Carousel takes GDPR and Data Privacy very seriously. You can find out more about our approach in two documents, which are both available online:
We do not have a separate Data Processing Agreement (DPA), but you will find all the information about our approach to data processing that you need in both of the above documents.
Maintain a secure, cloud-based product, with all data hosted using Amazon Web Services in Ireland.
Process the data received from schools for the purposes of education and school improvement ONLY, and we store and process the minimum data required to provide our services. For example, students access Carousel using a secure link plus their first name / last name as defined by a teacher. There is no other student data stored in the product. If you wish to keep student data out of the product entirely, you can do so by giving students nicknames or code words / numbers for their first name / last name.
Transport and store all personal data originating from schools using modern and best practice encryption technologies. This includes Secure Socket Layers (SSL/TLS) for encrypted data transfer over the internet, encryption of all data at rest, and secure access for all end users.
Only retain data for as long as required, and delete all your data if you ask us to do so.
Ensure that all data is held securely by taking steps so that data is not corrupted or lost.
Pledge to Report any significant breaches of security to the Data Controller, the Information Commissioner’s Office (ICO) and other authorities.
We DO NOT:
- Store or transport personal data outside of the EEA or outside of countries which are granted to have Adequate Levels of Protection as defined by the European Commission.
- Share your data with any third parties except where explicitly requested by you or required by law.
- Use Your data, made available via the Carousel platform, for the purposes of advertising or marketing, or for any purpose other than the service explicitly provided to You.
- Transport personal data originating from schools in an unencrypted format.
- Claim ownership or exclusive rights over any of the data processed or created as part of services provided to You.