Data Privacy FAQs

Please don’t hesitate to get in touch if you have questions. You can email us at or give us a call at 020 8506 6100.

This document is designed to answer some of the questions schools ask before deciding to use our platform. If you feel at all uncertain about your responsibilities, we strongly suggest that you first read the ICO guidance for education providers, and the ICO data protection guidance for schools.

Are you registered as a technical partner with our MIS supplier?

Yes, we only ever work with MIS vendors using their official partnership programmes.  

  • Capita SIMS: we are a SIMS Technical Partner. You can find us listed under “Ark UK Programmes” on the Capita website. This means we’ve been checked and verified to read data from SIMS.
  • Facility CMIS: we are an Advanced Learning Technical Integration Partner.
  • Bromcom: we are a Bromcom partner. 
  • ScholarPack: we are software partners with ScholarPack. 
  • RM Integris: we are a registered partner on RM Integris Datashare. 
  • Arbor: we are official partners with Arbor. 

How do we control what data is extracted from our MIS?

The Assembly Platform helps you share specific pieces of data with applications of your choice in a secure manner. We never extract personal data from your MIS unless you’ve explicitly granted us authorisation to do so through a  Data Access Request. Each app’s Data Access Request will tell you exactly what data will be shared before you choose whether or not you wish to authorise it.

Do you share our data with anyone else?

We never rent or sell your data for marketing purposes, and only share sensitive information with third parties in instances where we are specifically requested to do so by you. For example, some services on our Platform allow the sharing of your data with third parties (e.g. school improvement charities and curriculum providers). In such circumstances, information is only shared if you give permission, and you control these permission settings through the Platform. Access to data is managed via “bearer tokens". These can be revoked at any time and must be refreshed frequently to remain active. Third party applications on the platform are subject to the Terms of Service and Privacy Policy of the relevant third party, and it is important you read and understand these before engaging with any third party services through our Platform.

Are you General Data Protection Regulation (GDPR) compliant?

We are fully GDPR compliant. For example, consent to access your data requires a positive opt in and we already make it possible, and clear, to withdraw that consent. For more information, consult our  terms

I want to use the Assembly Platform but other members of staff have concerns.

The fact they have concerns is evidence that they take privacy and security very seriously, which is something we’re always pleased to see. When thinking about whether or not to use the Assembly Platform, we encourage schools to consider the security of their current data sharing practices, and how you might fulfil the task for which you wish to use Assembly if you do not adopt our platform. Given the wide range of security features built in to the Assembly platform, compared to most other data sharing methods, the Assembly Platform will be a security upgrade rather than a security concern. If you or a colleague have any concerns that remained unanswered having browsed this FAQ, we encourage you to get in touch and we would be delighted to field any questions you may have.

Where is our data stored and how do you ensure it is stored and processed securely?

Our servers are hosted in the Amazon eu-west-1 region (in Ireland). We go to great lengths to ensure that your data is stored and processed securely. All personal and sensitive data is kept and transported within EU or countries which are granted to have Adequate Levels of Protection as defined by the European Commission. As well as this, all external data transmissions to and from the Assembly Platform are encrypted using modern SSL/TLS protocols and ciphers. We also encrypt data at rest (when it’s stored on a laptop or disk) and have field-level encryption in our database of personally identifiable student-level fields such as name and UPN, as well as the names and contact details of related parents/ guardians.

What is your data removal policy?

You have the right to have all your data removed from the Assembly platform at any point in time. If you wish to do this then you should give us notice by emailing with the relevant details, and we will delete the data within 5 working days. 

I think I’ve discovered a bug that makes the platform insecure. What should I do?

Please let us know straightaway on Whilst we’re confident that our platform is highly secure, any potential weakness will be taken seriously and addressed urgently.

Do you look at our data or gain insight from it?

We do not look at the data that you choose to store or transport via the platform. The only exception to this is if it is necessary to do so for support or debugging purposes. If we need to look at the underlying data, we will ask you explicitly to grant authorisation before doing so. We will revoke this permission once we’ve finished, or you can revoke it yourself at any time. The only ‘insight gathering’ that we do is by using software such as Google Analytics, but this only tracks non-sensitive metadata (such as what type of user you are, or how long you stayed on a page).

Third parties may look at your data or an anonymised version of it, for example to assess the impact of an intervention programme. Where this is the case they should tell you through their privacy policy. We will provide a link to their privacy policy before you permission the app, so you can always check these things in advance. If you think anything is unclear, always ask the relevant organisation. It is your duty as the data controller to make sure you know what data sharing entails.

Should we tell parents that we’re using Assembly?

As the data controller, it is your responsibility to inform parents about your school’s approach to data protection. If you have a policy in place that covers this, it may already explain your school's approach to data sharing in a way that covers your use of Assembly. If you are unsure about whether your current policies cover your use of Assembly, you should consult the ICO or a lawyer.

What is your ODP Data Protection registration number?

Our ODP registration number is Z9683573.

What third party services do you use for collecting data?

We use the following third party services to collect data in the following ways:

  1. Google Analytics for website analytics. The service collects masked IP addresses.
  2. Convox for IP address whitelisting to prevent DDoS attacks. The service collects IP addresses.
  3. Sentry for monitoring exceptions and errors. IP addresses are collected only when exceptions and errors are generated, and the process is handled entirely in AWS, so there is no external data transfer.
  4. Papertrail for logging. No personal data or IP addresses are recorded.
  5. Full Story to track browser sessions for bugs and issues. Full Story collects IP addresses so that it can associate browser sessions with users. However, we do not send any personal or sensitive data to Full Story: we explicitly block such data from being transferred to the service. Users may also opt out of Full Story being able to track their sessions using this opt out link.

Where can I find your full terms of service?

Please see the  Terms of Service on our website.