Security & Data Protection Impact Assessment
Last updated: 19 March 2026
This document provides an overview of the security measures, data protection impact assessment (DPIA), and compliance posture of the Chapter Schools platform. It is intended for school procurement teams, Data Protection Officers, and IT leads evaluating Chapter Schools for use within their institution or trust.
1. Data Protection Impact Assessment summary
1.1 Purpose of processing
Chapter Schools processes personal data to provide a comprehensive careers education management platform for UK secondary schools, academies, sixth form colleges, and multi-academy trusts. Processing activities include managing student career profiles, tracking Gatsby Benchmark evidence, facilitating guidance sessions, generating AI-assisted lesson content, communicating with parents and staff, and producing compliance reports for Ofsted.
1.2 Necessity and proportionality
All personal data processed is necessary for the delivery of careers education services as directed by the subscribing school (the Data Controller). Data collection is limited to what is required for the platform to function effectively. Schools control which data is uploaded and can configure the platform to match their specific needs. AI features use anonymised context only — no identifiable student data is sent to third-party AI providers.
1.3 Data subjects affected
- Students aged 11–18 (Key Stage 3, Key Stage 4, and Key Stage 5)
- School staff including careers leads, teachers, administrators, and senior leaders
- Parents and guardians who receive communications via the platform
1.4 Volume of data
Typically 500–2,000 student records per school, with associated staff accounts (5–30 per school) and parent contact records. Multi-academy trusts may have aggregated data across multiple schools.
2. Risk assessment
The following risks have been identified and assessed, with corresponding mitigations in place:
2.1 Data breach
Risk: Unauthorised disclosure of student personal data through system compromise or vulnerability exploitation.
Mitigation: All data encrypted at rest (AES-256) and in transit (TLS 1.2+). Row-Level Security (RLS) policies enforce strict data isolation between schools. Continuous automated dependency vulnerability scanning and security patching (see Section 6.1). Infrastructure hosted on SOC 2 and ISO 27001 certified platforms.
2.2 Unauthorised access
Risk: Individuals accessing data they are not authorised to view, either through compromised credentials or privilege escalation.
Mitigation: Role-based access control (RBAC) with least-privilege principles. JWT-based authentication with short-lived access tokens (1-hour expiry). Supabase RLS policies ensure every database query is scoped to the authenticated user's school. Password hashing using bcrypt.
2.3 Data loss
Risk: Permanent loss of school data due to infrastructure failure or accidental deletion.
Mitigation: Daily automated backups managed by Supabase. Point-in-time recovery (PITR) available. Data hosted on redundant infrastructure within the EU (Ireland) region.
2.4 AI data leakage
Risk: Student personal data being exposed to or retained by third-party AI providers.
Mitigation: No personally identifiable information (PII) is sent to AI models. All AI features (Chappy assistant, lesson plan generation, worksheet creation) use anonymised and contextual data only. Anthropic does not train on API inputs and, under its standard commercial terms, retains them only for a limited deletion window; the exclusion of PII from prompts, not provider retention policy, is the primary control.
2.5 Third-party sub-processor risk
Risk: Sub-processors failing to adequately protect personal data or processing data outside agreed terms.
Mitigation: Data Processing Agreements (DPAs) signed with all sub-processors. Primary data hosting within the EU/UK. EU Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements (IDTAs) in place for any US-based processors. Sub-processor register maintained and reviewed (see Section 5).
3. Technical security measures
3.1 Infrastructure
- Application hosting: Cloudflare Workers — globally distributed edge deployment with enterprise-grade DDoS protection and WAF
- Database: Supabase PostgreSQL — hosted in EU (Ireland, eu-west-1) with managed infrastructure
- CDN and edge security: Cloudflare — automatic HTTPS, HTTP/3, bot management
3.2 Authentication
- Supabase Auth with JWT-based session management
- Short-lived access tokens (1-hour expiry) with refresh token rotation: each refresh issues a new refresh token and invalidates the one just used, limiting the value of a stolen token
- Password hashing using bcrypt with appropriate cost factor
- Session cookies set with the Secure and HttpOnly flags (sent over HTTPS only, not readable from page script)
- Invite-based onboarding for school staff (no open registration)
3.3 Authorisation
- Row-Level Security (RLS) policies on all database tables — every query made with a user's JWT is scoped to that user's school. Supabase's service-role key bypasses RLS, so any server-side code using it must apply the same school scoping explicitly
- Role-based permissions (admin, careers lead, teacher, read-only)
- Least-privilege access principles enforced at the database level
- Trust-level access controls for multi-academy trust administrators
3.4 Encryption
- In transit: TLS 1.2+ enforced on all connections (HTTPS only)
- At rest: AES-256 encryption for all stored data (Supabase managed)
- Webhook verification: HMAC-SHA256 signature validation for all inbound webhooks
3.5 AI processing
- AI features powered by Anthropic Claude API
- No student PII transmitted to AI models — context is anonymised before processing
- Anthropic does not train on API data and retains API inputs only for the limited deletion window in its standard commercial terms
- AI outputs are advisory only and subject to staff review
3.6 Email delivery
- Transactional email via Resend API
- Bounce and complaint handling with automatic suppression
- No marketing emails sent without explicit school-level consent
- Webhook verification for delivery status callbacks
4. Data hosting and residency
Chapter Schools is designed to keep data within the UK/EU wherever possible:
- Primary database: Supabase — EU (Ireland, eu-west-1). All student, staff, and school data resides here.
- Application hosting: Cloudflare Workers — global edge network with EU-compliant data handling. No persistent personal data stored at the edge.
- Email delivery: Resend — US-based infrastructure with EU Standard Contractual Clauses (SCCs) in place. Only transactional email metadata and recipient addresses are processed.
- AI processing: Anthropic — US-based. No student PII is transmitted. Anthropic does not train on API inputs and retains them only for a limited deletion window under its standard commercial terms. UK IDTA in place.
- Payment processing: Stripe — EU and US infrastructure. PCI DSS Level 1 compliant. Only school billing contacts processed (no student data).
No student personal data is stored outside the EU/UK. Where US-based sub-processors are used, appropriate transfer mechanisms (EU SCCs / UK IDTAs) are in place and data exposure is minimised.
5. Sub-processor register
The following sub-processors are engaged in the delivery of Chapter Schools:
| Sub-processor | Purpose | Location | DPA status |
|---|---|---|---|
| Supabase Inc. | Database hosting & authentication | EU (Ireland) | DPA signed |
| Cloudflare Inc. | Application hosting & CDN | Global (EU compliant) | DPA signed |
| Anthropic PBC | AI features (Chappy assistant) | US | DPA signed, no PII processed |
| Resend Inc. | Transactional email delivery | US | DPA signed, EU SCCs |
| Stripe Inc. | Payment processing | US / EU | DPA signed, PCI DSS Level 1 |
| Upstash | Task scheduling | EU | DPA signed |
| Wonde Ltd | MIS data sync | UK | DPA signed |
The Processor will notify subscribing schools of any changes to this sub-processor list with at least 30 days' notice, in accordance with our Data Processing Agreement.
6. Penetration testing and compliance
6.1 Testing
- Annual penetration testing planned with results available to subscribing schools on request
- Continuous dependency vulnerability scanning via automated tooling
- Regular security reviews of application code and infrastructure configuration
6.2 Sub-processor certifications
- Supabase: SOC 2 Type II certified
- Cloudflare: ISO 27001, SOC 2 Type II, PCI DSS certified
- Stripe: PCI DSS Level 1 certified
6.3 Regulatory compliance
- UK General Data Protection Regulation (UK GDPR) compliant
- Data Protection Act 2018 compliant
- Age Appropriate Design Code (Children's Code) considerations applied — platform designed for use with students aged 11–18
- Ofsted careers guidance requirements supported through Gatsby Benchmark tracking
7. Data retention and deletion
- Student data: Retained for the duration of the school's active subscription
- Data export: Available at any time on request in CSV and Excel formats via the platform's built-in export tools
- Post-termination: Schools have 30 days following subscription termination to export data. Full deletion of all school data completed within 90 days of termination.
- Audit logs: Retained for 12 months for security and compliance purposes, then automatically purged
- Right to erasure: Individual data subject erasure requests honoured within 30 days of receipt
- Backup retention: Backups containing deleted data are rotated and purged within the standard backup retention window
8. Incident response
Chapter Technologies Ltd maintains an incident response plan covering personal data breaches:
- School notification: As Processor, Chapter Technologies Ltd notifies affected schools without undue delay after becoming aware of a personal data breach, targeting within 24 hours, as required by UK GDPR Article 33(2). The notification includes the nature and scope of the breach, the categories and approximate number of data subjects and records affected, and remediation steps, so that the school as Controller can assess whether and how to notify the ICO.
- ICO notification: The 72-hour deadline in UK GDPR Article 33(1) applies to the school as Controller. Chapter Technologies Ltd provides the information the school needs to meet it, and notifies the ICO directly within 72 hours of becoming aware where it is itself the Controller for the data concerned.
- Incident response team: CTO, Data Protection Officer, and Customer Success lead
- Post-incident review: Root cause analysis conducted, remediation plan documented and shared with affected schools
- Communication: Clear, plain-language notifications sent to affected schools with guidance on any actions they may need to take
9. Contact information
For security inquiries, DPIA requests, or data protection questions:
- Data Protection Officer: To be appointed (contact via email below in the interim)
- Security inquiries: security@chapter.app
- General inquiries: hello@chapterschools.com
- ICO registration: Registration pending
Schools requiring a formal copy of this DPIA or additional security documentation for procurement purposes should contact us at hello@chapterschools.com with the subject line: Security Documentation Request — [School Name].