About this document
What follows is Dr Frost Learning's (DFL) response to the National Cyber Security Centre's Cloud Security Guidance.
It is intended to help organisations understand how we protect their data and to assist them in completion of their DPIAs, when required.
Principle 1: Data in transit protection
The Platform uses a minimum of TLS 1.2 used for all site traffic between user device and Platform endpoints.
Data in transit internally to DFL systems can only travel via Virtual Private Cloud (VPC) which is not accessible externally except by a small number of admin users over SSL tunnel.
Principle 2: Asset protection and resilience
Data are physically located in a Google Cloud secured data centre in the UK.
DFL does not use any PII for marketing purposes, machine learning, AI or any purpose other than providing The Services. The Platform database uses encrypted at rest data storage.
DFL does not store user data on any other physical medium and user data never leaves the Google Cloud data centre except for transmission in the provision of The Services.
Principle 3: Separation between customers
DFL is not able to provide physical separation of user data or compute. Information about other users in a given school or trust organisation is only available to other users in that organisation. This separation is provided in software only and not at a physical or hardware level.
Principle 4: Governance framework
DFLs technical governance structure includes:
- CEO: Ms. Katharine Jackson
- Data Protection Officer: Dr. Jamie Frost
- Chief Technology Officer: Mr. Piotr Blaszczyk
The CEO and DPO regularly report to the board on risk and governance issues. DFL has adopted the IRGC Risk Governance Framework and maintains a risk register in accordance with that framework.
Principle 5: Operational security
DFL will take all reasonable measures to address any vulnerabilities within a reasonable period of time. To that end, we use an automated build process to maintain up-to-date patch levels on the Virtual Machines that host The Platform.
Principle 6: Personnel security
DFL limits access to user data to a small number of support and development staff. All staff are required to have multi-factor authentication enabled on their administrative accounts.
All DFL employees are subjected to DBS checks.
Principle 7: Secure development
DFL is continually improving its development workflow and uses an automated release process to provide an auditable trail of software released through development and production environments.
All configuration is managed in source control or Google Cloud Platform Secrets Manager wherever appropriate.
Principle 8: Supply chain security
No customer data is made available to third parties for any commercial purpose ever. We may, however, occasionally share limited anonymised data with for the express purpose of assessing Dr Frost's impact on improving educational outcomes.
Principle 9 & 10: Secure user management, identity and authentication
DFL offers authentication via Google and Microsoft O365 SSO and strongly recommends that users utilise this wherever possible.
Principle 11: External interface protection
The only external interfaces available to access DFL systems are the Google Cloud service console and direct database access over SSL tunnel to a specific bastion server.
Both are only accessible by a small number of DFL employees and use Google Cloud RBAC to limit permissions only to what is needed for each individual. Multi-factor authentication is enforced on all DFL Google Workspace accounts.
Principle 12 & 13: Secure service administration and auditing
The Platform records actions taken by school staff, such as user deletion, class data imports, changes to class membership and so on. This audit data can be viewed by any teacher at that school on the Audit Log accessible from the Classes page.