Information for Due Diligence and DPIAs

No. Signal acts as a Data Processor, not a co-Controller. Your organisation instructs Signal to process data on its behalf — there is no data sharing arrangement. The DPA covers the controller-processor relationship.

Yes. Signal maintains a designated Data Protection Officer contactable at dpo@signalschools.co.uk. The DPO oversees our data protection compliance programme and is the primary point of contact for data protection enquiries.

Yes. We maintain Records of Processing Activities as both a Controller (for our own business data) and as a Processor (for customer safeguarding data), in accordance with UK GDPR Article 30.

All staff with access to customer data receive data protection and security awareness training. This training covers UK GDPR principles, data handling procedures, incident reporting, and the specific sensitivity of safeguarding data.

After receiving your setup information, we provision a dedicated tenant for your organisation. Your school decides which categories of personal data to import. Data can be imported via secure file upload or entered manually by your staff.

We provide comprehensive onboarding including video tutorials and documentation. Our support team is available to assist with setup and ongoing use of the platform.

• Student information: Names, dates of birth, identifiers, year groups
• Safeguarding records: Incident descriptions, categories, severity levels, concerns
• Special category data: Health information, safeguarding concerns, wellbeing data
• Staff information: Names, roles, contact details
• Parent/guardian data: Contact information and relationship details
• Documents: Uploaded files and attachments

Full details are set out in our Data Processing Agreement.

All customer data is encrypted and stored in the United Kingdom using Microsoft Azure UK South and UK West data centres. Data is never transferred outside the UK without explicit consent and appropriate safeguards.

Yes. All data is encrypted at rest using AES-256 encryption and encrypted in transit using TLS 1.3 or higher.

All sub-processors are bound by data processing agreements compliant with UK GDPR Article 28. We provide at least 30 days' notice before engaging new sub-processors.

Microsoft Azure hosts our infrastructure but does not have access to unencrypted customer data. Resend processes only the email addresses and content necessary for transactional email delivery, with a 30-day retention period.

As Data Processor, Signal supports schools in responding to DSARs. Requests received directly by Signal are referred to the relevant school as Data Controller. We provide tools within the platform to facilitate data export and search capabilities to assist with DSAR fulfilment.

Data subjects (students, parents, staff) should direct their requests to the school as Data Controller. If Signal receives a request directly, we will promptly refer it to the relevant school and assist as needed.

Signal will notify affected customers without undue delay and within 24 hours wherever possible of becoming aware of any personal data breach. Notification will be made by email to the designated contact. We will provide details of the nature of the breach, affected data categories, and measures taken or proposed to mitigate harm.

Yes. We will investigate the breach, take appropriate measures to contain and remediate it, and provide reasonable assistance to the school in meeting their breach notification obligations to the ICO and data subjects.

Signal's security practices are informed by industry standards including ISO 27001 principles. We are not currently ISO 27001 certified. We implement comprehensive technical and organizational measures covering:

• Encryption at rest (AES-256) and in transit (TLS 1.3)
• Role-based access control with granular permissions
• Multi-factor authentication and passwordless login (WebAuthn/passkeys)
• Comprehensive audit logging
• Web Application Firewall protection
• DDoS mitigation and rate limiting

Microsoft Azure, our hosting provider, maintains SOC 2 Type II and ISO 27001 certifications.

Yes. Automated security testing is integrated into our software development lifecycle. This includes static code analysis, vulnerability scanning, and automated dependency scanning to ensure third-party components remain secure and up to date.

Access to customer data within Signal is strictly limited to personnel who require it for service delivery and support. All access is subject to role-based controls and comprehensive audit logging. All staff undergo DBS (Disclosure and Barring Service) checks and receive data protection training.

Signal targets 99.9% uptime using Microsoft Azure's multi-region UK infrastructure with automated failover. We maintain 24/7 monitoring with automated alerting. Our Recovery Time Objective (RTO) is 4 hours and Recovery Point Objective (RPO) is 1 hour.

Automated daily backups are performed with point-in-time recovery capability. Backups are encrypted and stored in geographically separate Azure UK regions to protect against regional outages.

Upon termination, customer data is retained for 60 days to allow for data retrieval or transition to another system. After this period, all customer data is permanently and irreversibly deleted, including backups (which may persist for up to 90 days from the deletion date due to Azure backup schedules). Schools may request early deletion at any time.

As Data Processor, Signal retains data for as long as the school instructs. Schools typically retain safeguarding records until a student reaches age 25, in line with statutory guidance. The school as Data Controller determines the appropriate retention period.

We recommend that organisations conduct a Data Protection Impact Assessment when implementing any system that processes children's safeguarding data, as it involves special category data and data relating to vulnerable individuals. This document, along with our DPA and supplier information page, provides the information you need to complete your assessment.

• This due diligence information document (what you're reading now)
• Data Processing Agreement — controller-processor obligations
• Supplier Information — detailed technical and security information
• Privacy Policy — how we handle personal data
• Terms and Conditions — full service agreement

If you require any additional information for your DPIA, please contact us.