There were no results for your search.



Under the UK GDPR a Customer using the Platform is considered "data controller" of their data and the Company is a "data processor".

What personal data is stored?

Who can access data?

Data Retention and Your Data Rights


Cookie Source Purpose Necessary or Optional?
Google Load Balancing Managing network traffic between user devices and DFL servers in order to provide The Services Necessary
Sentry An error monitoring tool to help DFL improve The Customer experience of The Service Necessary

Fair Usage Policy

DFL is committed to the Platform being used for constructive learning purposes but we reserve the right to either temporarily or permanently suspend either teacher or student accounts for any misuse of the Platform including but not limited to:

When a student account has been suspended, it may only be reinstated at the request of a teacher at that student's school, and not via the student or their parent directly.

ICO Data Protection Complaints

Our ICO (Information Commission Office) number is ZA739389. You have the right to make a complaint to the ICO on any data protection matter. This can be done by visiting www.ico.org.uk. We'd be grateful if you could discuss the matter with us first to we can resolve the issue where appropriate.

Further Information About Safeguarding or Data Protection

Please contact support@drfrost.org for any further queries.

NCSC Cloud Security Principles Response

What follows is DFL's response to the National Cyber Security Centre's Cloud Security Guidance. It is intended to help organisations understand how DFL protects their data.

Principle 1: Data in transit protection

The Platform uses a minimum of TLS 1.2 used for all site traffic between user device and Platform endpoints.

Data in transit internally to DFL systems can only travel via Virtual Private Cloud (VPC) which is not accessible externally except by a small number of admin users over SSL tunnel.

Principle 2: Asset protection and resilience

Data are physically located in a Google Cloud secured data centre in the UK.

DFL does not use any PII for marketing purposes, machine learning, AI or any purpose other than providing The Services. The Platform database uses “encrypted at rest” data storage.

DFL does not store user data on any other physical medium and user data never leaves the Google Cloud data centre except for transmission in the provision of The Services.

Principle 3: Separation between customers

DFL is not able to provide physical separation of user data or compute. Information about other users in a given school or trust organisation is only available to other users in that organisation. This separation is provided in software only and not at a physical or hardware level.

Principle 4: Governance framework

DFL’s technical governance structure includes:

  • CEO and Data Protection Officer: Dr. Jamie Frost
  • Chief Technology Officer: Mr. Gareth Jones

The CEO/DPO regularly reports to the board on risk and governance issues. DFL has adopted the IRGC Risk Governance Framework and maintains a risk register in accordance with that framework.

Principle 5: Operational security

DFL will take all reasonable measures to address any vulnerabilities within a reasonable period of time. To that end, we use an automated build process to maintain up-to-date patch levels on the Virtual Machines that host The Platform.

Principle 6: Personnel security

DFL limits access to user data to a small number of support and development staff. All staff are required to have multi-factor authentication enabled on their administrative accounts.

All DFL employees are subjected to DBS checks.

Principle 7: Secure development

DFL is continually improving its development workflow and uses an automated release process to provide an auditable trail of software released through development and production environments.

All configuration is managed in source control or Google Cloud Platform Secrets Manager wherever appropriate.

Principle 8: Supply chain security

No customer data is made available to third parties for any reason.

Principle 9 & 10: Secure user management, identity and authentication

DFL offers authentication via Google and Microsoft O365 SSO and strongly recommends that users utilise this wherever possible.

Principle 11: External interface protection

The only external interfaces available to access DFL systems are the Google Cloud service console and direct database access over SSL tunnel to a specific bastion server.

Both are only accessible by a small number of DFL employees and use Google Cloud RBAC to limit permissions only to what is needed for each individual. Multi-factor authentication is enforced on all DFL Google Workspace accounts.

Principle 12 & 13: Secure service administration and auditing

The Platform records actions taken by school staff, such as user deletion, class data imports, changes to class membership and so on. This audit data can be viewed by any teacher at that school on the "Audit Log" tab of the settings page.