted priorities, named priority leads, school identity data | Provision of School Progress Assurance tool | Performance of contract | Duration of active use plus 2 years |
| Technical Data | IP address, browser information, device type, log files, error reports | Service security, troubleshooting, system administration, fraud prevention | Legitimate interests (security and service operation) | 12 months |
Basis for Processing
We process personal data based on the following lawful bases:
- Performance of Contract (Article 6(1)(b)): Processing necessary to provide the School Governance Assurance Framework service to schools and governors
- Legitimate Interests (Article 6(1)(f)): Where processing supports service improvement, security, fraud prevention, and analytics
- Legal Obligation (Article 6(1)(c)): Where required by law, such as HMRC record-keeping and ICO compliance
- Consent (Article 6(1)(a)): Where explicitly provided by users for specific purposes, such as marketing communications
We do not process special category data (sensitive personal data) under Article 9 of UK GDPR. The Headteacher Report collects aggregate school-level data (attendance rates, exclusion numbers, staffing figures) rather than individual pupil records. Any school-level data entered remains under the school's control as Data Controller.
5. Data Processing for Schools
Our Role as Data Processor
When schools use the School Governance Assurance Framework, the school (or its governing board) is the Data Controller of governance-related data entered into the platform. The School Governance Assurance Framework acts as a Data Processor on behalf of the school across all 8 platform tools: Board Assurance Audit, Website Check, Website Assurance, Board Intelligence Report, Meeting Agendas, School Progress Assurance, Statutory Assurance, and Headteacher Report.
Data Processing Agreement
Schools using the School Governance Assurance Framework enter into our terms of service, which establish our relationship and set out data processing arrangements. Key points include:
- The school remains the Data Controller of all data entered into the assessment
- GAF processes data only on the school's instructions and in accordance with their data protection obligations
- GAF implements appropriate technical and organisational security measures
- GAF does not share school data with third parties except as necessary for service provision
- Schools retain the right to access, export, and delete their data
- GAF cooperates with Data Subject Access Requests (DSARs) initiated by individuals
School Responsibilities
As Data Controllers, schools are responsible for:
- Ensuring they have a lawful basis for processing data they input into the assessment
- Obtaining necessary consents from governors and staff whose data is included
- Providing privacy notices to data subjects about how their data is processed
- Complying with their own data protection obligations under UK GDPR
- Keeping their user account secure
- Notifying GAF of any data breaches involving data processed through the platform
Sub-processors
The School Governance Assurance Framework engages the following sub-processors to provide infrastructure, security, and service delivery:
- Supabase — Database hosting and authentication services
- Stripe — Payment processing
- Resend — Transactional email delivery
- Vercel — Application hosting and deployment
- Google — OAuth authentication provider
- Microsoft — OAuth authentication provider
- Anthropic — AI processing for governance document analysis
- Cloudflare — CDN, DNS, and DDoS protection for the marketing site
- EmailJS — Contact form email delivery (marketing site only)
- Google Fonts — Typography delivery for the marketing site
Full details of sub-processors and their data processing locations are available upon request from info@governanceassurance.co.uk.
Data Ownership and Portability
Schools retain full ownership of all assessment data they input into the platform. Schools can request data export in machine-readable format (typically CSV or JSON) at any time. Upon request or account closure, schools can retrieve all their data or request deletion subject to applicable retention requirements.
6. Technical and Organisational Measures
We implement comprehensive technical and organisational security measures to protect personal data against unauthorised access, alteration, disclosure, or destruction.
Technical Security Measures
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
- Encryption at Rest: Sensitive data stored in our database is encrypted at rest using industry-standard encryption algorithms
- Database Security: Our database is hosted on Supabase's EU-hosted infrastructure with automatic backups and disaster recovery capabilities
- Access Control: User authentication uses passwordless methods: email one-time codes via Supabase Auth, or OAuth sign-in through Google or Microsoft. No passwords are stored
- Session Management: User sessions are protected with secure tokens and expire after periods of inactivity
- API Security: All API endpoints are secured with authentication tokens and rate limiting to prevent abuse
- HTTPS Only: The entire platform operates over HTTPS with HSTS headers enabled
- Web Application Firewall: Our infrastructure includes DDoS protection and web application firewall rules
- Security Logging: All access to sensitive systems is logged for audit and security monitoring purposes
- Vulnerability Management: We conduct regular security assessments and promptly patch known vulnerabilities
Organisational Security Measures
- Data Protection Awareness: The data controller ensures appropriate data protection awareness and maintains confidentiality obligations for all personnel with access to personal data
- Access Control Policies: Personnel access to personal data is restricted to those with a legitimate need and appropriate role-based permissions
- Data Processing Instructions: Clear data processing policies and procedures govern how personal data is handled
- Incident Response Plan: We maintain documented procedures for responding to and reporting data breaches
- Privacy by Design: Data protection is considered during the design and development of all features and updates
- Regular Audits: We conduct periodic security reviews and vulnerability assessments
- Third-party Vetting: Any sub-processors and third-party providers are assessed for data security capabilities before engagement
Supabase Infrastructure
The School Governance Assurance Framework uses Supabase for database hosting and authentication services. Supabase provides:
- PostgreSQL database hosting in EU data centres, ensuring data residency within the UK/EU
- Enterprise-grade security with SOC 2 Type II compliance
- Automated daily backups with point-in-time recovery
- Network-level security with VPC isolation
- Comprehensive audit logging of database access
- Row-level security policies for granular access control
For detailed information about Supabase's security practices and compliance certifications, visit supabase.com/security.
7. International Data Transfers
Data Location
The primary database (Supabase) is hosted within the European Union. The school portal application (Vercel) is configured to the London region. However, some processing does involve international data transfers to the United States, as detailed below.
International Transfers
The following sub-processors transfer data outside the UK and EU:
- Anthropic (United States) — AI processing of uploaded documents and governance data. Data is processed via the Anthropic API and retained by Anthropic for up to 30 days for trust and safety purposes, then deleted. Anthropic does not use API data to train its models. Covered by Anthropic's Standard Contractual Clauses (SCCs) and SOC 2 Type II certification.
- Resend (United States) — transactional email delivery for account notifications and one-time codes. Covered by Resend's SCCs and data processing agreement.
- Google (United States / Global) — OAuth authentication provider. Authentication tokens are processed through Google's global infrastructure. Covered by Google's SCCs and data processing terms.
- Microsoft (United States / Global) — OAuth authentication provider. Authentication tokens are processed through Microsoft's global infrastructure. Covered by Microsoft's SCCs and data processing terms.
- Stripe (United States) — payment processing and subscription management. Covered by Stripe's SCCs and PCI DSS compliance.
Safeguards
All international transfers are protected by:
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner
- Each provider's own compliance frameworks and data processing agreements
- Technical measures including encryption in transit and at rest
- Where applicable, data minimisation to limit the volume of data transferred
EU-UK Data Flows
Where data is stored in EU infrastructure (Supabase), such transfers are permitted under UK GDPR on the basis that the EU has been determined to provide an adequate level of data protection.
Changes to Data Location
Should we change our infrastructure providers or data locations in future, we will notify existing users and ensure appropriate safeguards are in place before any new transfer begins. Any such changes will be made in compliance with UK GDPR requirements and users will be given reasonable notice.
8. Your Rights Under UK GDPR
Under UK GDPR, individuals have the following rights in relation to personal data held about them:
Right of Access (Subject Access Request)
You have the right to request confirmation of whether we hold personal data about you and, if so, to obtain a copy of that data. Subject Access Requests (SARs) should be made in writing to info@governanceassurance.co.uk. We will respond within 30 calendar days. If your request is complex, we may extend this to 60 days with written notice.
Right to Rectification
If you believe personal data we hold about you is inaccurate or incomplete, you have the right to request correction or completion. You may be able to update certain information directly through your account dashboard. For other updates, please contact info@governanceassurance.co.uk.
Right to Erasure ("Right to be Forgotten")
In certain circumstances, you have the right to request deletion of personal data. This right applies when:
- The data is no longer necessary for its original purpose
- You withdraw consent (where consent was the lawful basis)
- You object to processing and we have no overriding legitimate interest
- The data has been unlawfully processed
- Deletion is required by law
However, erasure may be restricted where data must be retained for legal, compliance, or legitimate business reasons. Contact info@governanceassurance.co.uk to exercise this right.
Right to Restrict Processing
You may request that we limit how we process your personal data. This is useful when you believe data is inaccurate (while we verify), when processing is unlawful (but you prefer restriction to deletion), or when you contest the processing. During restriction, we will store the data but not actively process it beyond keeping it secure.
Right to Data Portability
You have the right to request your personal data in a structured, commonly used, machine-readable format (such as CSV or JSON) and to transmit that data to another service. This right applies where processing is based on consent or contract. To exercise this right, contact info@governanceassurance.co.uk.
Right to Object
You have the right to object to processing of your personal data on the basis of legitimate interests. Following a valid objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests and rights. Contact info@governanceassurance.co.uk to lodge an objection.
Rights Related to Automated Decision-Making
You have rights in relation to automated decision-making, including profiling, that produces legal or similarly significant effects. The School Governance Assurance Framework does not use automated decision-making to make decisions that affect users' legal status or significant interests. However, we provide assessment scores and recommendations generated algorithmically from responses you provide. These are intended as guidance to support human decision-making by governance boards, not to replace human judgment.
Right to Withdraw Consent
Where we process data based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing based on consent given before withdrawal. To withdraw consent, contact info@governanceassurance.co.uk.
Exercising Your Rights
To exercise any of the above rights, please contact us at info@governanceassurance.co.uk with clear details of your request and the right you are exercising. We will respond within 30 calendar days and may ask for proof of identity to verify your request. There is no charge for exercising these rights unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline to respond.
9. Data Protection Impact Assessment
DPIA Overview
A Data Protection Impact Assessment (DPIA) is a process for identifying and mitigating risks associated with data processing. Given the nature of the School Governance Assurance Framework and the types of data processed, we have conducted a DPIA covering the following areas:
Processing Activities Assessed
- Collection and storage of governor personal data and governance assessment responses
- Use of authentication data for account access and identification
- Analytics and usage tracking for service improvement
- Sub-processing through Supabase infrastructure
- Data retention and eventual deletion procedures
Risk Assessment
Our DPIA identified the following risks and corresponding mitigation measures:
- Risk: Unauthorised access to assessment data. Mitigation: Encryption in transit and at rest, access controls, authentication requirements, audit logging
- Risk: Data loss due to system failure. Mitigation: Automated daily backups, multi-region redundancy, disaster recovery procedures
- Risk: Unintended data sharing or disclosure. Mitigation: Data minimisation practices, sub-processor agreements, access control policies, staff training
- Risk: Retention of data beyond necessary period. Mitigation: Documented retention schedule, automated deletion procedures, audit trails
- Risk: Insufficient transparency. Mitigation: Clear privacy notices, detailed data protection policies, easy access to data subject rights
Conclusion
The DPIA concludes that processing by the School Governance Assurance Framework presents a low to medium residual risk level, with identified risks adequately mitigated by the technical and organisational measures in place. The processing is proportionate to the legitimate aims of providing a governance board audit tool to UK schools.
DPIA Review
We review our DPIA annually and following any significant changes to our processing activities, infrastructure, or sub-processors. A detailed DPIA document is available on request from info@governanceassurance.co.uk.
10. Data Breach Notification
Our Breach Response Procedure
We take data security very seriously and maintain documented procedures for responding to any data breach or suspected breach of personal data security. A data breach is any incident where personal data is lost, stolen, corrupted, or accessed by unauthorised individuals.
Breach Detection and Notification Timeline
Upon becoming aware of a data breach, we will:
- Immediately: Isolate affected systems and prevent further unauthorised access
- Without undue delay: Conduct a preliminary investigation to determine the scope, nature, and likely consequences of the breach
- Within 72 hours: Notify the Information Commissioner's Office (ICO) where a breach is likely to pose a risk to the rights and freedoms of individuals
- Without undue delay: Notify affected data subjects where a breach is likely to result in high risk to their rights and freedoms
Breach Assessment
When determining whether to notify, we assess whether a breach is "likely to result in a risk to the rights and freedoms of natural persons," considering factors such as:
- The nature and scope of the data compromised
- The number of individuals affected
- Whether identification is possible
- The likelihood and severity of the harm
- Whether the data was encrypted or otherwise protected
- Whether the breach has already caused demonstrable harm
Notification Content
Where notification to data subjects is required, we will provide clear information including:
- The name and contact of our Data Controller
- A description of the likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate harm
- The contact point for further information
School Notification
For schools using the School Governance Assurance Framework, we will notify the school's nominated contact immediately upon discovery of any breach affecting their data, regardless of whether ICO notification is required. Schools are responsible for assessing whether they must notify their own data subjects (governors, staff, or pupils) based on their obligations as Data Controller.
Investigation and Records
All suspected and confirmed data breaches are investigated and documented. We maintain a breach register recording the date, facts, effects, and remedial actions for each incident. This information is available to the ICO upon request and is used to identify patterns and improve security over time.
Reporting a Breach
If you suspect a data breach or security incident affecting the School Governance Assurance Framework, please report it immediately to info@governanceassurance.co.uk with as much detail as possible.
11. Children's Data
Direct Processing of Children's Data
The School Governance Assurance Framework does not directly collect or process personal data from children. The primary users of the platform are governors and school leaders aged 18 and over. We do not knowingly process information that directly identifies children.
Indirect References to School Performance Data
The Headteacher Report and Board Intelligence Report may contain aggregate school performance data such as attendance rates, exclusion numbers, and progress measures. This data:
- Is aggregated at whole-school level and does not identify individual pupils
- Is entered by the school (as Data Controller) or sourced from publicly available DfE datasets
- Remains under the school's control and responsibility as Data Controller
School Responsibilities
Schools using the School Governance Assurance Framework remain responsible for:
- Ensuring they have an appropriate lawful basis to enter any school performance data into the platform
- Only entering aggregate school-level data, not individual pupil records
- Complying with the Education (Pupil Information) (England) Regulations 2005 where applicable
Children's Access to Accounts
Governance accounts are created for school staff aged 18 and over. If we become aware that a child has created an account or provided personal information, we will take steps to delete such information and notify appropriate parties. Schools should ensure governance portals are accessed only by authorised adults.
Age Verification
By creating an account and using the School Governance Assurance Framework, you confirm that you are aged 18 or over. We do not intentionally collect data from anyone under 18 for the purpose of providing the service.
12. Changes to This Policy
Policy Updates
We may update this Data Protection Policy from time to time to reflect changes in our processing activities, legal requirements, or security practices. The date at the top of this policy indicates when it was last updated.
Notification of Changes
When we make material changes to this policy, we will notify users of the School Governance Assurance Framework by email or through an in-app notification. Material changes include those that:
- Alter our processing purposes or legal basis
- Introduce new sub-processors or third-party services
- Change data retention periods
- Affect users' rights or our security practices
- Require user action or consent
Continued Use
Your continued use of the School Governance Assurance Framework following notification of changes constitutes your acceptance of the updated policy. If you do not accept changes, you have the option to delete your account and cease using the service.
Policy Versions
Previous versions of this policy are available on request from info@governanceassurance.co.uk.
13. Making a Complaint
Internal Complaint Process
If you have concerns about how the School Governance Assurance Framework processes your personal data or believe we have breached UK GDPR or the Data Protection Act 2018, please contact us first:
Data Controller:
Joshua Mangas
Email: info@governanceassurance.co.uk
We will acknowledge your complaint within 7 business days and provide a substantive response within 30 days. If your complaint is complex or requires investigation, we may extend our response timeline and will notify you of the revised timeframe.
Information Commissioner's Office (ICO)
You have the right to lodge a complaint with the Information Commissioner's Office, the UK's independent data protection authority. This right exists regardless of any internal complaint process:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: +44 1625 545745
Email: casework@ico.org.uk
Website: https://ico.org.uk
Cooperation with ICO
We fully cooperate with ICO investigations and will provide requested information and documentation to assist the ICO in investigating complaints. We will not hinder or obstruct any ICO investigation.
Other Regulatory Bodies
If your complaint relates to education law or school governance more broadly, you may also wish to contact:
- Ofsted (Office of Standards in Education) for concerns about school governance standards
- Department for Education for policies affecting school governance
- Your local authority for local school governance issues
14. Contact Us
For any questions, requests, or concerns relating to this Data Protection Policy or our data protection practices, please contact the Data Controller:
Data Controller Contact
Joshua Mangas
School Governance Assurance Framework
Email: info@governanceassurance.co.uk
Website: https://governanceassurance.co.uk
We aim to respond to all data protection queries within 5 business days. For Subject Access Requests and other formal GDPR requests, please allow up to 30 calendar days for our response.
Data Protection Queries
The following types of queries can be directed to the contact above:
- Questions about this Data Protection Policy
- Requests to exercise GDPR rights (access, rectification, erasure, portability, etc.)
- Subject Access Requests (SARs)
- Data breach reports or security concerns
- Complaints about data processing practices
- Requests for information about sub-processors or data locations
- Requests to review Data Protection Impact Assessment documents
- Feedback on our privacy and data security practices