Data Security and the GDPR
Under the GDPR, Sumdog is a data controller (see more below).
Sumdog is committed to data security and privacy, and complies with laws in all countries and territories in which we operate.
The following document addresses how we deal with data with respect to the GDPR and Data Protection Act 2018.
Our Privacy Code of Conduct:
- At Sumdog we will ensure our users' data is processed lawfully, fairly and in a transparent manner.
- The data will only be collected and processed for legitimate purposes.
- The amount and kind of data that we collect is limited to what is necessary to provide the Sumdog service.
- We will ensure that the data is accurate and kept up to date.
- If we become aware that data is inaccurate, or that we should no longer hold it, it will be rectified or erased without delay.
- We will only keep your data for the amount of time that it is necessary. This is usually for as long as you hold a Sumdog account.
- We handle data internally in a way that protects it against unauthorised or unlawful processing.
- We will never transfer data outwith the EU to a third country without first ensuring that one of the safeguards recognised by the GDPR is in place.
The below FAQs set out to answer any questions you may have about our data security and privacy procedures.
Is Sumdog a data processor or a data controller?
Because Sumdog decides what data is collected and how it is used, Sumdog is a data controller. The processing itself is carried out either by Sumdog's own staff, acting under our authority, or by a third-party data processor (see more about third parties below).
In most cases we are a joint data controller with the school.
If we change the type of data we collect or the purposes for which we use it, we will communicate this to Sumdog's user base.
What are the categories of personal data that Sumdog holds?
What is the legal basis for holding this personal data?
Our legal basis for holding this personal data is legitimate interest. The Sumdog service is intended to help children, and their parents or guardians, with the child's education and development, and to assist schools and teachers in educating their pupils.
Is the data held in the UK?
Some of the data is held in the UK. Our servers are based in the United States. Our contracts with these cloud service providers contain the EU standard contractual clauses (model clauses) for international data transfer, which the GDPR recognises as an appropriate safeguard when transferring personal data internationally.
Is backup data held in the UK?
Our backup data is held on our servers, which are located in the USA. Our contracts with these cloud service providers contain the EU standard contractual clauses (model clauses) for international data transfer, which the GDPR recognises as an appropriate safeguard when transferring personal data internationally.
What is the retention period and when is data destroyed?
How does Sumdog ensure payment details are securely stored?
At Sumdog we never see or hold any of your payment data. This data is collected and held by a company called Braintree. We have a data sharing agreement with them and are satisfied that they comply with all applicable privacy laws. You can find out all about their commitment to data privacy here. They are a validated service provider at the highest level and are recognised by Visa and Mastercard for their
General Policy and Procedure
What data protection policies does Sumdog adhere to?
What procedures are used to manage the processing of personal data within Sumdog?
We continually develop and update our procedures for processing personal data within Sumdog, to ensure that they reflect best practice and comply with all applicable privacy law. We have procedures in place governing how we handle personal data, engage new processors, respond to breaches, answer subject access requests and carry out data audits.
Is personal data ever passed on to third parties?
We may share statistics derived from information accumulated through use of Sumdog with third parties. In this situation the data is anonymised, and the third parties are not able to identify users from it.
What technical and security measures do you have in place? Does Sumdog test the systems?
Sumdog encrypts user data using TLS (commonly still referred to as SSL) when it is transferred between users and our servers. This protects the data whilst in transit.
Do you have an information management accreditation?
AWS, who host our servers, hold ISO 27001 certification. More information on their compliance can be found here. Sumdog does not currently hold an information management accreditation of its own.
How do you ensure that your staff adhere to confidentiality?
Sumdog ensures that all staff complete training on the responsibilities the GDPR places on organisations that process data about data subjects within the EU. Staff are made aware of changes to our policies and of the importance of following the specific procedures that implement the data protection principles set out in the GDPR.
Does Sumdog undertake marketing?
Yes. Sumdog undertakes marketing to communicate information about the Sumdog service to registered users, including new features, offers, educational data and tips.
What type of marketing is carried out?
Sumdog markets via email, post, social media and search engine advertising. The marketing undertaken only ever relates to the Sumdog service; we do not market other services to our users.
What is the legal basis for marketing?
It is in Sumdog's legitimate interest to communicate with our users. This matters to us because we rely on the subset of users who subscribe to our premium features, which allows us to maintain a free service for the wider user base. For users this means receiving information on how to use the service more effectively, together with data on the educational progress of their students. If you subscribe, you benefit from marketing information about subscriptions. If you do not subscribe, you benefit indirectly from the users who do, since the same marketing communications lead to the subscriptions that pay for your continued free use of Sumdog.
How can a user opt out of marketing? How is this process managed?
You can choose to opt out of marketing when you first sign up to Sumdog. You may also opt out via the link in any of our marketing emails, or by signing in to your Sumdog account and changing your preferences. When you opt out, you are removed from our marketing list.
How is consent acquired regarding cookies?
Our website automatically sets functional cookies, which are needed for the site to work.
For any remarketing cookies, you are given the option to accept them when you first visit the website; they are not set unless you do.
Is any personal data published on the website? If yes, is permission sought? How is the permission gained?
Personal data is only published on the website when we have the express permission of the person to whom the data relates, given either in writing or by email.
Does Sumdog agree to gain the consent of their clients before engaging with another processor?
As a controller, Sumdog decides which processors we engage. Before engaging a processor we must satisfy ourselves that it complies with all relevant data privacy laws. If the processor is located outwith the EU, our data sharing agreement with it includes the EU standard contractual clauses (model clauses) for the international transfer of data. It is not possible for Sumdog to obtain the consent of every user before engaging a new processor, and as a data controller this is not an obligation required by law.