Calmcloud Information Security Policy
Purpose
The purpose of this policy is to ensure the security, confidentiality, and integrity of all information collected, stored, and processed by the Calmcloud app. As a tool supporting children’s wellbeing in schools, Calmcloud has a responsibility to protect sensitive personal data, particularly that of minors, against unauthorized access, misuse, loss, or disclosure.
Scope
This policy applies to:
- All Calmcloud data, whether stored electronically or physically.
- All users, including school staff, administrators, and Calmcloud team members.
- All devices and systems used to access Calmcloud data.
Objectives
The objectives of this policy are to:
- Safeguard children's emotional wellbeing data.
- Ensure compliance with UK GDPR, Data Protection Act 2018, and safeguarding standards.
- Prevent unauthorized disclosure or modification of sensitive information.
- Ensure that schools, staff, and parents trust Calmcloud to securely manage data.
Roles & Responsibilities
The roles and responsibilities of the Calmcloud team are as follows:
- Calmcloud Management: Ensure policies are enforced and resources allocated.
- Data Protection Officer (DPO): Oversee compliance with data protection regulations and respond to data subject requests.
- Developers & IT Team: Maintain secure coding practices, encryption, backups, and security monitoring.
- School Staff/Users: Protect login credentials, use the system responsibly, and report any security concerns.
Key Policy Areas
5.1 Data Security
- All personal data is encrypted at rest (AES-256) and in transit (TLS 1.2 or higher).
- Sensitive data (children’s wellbeing inputs, emotional check-ins) is stored securely in compliance with GDPR.
- Access to student data is role-based (teachers see their pupils, administrators see anonymized reports).
5.2 Access Control
- Multi-factor authentication (MFA) is required for administrative access.
- Passwords must meet strong complexity standards and be changed regularly.
- User accounts are reviewed and disabled promptly when staff leave a school.
5.3 Acceptable Use
- Users must not share login credentials.
- Calmcloud may only be used for its intended educational and wellbeing purposes.
- Personal devices used to access Calmcloud must have basic protections (PIN/password, lock screen, and antivirus).
5.4 Network & Infrastructure Security
- Calmcloud is hosted on secure, GDPR-compliant servers within the UK.
- Firewalls, intrusion detection, and monitoring tools are maintained to detect suspicious activity.
- Regular vulnerability scans and penetration tests are conducted.
5.5 Incident Response
- All suspected data breaches must be reported immediately to the DPO.
- Calmcloud will notify affected schools and, if required, the ICO (Information Commissioner’s Office) within 72 hours.
- Incident logs will be maintained and reviewed.
5.6 Business Continuity & Disaster Recovery
- Encrypted backups are performed daily and tested monthly.
- In the event of system failure, service restoration procedures aim to restore service within 24 hours.
5.7 Compliance & Monitoring
- Regular audits ensure compliance with GDPR and safeguarding standards.
- All data processing agreements (DPAs) with third parties are reviewed annually.
Training & Awareness
- Calmcloud staff receive annual training on data protection, safeguarding, and information security.
- Schools using Calmcloud will be provided with guidance on safe use and protecting student privacy.
Enforcement
Violations of this policy may result in withdrawal of access to the Calmcloud app and its contents, contract termination, or legal action.
Review
This policy will be reviewed annually or whenever there are major changes in legislation, technology, or operational requirements.