GovernorHub is compliant with GDPR requirements for the deadline of 25th May 2018. GovernorHub is currently fully compliant with all UK and European Data Protection regulations.
The operators of GovernorHub, Ortoo Technologies Ltd, act as a data processor on behalf of the schools, multi-academy trusts, charities, local authorities and independent organisations which subscribe to use the GovernorHub system as data controllers. GovernorHub data processing is conducted on the basis of contractual obligation to data controllers who are subscribing to use the system.
The subscribers to the system, as data controllers, have full access to create, update and delete the data under their control. The subscribers can obtain copies of their data in a portable format at any time and can revoke user access and delete users at any time. When a user subscription to GovernorHub expires, Ortoo Technologies Ltd will delete any remaining user data within an agreed lapse period at the end of the subscription term.
Ortoo Technologies Ltd use sub-processors to provide data centre and infrastructure services as follows: Amazon Web Services, Google Cloud Platform, Microsoft Azure and Object Rocket / Rackspace. GovernorHub processing takes place in sub-processor data centres within the European Economic Area (EEA) in Dublin, South Wales and London. Our data centre providers, Google, Amazon, Microsoft and Rackspace, all hold ISO 27001 certification (copies of which can be provided on demand).
Data within the GovernorHub system is encrypted during transit using TLS/HTTPS and is encrypted at rest in our database. Access to the infrastructure, including access and audit logs, is limited to GovernorHub developers. Underlying operating systems and container images are regularly updated in accordance with supplier recommendations.
Backups are maintained through daily snapshots of the database, which are periodically tested for recovery. Additionally, we take copies of database changes which can be used for more fine-grained recovery and instant recovery. The recovery processes are periodically tested. Records are kept of all data processing activities.
Ortoo Technologies Ltd will only act to access or change data on the written instructions of the data controller, for example to add a new academy board to a MAT subscription. Routine data control actions can be completed by subscribers. The company is registered with the ICO and has breach notification procedures in place. Any data breach would be reported to the relevant data controllers.
Data Controllers are able to download data on demand in response to subject access requests (SARs). Ortoo Technologies Ltd can assist with SAR data identification and download requests.
The staff and any contractors at Ortoo Technologies Ltd are trained in data protection and receive regular refresher training. Privileged access rights are tightly controlled and recorded. The company employs a Data Protection Officer.