Security & Data Protection FAQ
For school procurement officers, IT leads, and data protection officers. Last updated February 2026.
Hosting & Infrastructure
Where is data hosted?
All school data (teacher accounts, school configuration, class data, pupil records, and pupil progress data) is hosted on Supabase, which runs on Amazon Web Services (AWS) in the eu-west-2 region (London, United Kingdom). Data does not leave the United Kingdom for processing or storage.
Who is your hosting provider?
Our primary infrastructure provider is Supabase Inc., a managed backend platform built on top of Amazon Web Services. Supabase provides our database (PostgreSQL), user authentication, file storage, and serverless functions, all within the eu-west-2 (London) AWS region. The teacher portal website is hosted on Vercel, which serves content from edge locations with the United Kingdom as the preferred region.
Do you have a Service Level Agreement (SLA)?
Supabase provides a 99.9% uptime SLA on their Pro and Enterprise plans. We will provide our own SLA to schools covering service availability and support response times as part of the subscription agreement. The Spell & Grow mobile app functions offline for spelling practice — pupils can continue to practise school-assigned word lists even without an internet connection, with progress synced when connectivity is restored.
Encryption & Data Protection
Is data encrypted in transit?
Yes. All data transmitted between clients (the mobile app, the teacher portal) and our servers is encrypted using TLS 1.2 or higher, and HTTPS is enforced on all endpoints. Our HTTPS endpoints also send HTTP Strict Transport Security (HSTS) headers, which instruct browsers to refuse plain-HTTP connections to the portal and so defeat SSL-stripping (HTTPS-to-HTTP downgrade) attacks.
Is data encrypted at rest?
Yes. All data stored in the database and file storage is encrypted at rest using AES-256 encryption, managed by AWS. This includes database records, file storage, and backups.
How are passwords stored?
Teacher and school administrator passwords are stored by Supabase Auth as salted bcrypt hashes with a work factor that makes offline guessing expensive; the plaintext password is never stored or logged, and our own code never handles it beyond passing it to the authentication service over TLS. Password reset is handled via time-limited tokens delivered by email.
Authentication & Access Control
How do teachers log in?
Teachers authenticate via email and password through the teacher portal. Authentication is managed by Supabase Auth, which issues short-lived signed JSON Web Tokens (JWTs). Every API request carries its JWT, whose signature is verified before the identity it asserts is used for authorisation. All authentication occurs over HTTPS.
How is school data isolated?
We use PostgreSQL Row-Level Security (RLS) policies to enforce data isolation at the database level. Each school’s data is logically separated: a teacher at School A cannot access any data belonging to School B, even by crafting API requests directly rather than using the portal. Teachers with the “teacher” role can only access classes they have been assigned to; school administrators can access all classes within their school. Because the policies are evaluated by the database engine for every query, rather than only by the application layer, a bug or bypass in the portal cannot on its own expose another school’s rows, which provides defence in depth.
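To show what such policies look like in practice, the following is an added example with a constructed, simplified schema; it is not Spell & Grow’s own schema or policies. The table names, the app_user role and the current_teacher_id() helper are assumptions for the example (on Supabase the helper corresponds to auth.uid(), which reads the same request.jwt.claims setting that PostgREST populates from the verified JWT). It runs on stock PostgreSQL 13 or later when executed as a superuser, e.g. with psql.

```sql
-- Added example: constructed schema and policies, not Spell & Grow's own.
-- Requires PostgreSQL 13+ (gen_random_uuid() is built in). Run as a superuser.
create table schools  (id uuid primary key, name text not null);
create table teachers (
  id        uuid primary key,                 -- equals the JWT "sub" claim (auth.users.id on Supabase)
  school_id uuid not null references schools(id),
  role      text not null check (role in ('teacher', 'school_admin'))
);
create table classes (id uuid primary key, school_id uuid not null references schools(id), name text not null);
create table class_teachers (                 -- which teachers are assigned to which classes
  class_id uuid references classes(id), teacher_id uuid references teachers(id),
  primary key (class_id, teacher_id)
);
create table pupils (
  id         uuid primary key default gen_random_uuid(),
  class_id   uuid not null references classes(id),
  first_name text not null,
  anon_id    text not null unique             -- app-generated identifier, not a device ID
);

-- The role API requests run as. It gets access to classes and pupils only; teachers and
-- class_teachers are reached solely through the SECURITY DEFINER helper below.
create role app_user nologin;
grant select, insert, update, delete on classes, pupils to app_user;

-- Caller identity, read from the verified JWT that the API layer stores in the
-- request.jwt.claims setting for the request. On Supabase this is what auth.uid() returns.
create function current_teacher_id() returns uuid language sql stable as $$
  select (nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> 'sub')::uuid
$$;

-- SECURITY DEFINER: runs with the owner's privileges, so this lookup is not itself filtered
-- by the policies below (which would otherwise recurse into themselves).
create function can_access_class(p_class_id uuid) returns boolean
language sql stable security definer set search_path = public as $$
  select exists (
    select 1
    from classes c
    join teachers t on t.school_id = c.school_id        -- never crosses a school boundary
    where c.id = p_class_id
      and t.id = current_teacher_id()
      and (t.role = 'school_admin'                      -- admins: every class in their school
           or exists (select 1 from class_teachers ct   -- teachers: assigned classes only
                      where ct.class_id = c.id and ct.teacher_id = t.id))
  )
$$;

alter table classes enable row level security;
alter table pupils  enable row level security;
-- USING filters rows the caller may read/update/delete; WITH CHECK rejects inserts or
-- updates that would place a row in a class the caller cannot access.
create policy classes_by_assignment on classes for all to app_user
  using (can_access_class(id)) with check (can_access_class(id));
create policy pupils_by_class on pupils for all to app_user
  using (can_access_class(class_id)) with check (can_access_class(class_id));

-- Constructed sample data: two schools, three staff, three classes, three pupils.
insert into schools values
  ('aaaaaaaa-0000-4000-8000-000000000000', 'School A'),
  ('bbbbbbbb-0000-4000-8000-000000000000', 'School B');
insert into teachers values
  ('11111111-0000-4000-8000-000000000000', 'aaaaaaaa-0000-4000-8000-000000000000', 'teacher'),
  ('22222222-0000-4000-8000-000000000000', 'aaaaaaaa-0000-4000-8000-000000000000', 'school_admin'),
  ('33333333-0000-4000-8000-000000000000', 'bbbbbbbb-0000-4000-8000-000000000000', 'teacher');
insert into classes values
  ('a1000000-0000-4000-8000-000000000000', 'aaaaaaaa-0000-4000-8000-000000000000', 'Year 3'),
  ('a2000000-0000-4000-8000-000000000000', 'aaaaaaaa-0000-4000-8000-000000000000', 'Year 4'),
  ('b1000000-0000-4000-8000-000000000000', 'bbbbbbbb-0000-4000-8000-000000000000', 'Year 3');
insert into class_teachers values
  ('a1000000-0000-4000-8000-000000000000', '11111111-0000-4000-8000-000000000000');
insert into pupils (class_id, first_name, anon_id) values
  ('a1000000-0000-4000-8000-000000000000', 'Ada', 'k7x2p9'),
  ('a2000000-0000-4000-8000-000000000000', 'Ben', 'm3q8r1'),
  ('b1000000-0000-4000-8000-000000000000', 'Cy',  'z9w4t6');

-- Teacher 1111... (School A, assigned to Year 3 only): sees Ada and nobody else.
begin;
set local role app_user;
select set_config('request.jwt.claims', '{"sub":"11111111-0000-4000-8000-000000000000"}', true);
select first_name from pupils order by first_name;
-- A hand-crafted request naming School B's class yields zero rows, not an error:
select first_name from pupils where class_id = 'b1000000-0000-4000-8000-000000000000';
-- Writing into that class is rejected by WITH CHECK ("new row violates row-level security policy"):
insert into pupils (class_id, first_name, anon_id)
  values ('b1000000-0000-4000-8000-000000000000', 'Eve', 'x1y2z3');
rollback;

-- School admin 2222... (School A): sees Ada and Ben, never Cy.
begin;
set local role app_user;
select set_config('request.jwt.claims', '{"sub":"22222222-0000-4000-8000-000000000000"}', true);
select first_name from pupils order by first_name;
rollback;
```

The two checks a reviewer should look for are visible here: the helper joins teachers to classes on school_id, so no policy can ever return a row from another school, and the API role has no direct grant on the membership tables, so a teacher cannot query or edit their own assignments. Note that the database owner and any role with BYPASSRLS (the service role on Supabase) are not subject to these policies, so client-facing connections must run as the restricted role.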
How do pupils authenticate?
Pupils do not have accounts. The pupil’s parent links the child’s app profile to a school class by entering a 6-character join code in the parent-controlled area of the app. The app transmits only the child’s first name and an application-generated anonymous identifier to the server. No email address, password, date of birth, surname, or device identifier is collected from pupils.
GDPR Compliance
What is your lawful basis for processing?
Teacher data: performance of a contract (the subscription agreement between the school and Igloo Labs). Pupil data: the school, as data controller, determines the lawful basis for processing pupil data (for example, legitimate interest in educational provision). Igloo Labs processes pupil data solely on the school’s instructions as data processor.
Who is the data controller?
The school is the data controller for pupil data. Igloo Labs acts as the data processor, processing data only on the school’s behalf and in accordance with the school’s instructions, as documented in our Data Processing Agreement.
Do you have a Data Processing Agreement (DPA)?
Yes. Our DPA is available for download and follows the ICO’s guidance on controller-processor contracts under Article 28 of the UK GDPR. It covers scope and purpose of processing, categories of data subjects and types of personal data, processor obligations, data subject rights, data retention schedule, termination and data return/deletion, security measures appendix, and sub-processor list. Schools may countersign our standard DPA or request amendments.
How do you support Data Subject Access Requests (DSARs)?
Teacher data: School administrators can view and export all teacher account information via the portal. Pupil data: School administrators and teachers can view and export all pupil data (first name, anonymous identifier, progress records) in CSV format. Parents can view their child’s school-linked data in the app and unlink at any time. For erasure: school administrators can delete individual pupil records, entire classes, or all school data. Parents can unlink their child, which triggers server-side deletion of the pupil record.
Children’s Data
What data do you collect from children?
We collect the absolute minimum data necessary for the educational service: first name (displayed to the teacher for identification), an anonymous identifier (a random code generated by the app to prevent duplicate records — it is not a device ID or personal identifier), and spelling progress (words attempted, accuracy, and completion status for school-assigned lists).
What data do you NOT collect from children?
We do not collect: surname, date of birth, email address, home address, device identifiers (IDFA, GAID, or similar), IP addresses linked to pupil records, photographs, voice recordings or biometric data, location data, browsing behaviour or analytics data, or any special category data.
Is the app COPPA and GDPR-K compliant?
Yes. Children do not create accounts, provide email addresses, or set passwords. The app does not include any third-party analytics, advertising, or tracking libraries. The app is entirely ad-free. Subscription management is within the parent-controlled area. There are no social features, messaging, or user-generated content from children. The join code is entered by the parent in the PIN-protected parent area, constituting verifiable parental involvement.
How does the Age Appropriate Design Code apply?
The app is designed with the ICO’s Age Appropriate Design Code (Children’s Code) in mind. The service exists solely for educational benefit (best interests of the child). Only strictly necessary data is collected (data minimisation). Privacy is protective by default. This FAQ, our DPA, and our privacy policy clearly explain what data is collected (transparency). The parent area is PIN-protected with full visibility and control (parental controls). Spelling progress is used solely for educational display, not profiling (no profiling). The app does not use manipulative design patterns (no nudge techniques).
Backup & Disaster Recovery
How often are backups taken?
Supabase performs daily automated backups of all database data. Additionally, Point-in-Time Recovery (PITR) is available, enabling restoration to any specific point within the retention window.
Where are backups stored?
Backups are stored within the same AWS region (eu-west-2, London) and are encrypted at rest using AES-256.
What is your RPO and RTO?
With Point-in-Time Recovery, our Recovery Point Objective (RPO) is effectively near-zero (minutes). Our target Recovery Time Objective (RTO) is 4 hours for full service restoration. The mobile app continues to function offline during any service disruption, so pupil spelling practice is not interrupted.
Security Testing & Certifications
Do you conduct penetration testing?
Penetration testing is planned prior to the launch of Spell & Grow for Schools and will be conducted annually thereafter. Results (or an executive summary) will be made available to schools on request under NDA.
Do you have Cyber Essentials certification?
Cyber Essentials certification is planned and we are working towards certification. We will update this page when achieved.
Do you have ISO 27001 certification?
Not currently. As a small company, we follow information security best practices aligned with ISO 27001 principles but have not yet pursued formal certification.
Data Retention
How long do you keep pupil data?
Active academic year: pupil records and progress data are retained for the duration of the current academic year. Historical data: pupil progress from previous academic years is retained for 12 months after the end of the academic year, then automatically deleted. On subscription lapse: if the school’s subscription expires or is cancelled, all school data is retained for 30 days to allow for data export, then permanently deleted.
How long do you keep teacher data?
Teacher account data is retained for the duration of the school’s subscription, plus 30 days after termination to allow for data export. It is then permanently deleted.
Can we request earlier deletion?
Yes. School administrators can delete individual pupil records, classes, or all school data at any time via the teacher portal. For complete account deletion, contact schools@spellandgrow.app.
Incident Response
What is your incident response process?
We maintain a documented incident response procedure covering: (1) Identification — detection via monitoring, logging, and reports; (2) Containment — immediate steps to limit scope and impact; (3) Eradication — removal of the root cause; (4) Recovery — restoration of affected systems; (5) Post-incident review — analysis and implementation of preventive measures.
How quickly will you notify us of a data breach?
In accordance with our DPA, we will notify the school within 24 hours of becoming aware of a Personal Data Breach affecting the school’s data. The notification will include the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken to address the breach. This leaves the school, as controller, time to meet its own 72-hour obligation to report to the ICO under Article 33 of the UK GDPR where that applies.
Sub-processor list
Third-party services that process data on behalf of Spell & Grow for Schools.
| Sub-processor | Purpose | Data Location | Data Processed |
|---|---|---|---|
| Supabase Inc. | Database, auth, file storage | AWS eu-west-2 (London) | Teacher accounts, school data, pupil progress, audio |
| ElevenLabs Inc. | Text-to-speech audio generation | US (word text only, no PII) | Word and sentence text only |
| Vercel Inc. | Website and portal hosting | Edge (UK preferred) | Teacher portal sessions |
| Stripe Inc. | Payment processing | EU/UK | School billing contacts only |
View the full sub-processor list at spellandgrow.app/schools/sub-processors. We notify schools at least 30 days before adding a new sub-processor.
Company details
Company name
Igloo Labs Ltd
Registered address
London, United Kingdom
Data protection contact
Schools enquiries
Website
Response time
Within 2 working days
Need more detail?
If you have additional security questions or require documentation for your procurement process, please get in touch.