Student Radar
BESA Awards 2026 — Start-up of the Year shortlist
Security & data protection

Built to hold your most sensitive data safely

Student Radar handles attendance, behaviour, SEND and safeguarding records — some of the most sensitive data a school holds. Security isn’t a feature bolted on afterwards; it shapes how the platform is built. Here is what that means in practice, with the full evidence pack available for your procurement team.

UK data residency

Your data stays in the UK. The primary database is hosted in the UK (London, eu-west-2). Student records are not routinely transferred outside the UK/EEA.

Encrypted end to end

All data is encrypted with AES-256 at rest and TLS 1.2 or higher in transit.

Strict access control

Mandatory multi-factor authentication (AAL2) for every staff account, role-based access control, and database row-level security.

Cyber Essentials certified

Certified under the UK Cyber Essentials scheme, demonstrating compliance with core security controls.

DfE digital standards

Self-certified against the Department for Education “meeting digital and technology standards in schools and colleges”.

You stay the data controller

Your school remains the data controller; SENDlink Ltd acts as your processor under a UK GDPR-compliant Data Processing Agreement.

AI and pupil data

AI features are optional and enabled by your school. Before any data is sent to an external AI service, personally identifiable information is tokenised or removed, so the service receives de-identified data and cannot build a profile of a child. Student Radar makes no automated decisions about pupils under Article 22 of the UK GDPR — every recommendation is advisory and reviewed by a member of staff before it is acted on.

Sub-processors

Three sub-processors are core to running the platform: Supabase (UK-hosted database, authentication and storage), Vercel (application hosting) and Wonde (your MIS integration). Optional services — Twilio, Resend, OpenAI and Sentry — are only used when your school enables them. The complete, current list is in our downloadable Sub-Processor List.

Retention and resilience

Your school controls retention. When a subscription ends, pupil and staff data is securely deleted — within 30 days unless you instruct otherwise. Encrypted backups are kept for disaster recovery for up to 90 days, and we maintain a documented incident response process so any security event is handled quickly and transparently.

Documentation for procurement

Everything your data protection and procurement teams need is ready to download: our Data Processing Agreement, DPIA, Information Security Policy, Sub-Processor List, Data Retention Policy, Business Continuity Summary, Cyber Essentials evidence, and more.

Browse the procurement document library

Questions about data protection? Email our Data Protection Lead at dpo@studentradar.com.