Skip to content

Our GDPR Commitment

The European legislation called the General Data Protection Regulation (GDPR) is designed to protect all European citizens' personal data and is law in every European country. In 2016 we worked towards GDPR compliance updating our internal processes and procedures as well as updates to the MySchool platform itself.

MySchool processes all data in compliance with GDPR requirements.

You can reach our Data Protection Officer by emailing

MySchool GDPR readiness

MySchool began preparing for the GDPR in 2016 by ensuring it's internal data protection practices measured up to globally recognised security standards with it's ISO/IEC 27001:2013 certification.
Through ISO27001, we have over 110 annually audited security 'controls' in place which govern our operations, including risk management processes, business continuity and disaster recovery procedures, full data encryption and strict back-up procedures.
We have appointed a Data Protection Officer (DPO) to oversee all data privacy-related activities.
We have rewritten our Privacy Policy which primarily affects visitors to our website
We have updated our incident response and breach reporting procedures to be compliant with GDPR.
We have added a Data Protection Impact Assessment (DPIA) procedure to our development processes where sensitive data is concerned.

We have a GDPR compliant Data Processing Addendum available for our European customers. (please contact us if you wish to sign the DPA)
All 'service data' is processed in the EU. 'Service data' is all data our customers process and store in MySchool.
All sub-processors have been vetted and are fully GDPR compliant. We do not and will never use sub-processors that do not measure up to strict data protection standards, including those of the GDPR.


What do our customers need to do?

In data protection language, Schools are known as 'controllers' and have ultimate responsibility and control over their student, parent and staff personal data. MySchool is a 'processor' and acts only on instructions given by controllers. MySchool has ensured it's technology and practices are in line with the GDPR. 

Although the MySchool system is compliant with GDPR, like any tool or system, it does not automatically make our customers GDPR compliant. You must ensure your own policies and procedures are in compliance with the new regulations.


MySchool uses certain specialised sub-processors in order to provide the highest possible quality service to its customers. A sub-processor is a third-party provider used to process data within the MySchool ecosystem. MySchool uses a diligent selection process to choose which third-party providers it will work with to ensure each one meets GDPR requirements and that our customer's personal data is properly protected.

For customers that have signed the MySchool DPA, MySchool will provide notice via email of updates to its sub-processors. A customer may raise an objection, describing its legitimate reason for the objection to the appointment of a new sub-processor, within 30 days of receiving the notice. If no such objections are raised, MySchool will deem the sub-processor decision to be accepted. MySchool reserves the right to address the situation in any of the following ways: a) cease use of the sub-processor, b) modify its use of the sub-processor such that it removes the original objection c) cease provision of all services to the customer or the specific part of the service that the customer has objected to.

The following is a list of sub-processors used by the MySchool application to process 'service data'.

Sub-Processor Activity Location
Amazon Web Services Cloud Services Dublin, Ireland, EU
Zendesk Support Platform San Francisco, California, USA
Twilio Communication San Francisco, California, USA
Mailchimp Communication Atlanta, Georgia, USA