Disaster Recovery Statement

Pupil Asset has a fully documented Disaster Recovery policy aligned to the ISO/IEC 27001:2013 standards.

The Pupil Asset Management Information System (MIS) is a fully Cloud-based Software-as-a-Service (SaaS) and therefore hosted remotely from the client(s) site(s). We take security and data protection legislation extremely seriously and for this reason we have chosen to use two United Kingdom located Cloud hosting Infrastructure-as-a-Service (IaaS) providers.

We ensure data confidentiality, integrity and availability through a robust combination of policies, processes and independent evaluation.

Data is hosted in and does not leave the European Economic Area (EEA).

Rackspace and Bytemark provide our Cloud hosting. Relevant accreditations include Crown Commercial Services (formerly G-Cloud) framework provider, PCI DSS, ISO/IEC 27001 Information Security Management, ISO 9001 Quality Management and ISO 14001 Environmental Management.

The approach to our Cloud hosting architecture affords us excellent resilience in the context of Business Continuity, Disaster Recovery (DR) and High Availability (HA). We have chosen two different Cloud infrastructure suppliers based in geographically separate locations to maximise failover and load balance options.

Pupil Asset LTD follow the ISO/IEC 27001:2013 – Information Security Management standard. This means that we have to maintain a relevant Business Continuity and Disaster Recovery Plan. This plan is subject to regular internal review. We have an Information Security Management System (ISMS) group which meets regularly and by exception. The ISMS group includes Director level membership.

As part of this methodology, recovery exercises are performed on a regular basis simulating disaster recovery scenarios. In the rare event that a system failure does occur, in conjunction with our Cloud hosting providers, we use an aggressive root cause analysis process to deeply understand the cause. Implementation of improvements learned from such an event is a top priority for us. We will provide post-mortems for every customer-impacting incident upon request, should one occur.

Furthermore, Business Continuity and Disaster Recovery feature in our day-to-day operational processes as part of our commitment to excellent IT service management through the adoption and embedding of the ITILv3 framework for IT support.

We conduct tests against our Business Continuity and Disaster Recovery plans at least annually, after a significant change and release, and in the event of something such as an office move.

Our MIS service, including the infrastructure to support it, together with our Information Security Management System (ISMS) and related policies and procedures, are independently audited at least annually, or after a major change.

Pupil Asset LTD is registered with the Information Commissioner’s Office (ICO) for the purpose of compliance with the Data Protection Act (DPA) legislation. Our registration number is: Z259587X. We also subscribe to the ICO news feeds including Decision Notices, News and Enforcement (see here for more information). We have a number of employees who are fully trained in the DPA (and forthcoming GDPR) and Freedom of Information Act (FOI) and are responsible for ensuring that all Pupil Asset employees understand their obligations.

Pupil Asset are actively involved with DfE groups including MIS and Data working groups and subscribe to the various information feeds including for data privacy and security. As a Cloud SaaS provider, we actively encourage schools to review the latest DfE guidance (10/2014 read it here) for schools wanting to embrace Cloud services and of course ensure that all of our services meet the latest regulation and advice.

Backups at Pupil Asset

The entirety of Pupil Asset is cloned overnight, every night, to two locations physically distinct from the core data centre in Manchester.

We keep backup information for up to three years (or longer, if there is a valid business requirement) and have procedures for the restoration of information should that be absolutely required by a school or group.