Answers to the commonly asked questions about Smart Revise:
What is your company name / address / co. number?
See our entry filed with Companies House:
IT systems
What IT system is used to store data?
Microsoft Azure cloud services.
Authentication
What options for account integration are available?
Microsoft Entra ID / Office 365 or Google.
Is multi factor authentication available?
Two-factor authentication protects all administration accounts.
Users can enable 2FA by using the SSO options from Microsoft or Google.
Policies, standards and training
Do you have cyber security policies?
Yes, reviewed annually by our compliance officer, Sam Sargent.
What standards do you comply with?
Cybersecurity essentials: proves to organisations that newly certified team members understand fundamental security principles and operations, network security and access controls and that they have the skills to meet and exceed performance standards in their roles.
We are exploring ISO 27001 and Cyber Essentials Plus.
We comply with DPA/GDPR and the children's code.
What training do your staff receive on data handling?
All receive annual data protection and data handling training organised and monitored by our compliance officer, Sam Sargent.
What is your password policy?
Administrator accounts are protected by 2FA. Student & teacher accounts can use Microsoft or Google SSO and their minimum password strength requirements. If no third-party SSO authentication is used, a minimum of 8 characters is required. This allows teachers to avoid the frustration of students not being able to log in or remember their password, as they can use the password required by the school to log into the school network. Although using the same password for multiple systems should be discouraged, with some students this is required for accessibility.
Are there sufficient and appropriately trained personnel to protect the data and/or service at issue and respond to incidents?
Yes, our technical director and lead developer has 30 years' experience developing cloud-based IT systems for national infrastructure.
Do you have human resources practices e.g. background screening employees, cybersecurity training, monitoring for unauthorised access and the handling of terminations?
Yes. Appropriate references are sourced for all employees. Access to systems is limited and opened as their experience develops. All employees have annual cyber security training. Systems have appropriate logs. Access to systems is immediately rescinded when employment is terminated.
Do you have change control management?
Code undergoes peer review before being staged on a testing server. If QA is passed, builds are held on a staging server. Change control is provided by Azure DevOps. Only senior developers have the capability and knowledge to deploy new builds to live production. These can be rolled back as necessary.
Testing
What regular testing do you run on your systems?
Vulnerability scans are run on a regular basis on the Azure estate by Azure Defender and the codebase build process. Development tools include checks for vulnerable libraries. This includes white-hat penetration testing.
Service levels
Have you experienced any cybersecurity incidents in the past?
No.
Do you have incident response plans including the collecting and retention of data to be presented to a court?
There are internal plans to handle response to serious incidents. This would include the retention of relevant data to be presented to a court should that ever be necessary.
What is the service level agreement including uptime levels?
We do not currently provide SLAs on uptime, but historically it has been better than 99%, with only one unplanned outage to date due to global infrastructure issues beyond our control. We do have regular updates (once or twice a month) out of school hours - normally 11pm on a Friday - that last between 10-30 minutes, and a two-day maintenance downtime on a weekend in the summer holidays.
How timely are security issues resolved?
Within 7-14 days at a minimum. We endeavour to fix any issues on the day they are discovered.
What levels of resilience do you have built in for business continuity/failover?
The estate is hosted on Microsoft Azure. Extra server instances are automatically added to the web farm based on demand, with monitoring and automatic swap for unhealthy instances. The CI/CD architecture and the public-facing security layer provided by Cloudflare mean that in the event of a catastrophic datacentre event, the entire estate can be redeployed to a new datacentre and traffic redirected within 48-72 hours.
What DoS / DDoS protection do you have?
Cloudflare.
Backup, recovery and retention
How is data backed up and how often is this done?
Backups are zone redundant (not geographically spread, but spread across three different regions in case of datacentre disaster). Full backups are made weekly, differential backups every 12 or 24 hours depending on activity. Transaction log backups are made approximately every 10 minutes.
What is the backup retention policy?
7 days.
Are there any backup requirements for the school to consider?
No.
What are the Recovery Point Objective (RPO) & Recovery time objective (RTO) for the data you hold on our behalf?
20 minutes.
What is the data retention period?
Accounts are deleted after 5 years if they become inactive. Progress data is stored for a maximum of 4 years to cover a course with a shelf-life of 3 years and a year for teachers to download data. In any case, progress data is deleted 1 year after a course series expires. E.g. Summer 2025 exam data expires in Summer 2026.
Delete queries run on the database.
Data transfer / EDI
Is any data transfer required (either regularly or one off)?
No.
None. Teachers and students create their own accounts on Smart Revise and link to each other via a Smart Revise class code.
What security arrangements are there for data at rest and in transit?
The estate is held on Microsoft Azure SQL instances. Data is encrypted at rest and in transit via HTTPS. Direct access to server instances is restricted by firewall. Digital certificates and asymmetric encryption are used.
Does personal data leave the Smart Revise system, i.e. to third-party vendors?
No. Data required for AI marking is anonymous. Stripe is used to process the purchase of course vouchers by credit/debit card although PO/invoice is an alternative option for schools to pay by BACS.
Authorised access to data
What levels of access do you have for different users?
Users sign up as teacher or student. Administration accounts are restricted to seven employees at CraignDave Ltd. Teachers can approve other teachers to join shared classes to see login and progress data for their students. Students can join a class if the class code is shared by the teacher.
Do you apply the principle of least privilege?
Yes, we adopt the principle of least privilege. Not all our directors, employees and developers have access to the underlying data. They have access only to what they need to fulfil their role.
Data location and hosting
Where is data stored?
On the Microsoft Azure estate in the United Kingdom and Ireland.
Do you use dedicated hosting?
Yes.
What physical security do you have?
Data is held on Microsoft Azure. No data is held locally. All resilience and disaster recovery is provided by Microsoft.
Remote access
What remote access to school systems is required?
None.
Software
Is any client software required?
A web browser.
What are the device support requirements?
None.
What are the device hardware requirements?
Any device capable of running a web browser.
How often is the software updated?
Usually once per month.
Secondary use of data
Is there any secondary use of data?
There is no secondary use of data beyond the requirements to deliver and update the platform. E.g. identifying questions in the global data set that are being answered least well may indicate we can improve the wording of the question.