Frog Education GDPR FAQ
At Frog, we take the security of your data very seriously. Frog Education Ltd has worked in education for over 20 years and already has many robust procedures in place, as you would expect from any credible business working in this sector. As you have put your trust in us to process personal data that you are responsible for, we aim to be as clear and open as we can about the way we handle security.
If you have additional questions regarding security, we are happy to answer them. Please write to dataoffice@frogeducation.com and we will get back to as quickly as we can.
Table of Contents
Frog Staff and Confidentiality
Data Encryption In Transit and At Rest
Incident Management & Response
Frog Staff and Confidentiality
We conduct Enhanced DBS background checks on all employees and ensure they are cleared before they start work at Frog.
We place strict controls over staff access to our customers data in Frog products, and we are committed to making sure that any data, not just Personal Data covered by GDPR, is not seen by anyone who should not have access to it.
All of our employees are bound by our internal policies regarding data protection and security and, given the sector we work in, we treat these matters very seriously. All staff have received specific GDPR training to comply with the regulations.
In order to run and support the Frog products, some employees need to have access to the systems which store and process your data, for example, in order to diagnose and resolve an issue which a user may be experiencing with Frog services or products. Many support issues are not related to Personal Data and can resolved through the standard Frog interface without our staff needing access any confidential data but, should the resolution of the issue require access to and/or modification of Personal Data, this will be discussed with the customer prior to any action being taken.
Should the issue require deeper investigation and direct access to the databases holding Personal Data be required, a third-line engineer will be tasked with the job. Direct access to the databases is restricted to a central access system which is IP locked to specific machines here at Frog and access to this system requires a dedicated account backed with hardware based 2 Factor Authentication so external access, or access by unauthorised personnel is impossible.
Company provided machines are encrypted via Windows Bitlocker or Apple FileVault.
Data is not transferred by mobile device for staff use off premises, but accessed via the Intranet or secure VPN and resaved to the secure network drives upon completion, mitigating accidental loss or theft of data from or of the mobile device.
Access levels to the secure network drives are hierarchical and users are only granted read/write access to the specific data necessary to perform their duties.
Confidential documents are stored in locked cabinets with key holders limited only to those persons who require access to such information. Documents are shredded via a multi cut cross shredder. Confidential paper records will not be left unattended or in clear view anywhere with general access.
Physical Environment
Frog solutions are deployed to a tier-1 data centre; ISO 27001 certified, PCI-compliant and secured to UK government IL4 standards. All standard measures to ensure redundancy and failover are in place – from physical server redundancy, to replication as part of a hybrid cloud solution. This ensures that data integrity is supported locally by RAID and hardware level redundancy, but encrypted cloud provisioned storage. A level of geographic redundancy for critical services exists to ensure all SLA targets are exceeded
Access to the equipment housed in the data centre is only available by appointment and is only granted to 3 members of Frog staff.
https://www.equinix.co.uk/locations/united-kingdom-colocation/manchester-data-centers/ma2/
Frog’s on-premise servers at their Dean Clough offices in Halifax used for ‘day to day business’, are housed in a dedicated server room. This room is kept locked with key access only available to a limited number of Frog staff.
The whole of Dean Clough has an Access Control System - External doors auto-lock with access provided by individually assigned RFID fobs, and timings are logged. 24 hour security is in operation and full CCTV recording.
Compliance
Our internal systems and procedures follow ISO27001 and industry best-practice, having been implemented by a Home Office licenced security professional. We are continually challenging ourselves to remain at the forefront of our sector in terms of protective security and are Cyber Essentials Plus certified. (https://www.cyberessentials.ncsc.gov.uk/)
Your Frog platform (and therefore schools data) is deployed and housed at the Equinix data centre facilities in Manchester which are certified to ISO 27001, PCI-DSS, HIPPA, ISO 9001, ISO 22301, and ISO 50001.
Data Encryption In Transit and At Rest
Frog support the latest recommended secure protocols to encrypt all traffic in transit.
We monitor best practices in these protocols closely and work promptly to upgrade the service to respond to new cryptographic weaknesses as quickly as reasonably possible after they are discovered. We do this while also balancing the need for compatibility for older clients.
All stored data is protected by username and password, stored on encrypted drives where required and securely transferred by TLS/SSL protocol where required. Passwords are strong, regularly refreshed, and we use systems such as KeePass to protect access to core passwords and in addition, we utilise 2 Factor Authentication tokens to systems where elevated protection is deemed necessary.
Systems are in place to encrypt, secure and compartmentalise data and information, so no single point of entry or single user at any level in the company has access to everything alone.
Availability
We understand that you rely on the Frog services to be an available service that you can count on. Our infrastructure runs on systems that are fault tolerant. Our operations team proactively monitor all our core servers and services in order to detect anomalies and rectify them before they become an issue.
Disaster Recovery
We have well-tested backup and restoration procedures, which allow recovery from a major disaster.
“Business” data held at our main office in Halifax is backed up daily to separate dedicated servers.
“Customer” data held on our hosted system is held in our Data Centre in Manchester and is backed up daily to separate dedicated servers.
Central disaster recovery backups for business, core services and hosted customer data are stored in encrypted Google Cloud Storage with a secondary encrypted backup securely located in our Doncaster Office.
All user and configuration data is backed up at regular intervals and stored both locally and on geographically redundant cloud storage. All data that is held offsite is encrypted, both in transit and at rest. All encryption keys are stored locally.
Local backups and snapshots are kept for up to 12 months depending on storage availability and a minimum of 3 months are stored. Backups to cloud storage are only kept for 1 week.
For users who host their own solutions where a local repository is used for backup, restoration of data is immediate.
In the event of disaster recovery, data restoration is limited only by available bandwidth dedicated to retrieving content from the cloud storage platform.
Network Protection
As well as system monitoring and logging, redundant firewalls are configured according to industry best practices and any ports not required to deliver or support the Frog services are blocked.
Patch Management
We regularly patch our host operating systems, databases and other supporting services. Critical security patches will be applied as soon as is reasonably possibly, whilst other patches will align with our regular release schedule.
Incident Management & Response
In the event of a security breach, Frog will promptly notify you of any unauthorised access to your Personal Data. Frog has incident management policies and procedures in place to handle such an event.