Security measures at Sparx
Information on how Sparx protects school data can be found in our Security Information for Schools document. This is a PDF, should you wish to download a copy for your records.
We run nightly backups for both school and usage data.
Below are the most common headings, with additional information about our security arrangements.
We store our data ringfenced in the EEA
Sparx uses Google Cloud Platform (GCP) for cloud computing services, including hosting our platform and storing student, teacher and parent personal data. All our user data, including backups, is stored on GCP servers that are located in the European Economic Area. Our primary storage servers are in Belgium, on GCP Europe server EUROPE-WEST1. Our backups are hosted under Google's European Multi-regional bucket. This means that Google can choose which of its servers it uses, but the data can never leave the EU. You can read more about GCP servers or 'storage buckets' here.
All application data is encrypted at rest and is encrypted in transit using HTTPS for secure communication. Cryptographic keys are stored securely under carefully restricted access and secrets are rotated periodically.
We have never had a data breach notifiable to the ICO
Sparx has never had a breach notifiable to the ICO across any of its products. We have internal data protection policies and procedures in place that give Sparx employees clear instructions on the standards expected of them when processing personal data, and that include a clear process for employees to follow in the event of a personal data breach.
Data retention and research
Sparx keeps school data for 2 years
Parent data is deleted as soon as their child is no longer an active user.
Personal data relating to students and teachers is kept for 2 years after they are no longer active users. This is so we can restore school data if a school re-subscribes with us, or so we can answer queries such as Subject Access Requests. After this period all personal data is anonymised and kept for research purposes. You may request data to be deleted sooner if required.
Further information on our data retention schedule can be found in the Terms and Conditions > Section C: Data handling agreement > Duration of processing. We have developed our data retention policy in line with ICO and DfE guidelines.
We also keep anonymised data for research purposes
After our retention period, anonymised student data is kept for research purposes. This includes a student’s Sparx ID, their school & class, year of birth and their question-answer history or ‘Usage data’.
Personal information such as name, UPN, date of birth and IP address is deleted, and destruction logs are maintained. As such, it is no longer personal data. The usage data is vital for us to provide personalised homework. The 200 million plus data points feed in behind the scenes to help us understand how difficult questions are, or how long they are likely to take, for students of a given ability.
We do evaluation and product research
Sparx uses an anonymised dataset on live students wherever possible to improve our products. When insights work, whether internal or for external publication, may require one or more identifiable fields, any group of students that is small enough to be identifiable is discounted. That is to say, students would not be individually identifiable through aggregation. Examples include disregarding international students when looking at completion rates based on location, or removing non-binary students from a study when looking at correlations of age and gender with completion.