Compass and Information Security

We take information security very seriously at Compass, and the platform is designed to have the highest level of data protection and related safeguards. We are fully compliant with the requirements of GDPR, and adhere to the principles of privacy by design and by default. This document sets out a bit more about what we’re doing.


Compass has achieved Level One compliance with the Payment Card Industry Data Security Standard (PCI DSS) - a key indicator of our commitment to ensuring the data of those who use Compass is kept secure.

Our team works every day to maximise the security and protection of our customers’ data. PCI DSS is a key part of our broader information security strategy, so we’re extremely proud to have achieved full Level One compliance.

The assessment process involved a rigorous five-month review of the company's information security posture, and included not only interrogation of our governance approach but also penetration testing of our payment platform software by an independent security firm.


Technical Specifications

Network

Compass’s network includes intrusion detection, firewalls and active monitoring systems. The security sub-layer is capable of detecting anomalies within the system to proactively prevent malicious activities and alert our security staff. Compass regularly conducts penetration testing and threat modelling to ensure our network is properly secured and up to date.

Hosting

Our hosting is handled by Amazon Web Services in London.

Encryption

We use Transport Layer Security (TLS 1.2) for encrypted data transfer over the internet, and all data is encrypted at rest.


Physical security

Where we have our own physical offices, they have secure access control, CCTV and 24 hour security.

Backups

The live Compass environment stores data in MongoDB (for Personally Identifiable Information), SQL Server (for other data) and a file system (for images/documents). MongoDB is backed up by Atlas every minute, allowing point-in-time restoration for up to seven days of data. SQL Server is backed up daily to Amazon FSx, with additional changelogs taken every 15 minutes throughout the day. The file system is backed up daily using AWS Backup. Additional snapshots of all three data stores are taken periodically (i.e. daily/weekly/monthly) and retained for up to 7 years. All backups are stored in London on AWS.


System Access

Passwords

All system users access Compass using a secure password, with role-based permissions to ensure users only have access to the areas of the system they need.

Sessions

Staff are logged out of browser sessions after 3 days or more of inactivity.


Support

Our engineers and support team only access the personally identifiable information of a school with the explicit permission of the school.

Two Factor Authentication

All schools have the option to secure their portal with two factor authentication.


Compliance

Subject Access requests

We make it easy for you to generate the information needed to comply with subject access requests.

ICO

Compass are registered with the Information Commissioner’s Office. You can see our registration here.


PCI

Compass has achieved the PCI DSS Level 1 data security standard for payments.
