TASC Software GDPR Compliance Statement

Updated 5th December 2025

Introduction

TASC Software Solutions Ltd is committed to protecting the privacy, security, and rights of individuals whose data we process. As a trusted provider of software solutions to the education sector, we comply fully with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This statement summarises how we meet our responsibilities as both a Data Processor (for customer data within our products) and a Data Controller (for business operations such as CRM, support, and marketing).

Our Commitment to Data Protection

We maintain comprehensive policies, procedures and security controls to ensure personal data is processed lawfully, fairly, and securely. Our compliance approach includes:

  • Regular GDPR and data protection training for all staff
  • A maintained Record of Processing Activities (ROPA)
  • Clear identification of lawful bases for all processing activities
  • Formal procedures for data handling, deletion, Data Subject Access Requests (DSARs) and objections
  • Ongoing assessment of privacy risks and security measures
  • Regular review of contracts, supplier agreements and third‑party processors
  • Strong alignment with our Information Security Management System (ISMS)

Role of TASC as Data Processor

When schools and organisations use TASC products, they act as the Data Controller and TASC acts as the Data Processor. This means the school determines the purpose and nature of the data processing, and TASC processes that data only on their documented instructions.

As a Data Processor, we:

  • Process customer data securely and only for agreed purposes
  • Apply encryption in transit and at rest
  • Maintain strict access controls and audit trails
  • Host customer data within the UK using Amazon Web Services (AWS)
  • Support customers’ Article 30 documentation and data governance
  • Ensure staff handling customer data are vetted and trained
  • Assist with DSARs, data exports and secure deletions on request

Role of TASC as Data Controller

TASC is the Data Controller for limited categories of business-related data, such as CRM contact information, support queries, and marketing communication preferences. In these cases, we:

  • Process data only for legitimate business purposes
  • Provide clear privacy information to individuals
  • Honour all UK GDPR data subject rights
  • Retain data only for as long as necessary
  • Secure all internal systems following ISO 27001 principles

Data Hosting and Security

Our products and customer data are hosted within the UK on AWS infrastructure. AWS provides high-assurance physical and technical safeguards, including certifications such as ISO 27001, SOC 2 and CSA STAR. TASC applies additional layers of security, including:

  • Encryption, firewalls and access monitoring
  • Secure software development and testing practices
  • Regular vulnerability assessments
  • Backup and resilience measures
  • Strict control of access to production systems

Technical Support and Customer Data Transfers

In some cases, and only with customer agreement, we may receive database extracts or files to investigate support issues. We treat this data with the highest level of care. Our responsibilities include:

  • Secure transfer using approved encrypted channels
  • Restricted access to authorised personnel only
  • Processing solely for troubleshooting purposes
  • Secure deletion immediately after investigations conclude
  • Logging and oversight of temporary data handling activities

Customer Responsibilities

As Data Controllers, schools and organisations remain responsible for ensuring the lawful collection and use of data within their systems. They must determine the lawful basis of processing and ensure appropriate privacy notices are communicated to individuals.  

Our software supports this by providing dedicated tools that allow Data Controllers to review and document lawful bases for data categories used in the platform.

Retention and Deletion

We store customer data only for as long as required to provide contracted services. All data remains the property of the customer. At the end of a contract, customers may export their data, and TASC will permanently delete all hosted copies in accordance with our Data Protection Policy and secure deletion procedures.

Contact

For GDPR or data protection enquiries, please contact:

Stuart James

Email: sales@tascsoftware.co.uk

Address: Creative Industries, Wolverhampton Science Park, Wolverhampton, WV10 9TG

You may also lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk.
