Under the UK GDPR a Customer using the Platform is considered "data controller" of their data and the Company is a "data processor".
Cookie Source | Purpose | Necessary or Optional? |
---|---|---|
Google Load Balancing | Managing network traffic between user devices and DFL servers in order to provide The Services | Necessary |
Sentry | An error monitoring tool to help DFL improve The Customer experience of The Service | Necessary |
Google Analytics | Google analytics help us continually improve the Dr Frost platform and we appreciate your support in allowing these cookies. We use this data internally and never share it with third parties for commercial purposes though we may occasionally share limited anonymised data for the express purpose of assessing Dr Frost's impact on improving educational outcomes. | Optional |
DFL is committed to the Platform being used for constructive learning purposes but we reserve the right to either temporarily or permanently suspend either teacher or student accounts for any misuse of the Platform including but not limited to:
When a student account has been suspended, it may only be reinstated at the request of a teacher at that student's school, and not via the student or their parent directly.
Our ICO (Information Commission Office) number is ZA739389. You have the right to make a complaint to the ICO on any data protection matter. This can be done by visiting www.ico.org.uk. We'd be grateful if you could discuss the matter with us first to we can resolve the issue where appropriate.
Please contact [email protected] for any further queries.
What follows is DFL's response to the National Cyber Security Centre's Cloud Security Guidance. It is intended to help organisations understand how DFL protects their data.
The Platform uses a minimum of TLS 1.2 used for all site traffic between user device and Platform endpoints.
Data in transit internally to DFL systems can only travel via Virtual Private Cloud (VPC) which is not accessible externally except by a small number of admin users over SSL tunnel.
Data are physically located in a Google Cloud secured data centre in the UK.
DFL does not use any PII for marketing purposes, machine learning, AI or any purpose other than providing The Services. The Platform database uses “encrypted at rest” data storage.
DFL does not store user data on any other physical medium and user data never leaves the Google Cloud data centre except for transmission in the provision of The Services.
DFL is not able to provide physical separation of user data or compute. Information about other users in a given school or trust organisation is only available to other users in that organisation. This separation is provided in software only and not at a physical or hardware level.
DFL’s technical governance structure includes:
The CEO/DPO regularly reports to the board on risk and governance issues. DFL has adopted the IRGC Risk Governance Framework and maintains a risk register in accordance with that framework.
DFL will take all reasonable measures to address any vulnerabilities within a reasonable period of time. To that end, we use an automated build process to maintain up-to-date patch levels on the Virtual Machines that host The Platform.
DFL limits access to user data to a small number of support and development staff. All staff are required to have multi-factor authentication enabled on their administrative accounts.
All DFL employees are subjected to DBS checks.
DFL is continually improving its development workflow and uses an automated release process to provide an auditable trail of software released through development and production environments.
All configuration is managed in source control or Google Cloud Platform Secrets Manager wherever appropriate.
No customer data is made available to third parties for any commercial purpose ever. We may, however, occasionally share limited anonymised data with for the express purpose of assessing Dr Frost's impact on improving educational outcomes.
DFL offers authentication via Google and Microsoft O365 SSO and strongly recommends that users utilise this wherever possible.
The only external interfaces available to access DFL systems are the Google Cloud service console and direct database access over SSL tunnel to a specific bastion server.
Both are only accessible by a small number of DFL employees and use Google Cloud RBAC to limit permissions only to what is needed for each individual. Multi-factor authentication is enforced on all DFL Google Workspace accounts.
The Platform records actions taken by school staff, such as user deletion, class data imports, changes to class membership and so on. This audit data can be viewed by any teacher at that school on the "Audit Log" tab of the settings page.