ParentPay Limited

GDPRiS (GDPR in Schools)

A cost-effective service, driven by our GPDRiS software, specifically designed to support DPOs and DP Leads with the monitoring management of data protection within schools ensuring on-going compliance with the GDPR and DPA2018.

Features

• GDPRiS compliance auditing tool
• GDPRiS compliance dashboard monitor
• GDPR role based training and awareness courses
• Cloud hosted multi-site solution
• Single Sign On (SSO) compatible
• Multi-factor authentication (MFA)

Benefits

• Comprehensive reporting
• Ensuring awareness of data protection and duties with all staff
• 4,500 pre-populated supplier data maps (RoPA) available
• Pre-populated Data Impact Assessment (DPIA) templates and guidance

£795 a unit a year

• Education pricing available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at nicola.howard@parentpay.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

239728185604292

Contact

Nicola Howard
07881915899
nicola.howard@parentpay.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: No specific constraints at this time
• System requirements: Up to date versions of web browser, Java script enabled

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: All emails or online tickets get an automated response with additional guidance for self-service of support. Staffed support is 9 am - 4.30pm Mon to Thursday and 9am - 3.30pm on Fridays, exclusive of Bank Holidays.; Response time is based on the severity and during working hours:; Urgent/Critical - 4hr; High - 8hr; Normal - 16hr; Low - 24hr
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: We operate a single level customer service contract to all clients as part of the cost of the platform. This includes a team of Customer Service agents to support pre-sales technical advice, onboarding, online training, service and support issues, and account management.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Welcome email sent out upon signing up. Welcome email gives instructions to support initial logging in to access the portal. It also provides links to guidance and resources to help customers get started.; ; Customers will receive a call from the Customer Success Team to arrange a session for online product training and to establish the scope to proceed.; After the training, they will receive a post training email with further guidance and how to access more resources and support.; ; Depending on the outcome of the initial onboarding call, we will guide you through populating the platform. Within the portal, we provide access to a wide range of resources on best practice and general information on GDPR. These are designed to help guide the customer through the compliance journey. Our Customer Support Team will help you every step of the way.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: The standard user interface allows data to be extracted via reporting engine.
• End-of-contract process: All end-of contract activities are included within the price. All data is removed from the platform after 30 days post contract expiry, except where data needs to be retained to allow GDPR in Schools to complete any legal requirements.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Screen size is device responsive
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: GDPRiS presents a web user interface which allows users to manage their GDPR compliance, e.g. creating and maintaining their data ecosystem (datamaps), performing DPIAs, managing breaches and subject requests, running user training, questionnaires and audits, comprehensive resource bank of templates, extensive knowledge base and training resources to cover all aspects of school life.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Our development aims at AA level compliance with WCAG 2.1.; There are currently known gaps. Testing takes place with tooling (Axe Tools)
• API: No
• Customisation available: Yes
• Description of customisation: Customers upload their logo. By mapping their data ecosystem within GDPRiS, customers tune their experience for DPIAs and for data protection audits.; Users customise which notifications they wish to receive from the system.(e.g. breaches, incidents, subject requests)

Scaling

• Independence of resources: The service is hosted on an auto-scaling platform with generous headroom. Resource pressures on the service are being monitored and addressed by our technical team.

Analytics

• Service usage metrics: Yes
• Metrics types: GDPRiS has in-built reporting features to allow schools to monitor their own use of the tool and measure progress on their data protection journey.
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: There exist various tabular data reports in the standard web user interface.These can saved into spreadsheet formats.; Additionally GDPRiS support can set up scheduled - and user defined -reports for customers that get delivered, e.g. to users' mailboxes.
• Data export formats:
  • CSV
  • Other
• Other data export formats: Open office xml
• Data import formats:
  • CSV
  • Other
• Other data import formats: Open office xml

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: The service is available 24/7. We take out-of-hours maintenance outages from time to time, and these are usually announced to the customers beforehand. While we make no guarantees about our up-time, our record since July 2019 shows no unplanned outages of the core application.
• Approach to resilience: The service is hosted on Microsoft Azure on an auto scaling, and self-maintaining compute platform. In that way, the platform both scales out to meet spikes in demand, but also experiences no outages or service degradation during routine maintenance tasks.
• Outage reporting: The service is externally monitored - in-app notification to admins and email. The hosting platform itself sends notification emails on severe events. Depending on our assessment, we can choose to inform users of an outage(e.g. via email)

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Access restrictions can be set by the customer (access revocation)
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Amtivo Group Limited, trading as British Assessment Bureau
• ISO/IEC 27001 accreditation date: 11/04/2023
• What the ISO/IEC 27001 doesn’t cover: Schools, councils, other customers, and end users' own local computer systems and networks - and their associated physical locations, are outside of the ISMS scope.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: ParentPay Group operates an ISO 27001 certified Information Security Management System (ISMS) - this has been certified by a UKAS accredited certification body. A dedicated security team of qualified specialists maintain, monitor and enforce technical and organisational security controls. We are audited by independent specialist third parties at least four times per year. ParentPay operate a comprehensive catalogue of security policies, processes and procedures; Including but not limited to: Security Policy. ISMS Manual. Acceptable Use Policy. Access Control and Onboarding-Offboarding. Business Continuity Strategy. Business Continuity Plans. BYOD Policy. Capacity Management Policy. Change Control Process. Clear Desk Policy. Cryptography, Certificates and Key Management Policy. Data Protection Policy. Data Retention and Disposal Policy. Development Process Standards and Practices. Firewall & Router Configuration Strategy. Incident Response Procedures. Information Classification and Handling. IT Decommission Process. ParentPay Fraud and AML Strategy. Password Policy. Patch and Vulnerability Management Strategy. Physical Security Policy. Security within Project Management. Remote Working and Mobile Device Policy. Security Considerations for Key Decision Makers. Social Media Policy. Supplier and Third Party Management Policy. System Build Standards. IT Documented Operating Procedures.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Full change control process is applied to the product and hosting infrastructure. This applies to all assets. Changes require CAB review and approval. Security considerations are specifically identified as a strict requirement.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: 1. Policies define requirements for vulnerability assessments and response to findings; 2. Using only managed services for core application (patching by service provider) ; 3. Using Azure's native vulnerability detection system ; 4.Using O365/Intune for vulnerability and patch level detection on endpoints.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We operate network and host based intrusion detection systems. All infrastructure components and logging is supported by a SIEM platform, including User-Behaviour-Analytics (UBA) capabilities. Endpoint and back-office systems run DLP controls to help detect and prevent data loss events. External breach indicators are also independently monitored on an ongoing basis. Canary tokens and honeypot technology is also applied. We operate, train and regularly test a comprehensive Incident Response Programme - including forensics evidence collection capabilities. Security Incidents are responded to immediately following identification, by a dedicated security team.
• Incident management type: Supplier-defined controls
• Incident management approach: Our detailed Incident Response Programme has developed a full array of specific response processes for particular events. We operate, train and regularly test the full process - including forensic evidence collection processes. Security Incidents are responded to immediately following identification, by a dedicated security team. All employees are required to report any confirmed or suspected security incidents. The security team can be contacted by customers, users or employees at any time via email or telephone. Detailed incident reports are provided as necessary - including an executive summary, event timeline, investigative and containment steps, root cause analysis, remediation and lessons learned.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Environmentally friendly solution, low carbon emissions, recycled decommissioned equipment. Offers are assessed on an individual basis and dependent on client's priorities and strategic objectives.

  Tackling economic inequality

  Offers are assessed on an individual basis and dependent on client's priorities and strategic objectives.

  Equal opportunity

  We are an equal opportunities employer. We support our clients in promoting digital skills. Offers are assessed on an individual basis and dependent on client's priorities and strategic objectives.

  Wellbeing

  Offers are assessed on an individual basis and dependent on client's priorities and strategic objectives.

Pricing

• Price: £795 a unit a year
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at nicola.howard@parentpay.com. Tell them what format you need. It will help if you say what assistive technology you use.