Data Security & Protection

Technical and organisational security measures
We apply appropriate technical and organisational measures to protect the confidentiality, integrity, and availability of personal information throughout your whole experience with us: during storage, processing, and transit. Throughout the group, we’ve implemented a wide range of measures to control and monitor access to certain resources. Our team keep up to date with recent developments and emerging threats in the field and are quick to deploy solutions should the need arise.

Protecting your data at all times
Our Information Security Team operate an ISO27001 certified security programme to help always protect your data.

What is ISO27001?
ISO27001 is an international standard which lays out how to implement and manage an Information Security Management System (ISMS). Our certification applies to functions of ParentPay Group such as our dedicated Data Security Team and the ParentPay product. The scope of the ISMS is however wider and covers the management of information and business activities in the group. The scope includes staff and assets within associated business functions, including software and product development, IT and infrastructure hosting, service desk and support facilities, sales and marketing, finance functions, and HR. The scope also includes company offices and server hosting facilities.

Regular audits and security checks
We are a Level 1 PCI-DSS certified organisation and are subject to regular and comprehensive security audits.

What is PCI DSS Level 1?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit payment card information maintain a secure environment. Those entities in the group that process payment card data, and therefore fall under PCI DSS, are assessed for compliance at least annually; ParentPay and Schoolcomms, because of the large number of payments that they process, undergo a full on-site assessment from an external Qualified Security Assessor Company (QSAC) to attest PCI Level 1 compliance. The PCI standard requires over 250 controls and requirements that span all areas of the business, including physical security, visitor management, awareness training, network scanning, security penetration testing, auditing and logging, networks and firewalls, endpoint security such as anti-malware, disk encryption, special development processes, and technical security specific criteria.

ParentPay Group is certified to Level 1, which is the highest level of assessment available under PCI.

Specific Privacy Notices for each of our products
Our Privacy Notices are specifically written for each of our products and their use of personal information. They are easily accessible on the relevant product websites.

We understand our responsibilities to your data
All of our employees have had specific GDPR and Data Protection training relevant to their products. We all understand our obligations to Data Protection and the confidentiality of Personal Information.

We have a number of staff trained to Certified EU General Data Protection Regulation Practitioner (EU GDPR P) or Foundation (EU GDPR F) levels. All staff of ParentPay Group receive training (and annual refreshers) on data protection.

ParentPay Group delivers security awareness training to all employees. This training is conducted on a regular basis, with frequent tests including simulated phishing attacks. This ensures that our employees are able to identify real-world threats and are able to then follow the correct procedures.

Due to the sensitive nature of the data that we collect and process, all employees must undergo a
Disclosure Barring Service (DBS) background check upon employment.

A dedicated information security team.
ParentPay Group’s information security team ensures that all business units in ParentPay Group comply with legislation and compliance standards such as ISO27001, PCI-DSS, and GDPR, and answer any queries from staff or customers.

A member of staff from the security team is available 24/7 in order to respond to any security incidents that may occur.

Contact details for our Data Protection Officer (DPO): dpo@parentpay.com