Security & Data Residency Compliance Charter
1. Purpose and Scope
This Security & Data Residency Compliance Charter outlines how Boarding School Software (BSS) protects personal data, respects privacy, and aligns with global best‑practice data protection standards. It is designed as a high‑level assurance document for schools and does not replace contractual terms. Further detail regarding data handling, legal responsibilities, and service terms is provided in our Privacy Policy and Terms & Conditions.
2. Global Privacy Framework Alignment
BSS aligns its data protection practices with leading international privacy and security frameworks, including but not limited to: GDPR (EU & UK), Australian Privacy Principles (APPs), New Zealand Privacy Act, CCPA and COPPA (USA), PIPEDA (Canada), PDPA (Asia‑Pacific), POPIA (South Africa), and comparable regional laws. We have drawn from the strongest elements of these frameworks to establish a unified, best‑practice model as we operate across jurisdictions.
3. Data Residency & Regional Hosting
Schools select the geographic region in which their data is stored. Customer data is designed to remain within that chosen region and is not transferred across borders unless explicitly requested by the school.
Supported regions include Australia, New Zealand, European Union, United Kingdom, United States, Canada, Asia‑Pacific, Africa, and the Middle East. Each region operates independently.
4. Cloud Infrastructure & Availability
All customer data is hosted within Amazon Web Services (AWS) regional data centres. Each deployment uses multiple availability zones to ensure resilience, fault tolerance, and load balancing. This architecture supports high availability and continuity of service.
5. Suppliers and Development Partners
BSS may engage third‑party suppliers such as cloud infrastructure providers, security services, and development partners where necessary to deliver and support the platform. All suppliers with potential access to personal data are required to operate under contractual terms, confidentiality obligations, and data‑processing agreements aligned with GDPR or equivalent international standards. These obligations may include standard Terms of Service, Data Processing Agreements (DPAs), Standard Contractual Clauses (SCCs), non‑disclosure agreements, and supplier security policies.
Our development partner operates under formal services agreements, confidentiality provisions, and restricted access controls.
6. Information Security Controls
BSS implements layered security controls including encryption of data at rest and in transit, secure network design, role‑based access controls, multi‑factor authentication, and continuous infrastructure monitoring. Backup and recovery processes ensure that data can be restored in a timely manner following technical or physical incidents.
7. Incident Readiness & Response
BSS maintains an Incident Management Procedure designed to detect, assess, contain, and remediate information security incidents. Where a personal data breach is likely to result in a high risk to individual rights and freedoms, BSS will support school notification obligations and act within applicable regulatory timeframes, including the 72‑hour standard under GDPR where relevant.
8. Individual Rights & School Responsibility
Data protection laws grant individuals specific rights, including access, correction, erasure, portability, and withdrawal of consent. BSS contracts directly with schools, not with parents, students, staff, or other individuals. Schools act as the primary data controllers for student and staff information and are responsible for obtaining appropriate consents and managing individual requests. BSS provides the technical tools that enable schools to fulfil these obligations.
9. Controller and Processor Roles
BSS acts as a data controller where it determines the purpose and means of processing personal data, such as managing customer accounts, authentication, billing, and support communications. BSS acts as a data processor when schools use the platform to manage student, staff, and boarding‑related data. In this role, BSS processes personal data strictly in accordance with customer instructions and configured controls.
10. Data Deletion & Service Exit
Upon service termination, schools may request a structured export of their data. Active customer data is then securely deleted, and backup copies are managed to expire under controlled lifecycle policies.
11. Continuous Improvement
BSS regularly reviews security practices, infrastructure updates, regulatory developments, and boarding‑sector requirements. Our security approach is aligned with internationally recognised standards but is not presented as a formal ISO certification.
12. Contact & Review
Schools may request a technical or regional review covering data residency, access controls, authentication policies, and deletion processes. Demonstration environments may be provided upon request.