Data Processing and Security Policy

Introduction

Purple is a secure data and impact analysis platform designed for use by schools, multi academy trusts and education partners.

This policy explains how Purple processes, stores and protects personal data when delivering platform services.

Data Controller and Data Processor Responsibilities

When using Purple:
• Schools, trusts and partner organisations act as Data Controllers
• Purple acts as a Data Processor

Purple processes personal data only on documented instructions from the relevant Data Controller and in accordance with its contractual agreements.

The Data We Process

Student Data

Depending on the service provided, this may include:
• Demographic information
• Attendance data
• Behaviour data
• Achievement and attainment data
• Intervention and provision information
• Vulnerability indicators
• Safeguarding and wellbeing indicators

Staff Data

This may include:
• Staff names
• Staff roles
• School-issued email addresses
• User permissions and access levels

Survey and Evaluation Data

This may include:
• Student feedback
• Staff feedback
• Parent or carer feedback
• Programme evaluation information
• Impact measurement data

Purple processes only the information necessary to deliver the agreed service.

How Data Is Used

Personal data is processed to:
• Deliver dashboards, reporting and analytics
• Support intervention tracking and impact analysis
• Enable secure platform access
• Maintain platform performance and reliability
• Deliver onboarding, training and support services
• Monitor security and prevent misuse

Sub-processors

Purple uses carefully selected third-party providers to support service delivery, including:
• Wonde Limited – MIS data integration
• Microsoft Azure (UK regions) – cloud hosting and infrastructure

All sub-processors:
• Operate under contractual agreements
• Are subject to appropriate data protection obligations
• Process data only as required to deliver services
• Maintain recognised security standards

Purple remains responsible for all approved sub-processors.

Data Hosting and International Transfers

• Data is primarily hosted within Microsoft Azure UK data centres (including UK South and UK West regions)
• Wonde processes data within AWS infrastructure located in Ireland
• Where personal data is processed outside the UK, appropriate safeguards are implemented in accordance with UK GDPR requirements

Data Accuracy

Purple relies on information provided by schools, trusts and authorised integrations.

Purple cannot be responsible for inaccuracies resulting from incorrect, incomplete or inconsistent data supplied by third parties.

Data Retention

• Data is retained only for as long as necessary to deliver services and meet legal, contractual and operational requirements
• Standard retention periods may be up to five (5) years where required for audit, compliance, safeguarding, system integrity or contractual obligations
• Organisations may request data exports in accordance with contractual agreements
• Following termination, data will be securely returned or deleted in accordance with agreed terms
• Data is securely deleted once retention requirements have been met

Data Subject Rights

Individuals have rights under UK GDPR, including rights of access, rectification, restriction and erasure where applicable.

Requests relating to school data should normally be directed to the relevant school, trust or organisation acting as Data Controller.

Data Breach Management

Purple maintains documented incident response procedures.

In the event of a personal data breach:
• Appropriate containment measures will be implemented immediately
• Relevant organisations will be informed without undue delay
• Notification obligations under UK GDPR will be followed where applicable
• Corrective actions will be taken to minimise risk and prevent recurrence

Platform Access and Support

Purple may access user accounts and platform data where reasonably necessary to:
• Provide technical support
• Investigate issues
• Monitor security
• Maintain and improve services
• Investigate suspected misuse

Access is restricted to authorised personnel, is logged and monitored where appropriate, and is subject to confidentiality and data protection obligations.

Security Measures

Access Control and Segregation

• Role-based permissions
• Least-privilege access principles
• Segregation between organisations

Encryption and Infrastructure

• Encryption in transit using TLS
• Encryption at rest using industry-standard methods
• Secure UK-based hosting infrastructure

Monitoring and Testing

• Continuous monitoring and alerting
• Vulnerability scanning
• Regular security reviews
• Independent penetration testing

Personnel with access to sensitive pupil information are subject to appropriate recruitment, safeguarding and confidentiality requirements.

Business Continuity and Disaster Recovery

Purple maintains documented business continuity, backup and disaster recovery procedures designed to support service resilience and data availability.

Regular backups are performed and recovery procedures are reviewed periodically to support the restoration of services, minimise disruption and protect data integrity following an unexpected event.

Artificial Intelligence (AI)

Purple may use AI-enabled technologies to support insight generation, pattern identification and benchmarking.

We ensure that:
• AI supports analysis and insight generation but does not make decisions about individuals
• No solely automated decisions are made about individuals
• AI-generated insights are intended to support professional judgement and informed decision-making
• Personal data is not used to train general AI models without appropriate approval and safeguards
• Human oversight remains in place at all times

Contact

For questions relating to data protection or information security, please contact:

Purple (Think for the Future Ltd)
Email: info@purple.education

Last updated: June 2026 

Next review due: June 2027