Compass and Information Security

We take information security very seriously at Compass, and the platform is designed to have the highest level of data protection and related safeguards. We are fully compliant with the requirements of GDPR, and adhere to the principles of privacy by design and by default. This document sets out a bit more about what we’re doing.


Compass has achieved Level One compliance with the Payment Card Industry Data Security Standard (PCI DSS) – a key indicator of our commitment to ensuring the data of those who use Compass is kept secure.

Our team works every day to maximise the security and protection of our customers’ data. PCI DSS is a key part of our broader information security strategy, so we’re extremely proud to have achieved full Level One compliance.

The assessment process involved a rigorous five-month review of the company’s information security posture, and included not only interrogation of our governance approach but also penetration testing of our payment platform software by an independent security firm.

Parent and teacher communication plays a significant role in a child’s learning experience. The Compass app enables parents to engage closely with school to see how their child is performing and feeling, book their next teacher conference, pay fees easily, and get ready for the next excursion. The Compass app gives busy parents access to everything they need to know.

Technical Specifications


Compass’s network includes intrusion detection, firewalls and active monitoring systems. The security sub-layer is capable of detecting anomalies within the system to proactively prevent malicious activities and alert our security staff. Compass regularly conducts penetration testing and threat modeling to ensure our network is properly secure and up to date.


Our hosting is handled by Amazon Web Services in London.


We use Transport Layer Security (TLS 1.2) for encrypted data transfer over the internet, and all data is encrypted at rest.

Physical security

Where we have our own physical offices, they have secure access control, CCTV and 24-hour security.

Backups

The live Compass environment stores data in MongoDB (for Personally Identifiable Information), SQL Server (for other data) and a file system (for images/documents). MongoDB is backed up by Atlas every minute, allowing point-in-time restoration for up to seven days of data. SQL Server is backed up daily to Amazon FSx, with additional changelogs taken every 15 minutes throughout the day. The file system is backed up daily using AWS Backup. Additional snapshots of all three databases are taken periodically (i.e. daily/weekly/monthly) and retained for up to 7 years. All backups are stored in London on AWS.

System Access


All system users access Compass using a secure password, with role-based permissions to ensure users only have access to areas of the system they need.


Staff are logged out from browser sessions after a period of inactivity of 3 days or more.


Our engineers and support team only access the personally identifiable information of a school with the explicit permission of the school.

Two Factor Authentication

All schools have the option to secure their portal with two factor authentication.


Subject Access requests

We make it easy for you to generate the information needed to comply with subject access requests.


Compass are registered with the Information Commissioner’s Office. You can see our registration here.


Compass has achieved the PCI/DSS Level 1 data security standard for payments.
