We take information security very seriously at Compass, and the platform is designed to have the highest level of data protection and related safeguards. We are fully compliant with the requirements of GDPR, and adhere to the principles of privacy by design and by default. This document sets out a bit more about what we’re doing.
Compass’s network includes intrusion detection, firewalls and active monitoring systems. The security layer detects anomalous activity within the system, blocks malicious activity where it can, and alerts our security staff. Compass regularly conducts penetration testing and threat modelling to ensure our network is properly secured and up to date.
Our hosting is handled by Amazon Web Services in London.
We use Transport Layer Security (TLS 1.2) for encrypted data transfer over the internet, and all data is encrypted at rest.
Where we have our own physical offices, they have secure access control, CCTV and 24 hour security.
The live Compass environment stores data in MongoDB (for personally identifiable information), SQL Server (for other data) and a file system (for images and documents). MongoDB is backed up by Atlas every minute, allowing point-in-time restoration for up to seven days. SQL Server is backed up daily to Amazon FSx, with additional transaction-log backups taken every 15 minutes throughout the day. The file system is backed up daily using AWS Backup. Additional snapshots of all three data stores are taken periodically (daily, weekly and monthly) and retained for up to seven years. All backups are stored in London on AWS.
All system users access Compass with a secure password, and role-based permissions ensure that users only have access to the areas of the system they need.
Staff browser sessions are logged out after three days of inactivity.
Our engineers and support team only access the personally identifiable information of a school with the explicit permission of the school.
All schools have the option to secure their portal with two-factor authentication.
We make it easy for you to generate the information needed to comply with subject access requests.
Compass are registered with the Information Commissioner’s Office. You can see our registration here.
Compass has achieved PCI DSS Level 1, the highest level of the payment card data security standard, for payments.