Groupcall and Data Protection

Read below to find out how we're dealing with GDPR compliance.

Our compliance

Groupcall has standardised policies to manage and protect the data that we process on behalf of our customers. We have significant experience in the education sector and in cloud computing, processing data for around 7.5 million students every day - our policies are driven by this experience, our ISO 27001 and ISO 9001 accreditations and our existing data protection compliance through our ICO registration.

As part of your preparation for GDPR we want to help you be fully aware of the steps Groupcall take to protect personal data throughout its lifecycle.

If you are an existing customer, we would encourage you to ensure you have read and digested our published addendum to your contract, available here:

Our parent company's position on Brexit no deal

Read more

How does Groupcall classify data?

Groupcall categorises data in two sets and each is treated with the same high level of discipline:

  • Customer data: this is the data we are processing on behalf of a Data Controller. This includes selected MIS data that has been made available to Groupcall in order to enable the products schools have purchased, and includes the data generated by use of Groupcall products by a customer, such as text messages. It is data that we are trusted custodians of but that we don’t own. In some cases, customer data doesn’t even reach Groupcall platforms because the processing takes place using our software installed in your school and in some cases it’s forwarded to other organisations, such as Xporter partners, based upon the Data Controller’s instruction to us. In all cases when handling customer data we only retrieve the minimum necessary data to achieve the duties asked of us. 

  • Business data: this is data which Groupcall is Data Controller for which we use to operate our business, such as billing and invoice information, anonymised product usage data, support cases, and marketing engagement. 

Personal data


Where customer data reaches our platforms, we store it exclusively on approved and compliant cloud infrastructure. We operate our products on Microsoft Azure Europe to ensure customer data is retained within the European Economic Area (EEA). The Microsoft Azure platform in Europe and the UK is rated “official” by the UK Government. We also use multiple protective layers within the Microsoft Azure platform to protect our services, including SQL and storage encryption, access rights management, service auditing, and firewalling. While Microsoft provides a secure platform through Azure, the security of our software is our own responsibility. Our product owners are all formally GDPR qualified and our design processes have security at their core. We routinely carry out vulnerability and penetration testing on our platforms and promptly address any issues identified.

We store business data within selected cloud platforms, including services like Salesforce. Our usage of these platforms is subject to our approval of their information security practices. We also work with and store selected business data at our premises in London and where appropriate we hold frequent disaster recovery backup copies of our business data with suitably secure cloud services within the EEA.

All transfers of customer data and business data use TLS 1.2 and/or AES encryption while being transferred. All of our computer devices are BitLocker encrypted to protect data in the event of theft.


Our retention policy permits a maximum of 12 months retention of customer data after a customer ceases services, unless we are instructed to securely dispose of it sooner. In the event of legal requirement or legal instruction we may retain it for longer. In practice we store most customer data for less than the maximum time, for example any customer data that becomes unrequired during service is typically retained for a maximum of six months before being disposed of, such as when a student leaves a school or a parental contact changes. Any customer data that is being held exclusively for the purposes of transfer to an approved third party, for example an Xporter partner, is disposed of within 30 days. 

We retain our business data in compliance with the multiple legal requirements that apply to UK businesses and, where relevant, the non-UK markets we operate in.


Customer data is ultimately obtained from the Data Controller, typically a school. If there is an error in customer data then it is usually best to resolve it in the school system, e.g. the MIS, and then synchronise this data with us to propagate the correction to our services and any connected services. In any other case we provide means to correct data generated within our systems, although we cannot alter audit logs or historic data such as messages that have already been sent. Any errors in Business Data can be corrected by contacting


All Groupcall products include access controls to allow you to control what data is accessible to your own users. On occasions where it is necessary to access customer data on behalf of a school, for example to investigate a specific support case, only approved Groupcall support and technical staff can access it. Groupcall staff are vetted and are subject to contractual data access policies and confidentiality clauses. We carry out DBS checking where appropriate.

In order to carry out business activities authorised Groupcall staff can access business data subject to access controls.

How does Groupcall monitor adherence to our policies?

  • Groupcall is externally audited every year for ISO 27001 and ISO 9001 accreditations
  • Our dedicated Data Protection Officer ensures our day-to-day compliance
  • We are Cyber Essentials certified - which means Our ICT defences protect agaisnt the vast majority of common cyber-attacks


           ISO-9001-colour.jpg      Groupcall is ISO 27001 certified

Cyber essentials badge

How do I make a Subject Access Request or implement
Right to be Forgotten?

Where Subject Access Requests and/or Right to be Forgotten are applicable to Customer Data in a Groupcall Product we provide, or will provide, means for authorised customer users to carry out such activities directly. If you wish to make a Subject Access Request regarding Business Data held by Groupcall please contact

If you would like further information on GDPR compliance in Groupcall products then please contact your Groupcall account manager. If you’re interested in tools to manage your own organisation’s GDPR compliance, please download our GDPR e-book:

Monitor the data you share with your 3rd party suppliers with Xporter on Demand

 Sign up today