Built to hold your most sensitive data safely
Student Radar handles attendance, behaviour, SEND and safeguarding records — some of the most sensitive data a school holds. Security isn’t a feature bolted on afterwards; it shapes how the platform is built. Here is what that means in practice, with the full evidence pack available for your procurement team.
Public security and due-diligence evidence reviewed . Controls are described at their published boundary; the document pack distinguishes current policies, assurance summaries, certificates, and review templates.
UK-hosted primary database
The primary pupil database is hosted in London (eu-west-2), and routine school records remain there. Optional, user-triggered services can involve the documented safeguarded transfers described below.
Encrypted at rest and in transit
All data is encrypted with AES-256 at rest and TLS 1.2 or higher in transit.
Strict access control
Mandatory multi-factor authentication (AAL2) for every staff account, role-based access control, and database row-level security.
Cyber Essentials certified
Certified under the UK Cyber Essentials scheme. This evidences the core control baseline; it is not presented as Cyber Essentials Plus or ISO 27001.
DfE digital standards
Self-certified against the Department for Education “meeting digital and technology standards in schools and colleges”.
You stay the data controller
Your school remains the data controller; SENDlink Ltd acts as processor under the published Data Processing Agreement, designed to support school-controller duties under UK GDPR.
AI and pupil data
AI features inside the subscribed platform are optional and enabled by your school. Those flows tokenise or remove personally identifiable information where that technical control is implemented. Recommendations remain advisory and are reviewed by a member of staff; Student Radar makes no automated pupil decisions under Article 22 of the UK GDPR.
Our free public Echo and Sensory Profiler tools are separate, user-triggered services. Echo sends the tapped phrase and button text for interpretation and speech; Sensory Profiler sends only generic pattern and behaviour catalogue selections when the visitor requests generation. Its API rejects names, school details, SEND status, year group, settings and free text, so neither Student Radar nor OpenAI receives that pupil context through the generation request. PDF rendering accepts the selections and the validated generated result only when it carries a short-lived server signature; edited or client-authored profile text is rejected. Responses requests set store=false; provider abuse-monitoring logs may still be retained for up to 30 days unless approved Zero Data Retention applies. The exact working data and 10-minute ephemeral caches are described in our Privacy Policy.
Sub-processors
Four sub-processors are core to running the platform: Supabase (UK-hosted database, authentication and storage), Vercel (application hosting), Wonde (your MIS integration) and Upstash (short-lived, HMAC-pseudonymised rate-limit counters in its London region). Twilio, Resend, platform OpenAI features and Sentry are school-enabled options; OpenAI is also used when a visitor actively triggers the public Echo or Sensory Profiler tools. The complete, current list is in our downloadable Sub-Processor List.
Retention and resilience
Your school controls retention. When a subscription ends, pupil and staff data is securely deleted — within 30 days unless you instruct otherwise. Encrypted backups are kept for disaster recovery for up to 90 days, and we maintain a documented incident response process so any security event is handled quickly and transparently.
Documentation for procurement
Browse the reviewed documents currently published for due diligence, including our Sub-Processor List, AI Transfer Overview, Business Continuity Summary, Incident Response Policy and Cyber Essentials evidence. Documents still awaiting legal or control-owner review are clearly withheld from the current pack.
Browse the procurement document libraryQuestions about data protection? Email our Data Protection Lead at dpo@studentradar.com.
