2Simple Data Protection: Frequently Asked Questions
These Data Protection FAQs are intended to support customers in understanding how 2Simple approaches data protection across its products and services. They address common questions raised by schools and organisations, including those that may arise during Data Protection Impact Assessments (DPIAs), and are designed to provide clear, practical reassurance about how personal data is handled.
1. What data protection laws does 2Simple comply with?
We comply with the UK GDPR, the Data Protection Act 2018, and relevant ICO guidance, as well as applicable data protection laws and guidance in other jurisdictions.
2. How does 2Simple protect personal data?
2Simple uses appropriate technical and organisational measures, including encryption in transit, access controls, secure authentication, monitoring, backups, vulnerability management, secure development practices, staff training, and incident response processes.
3. Is 2Simple a data controller or data processor?
For pupil, parent, and staff personal data processed through 2Simple products, we usually act as a data processor and our customers usually act as the data controller.
4. Does 2Simple carry out Data Protection Impact Assessments (DPIAs)?
We assess privacy risks for our platform and support customers with information needed for their own Data Protection Impact Assessments, including details about data categories, purposes, hosting, sub-processors, retention, and security measures.
Use of 2Simple products by our customers does not involve processing special category personal data. On this basis, a Data Protection Impact Assessment by an education provider would not normally be required under data protection law. However, some customers may choose to undertake DPIAs, and we are happy to provide information to support this. Please contact support@2simple.com with any questions.
5. Does 2Simple have a Data Processing Agreement?
Yes, our Data Processing Agreement includes UK GDPR Article 28 terms, including documented instructions, confidentiality, security, sub-processors, breach support, data subject rights assistance, audits, deletion or return, and international data transfer safeguards.
6. Does 2Simple use personal data for advertising or marketing?
2Simple does not use pupil, learner, or classroom data for advertising or profiling for marketing purposes.
7. Does 2Simple sell customer personal data?
2Simple does not sell customer personal data or share it with any third parties except its sub-processors to support provision of 2Simple products and services.
8. Where does 2Simple host personal data?
2Simple uses secure cloud infrastructure within the European Economic Area. Where data is transferred outside the UK, we use appropriate safeguards such as UK adequacy regulations, the UK International Data Transfer Agreement, or the UK Addendum.
9. How does 2Simple handle data subject rights?
Where 2Simple acts as a data processor, we support education providers with requests from pupils, parents, staff, or other individuals. Where 2Simple acts as a data controller, we respond directly to requests in accordance with UK data protection law.
10. How long does 2Simple retain personal data?
2Simple retains personal data only for as long as needed to provide the service, meet contractual and legal obligations, maintain security, and support agreed backup or deletion processes.
11. Does 2Simple follow age-appropriate design principles?
2Simple considers the ICO Children’s Code and applies proportionate safeguards, including privacy by design, data minimisation, clear controls, and avoiding unnecessary profiling.
12. Further questions
Please contact support@2simple.com with any further questions on data protection.