Common use of Security Responsibilities Clause in Contracts

Security Responsibilities. Security is only as strong as the weakest link. We therefore need to work with you, the account holder, together with any staff and relatives you give permission to use Tapestry to ensure the overall system is secure. This annex explains what we do and what we hope you will do. The latest copy of this annex, together with our terms and conditions are always available in the control panel of your copy of Tapestry. Who are we? Tapestry is the name of a product that was conceived, developed and is owned by The Foundation Stage Forum Ltd., an early years organisation that has provided resources and support for the early years workforce since February 2003. We have contracts with many local authorities, some of which have been in place for ten or more years. The Foundation Stage Forum Ltd The Foundation Stage Forum Ltd is a VAT registered, private UK limited company. Our company number is 05757213. Our registered office is at: 0, Xxxxxxxxx Xxxxxx Xxxxx East Sussex BN7 1EL Our VAT registration number is 932933317. You can write to us at our registered office, or email us at xxxxxxxx.xxxxxxx@xxxx.xxxx. Our contracts are under UK law. We have two directors: Xxxxx and Xxxxxxx Xxxxxxx. Director: Xxxxxxx Xxxxxxx MSc Xxxxx is the founder of the FSF. He worked for many years as a technical manager for the telecommunications organisation Ericsson, having completed a Masters Degree in information systems. He became interested in the early years as a result of his wife (Xxxxx, see below) setting up a nursery in their home, and left Ericsson to set up the FSF in 2002 as a resource and support network for the early years workforce. He has been fully occupied with the FSF ever since, conceiving and driving the development of Tapestry as a part of this commitment. Xxxxx is the board member responsible for security. Director: Xxxxx Xxxxxxx DPhil Xxxxx has been working with young children since 1989, firstly as a primary school teacher, and then as a successful nursery owner/manager, followed by employment as a local authority advisor and university tutor, and more recently as an Ofsted inspector. She also holds the EYP status. Data Protection Officer: Xxxxxx Xxxxx Xxxxxx Xxxxx is our Data Protection Officer. Her direct email is xxx@xxxx.xxxx.xxx@xxxx.xxxx. Xxxxxx joined the Foundation Stage Forum in 2014 after graduating from the University of Birmingham. She was designated our data protection officer after completing GDPR training in November 2017. Data Protection Law We are compliant with UK data protection law. We describe our approach to data protection in Annex A. To summarise it in brief: You, the Tapestry account manager, own the data you put on Tapestry. We, Foundation Stage Forum Ltd, do not. In technical terms, you are the Data Controller, we are the Data Processor. We will only do things with data that you, or people that you give permission to, request. We will not access your data without your permission. We only use the data you enter to provide the service you see: an online learning journal that helps you to monitor the progress of children, communicate with parents and the government and manage your activities. To be absolutely clear: we don’t use the data for marketing; we don’t share the data with others to do marketing. You should be aware of your responsibilities as a data controller. You can find out more at the Information Commissioner’s Office website: xxxxx://xxx.xxx.xx/for-organisations/. You are responsible for making sure that you only put data on Tapestry where you have permission to do so. i.e., if a parent has agreed with you that no photos of their child should be taken, you are responsible for ensuring that none of the photos added to Tapestry depict that child. Access to data Only you, and those you authorise, will have access to your Tapestry accounts. You can restrict the people you authorise to only be able to view data about some children. If we need to access your account to sort out a problem you are having, we will ask your permission first. We will not give Tapestry account information, or access to your Tapestry account, to anyone other than those individuals you have set up as staff members. Relatives contacting us for access details will always be referred to you, the Tapestry account holder. Under the data protection act, individuals have a right to see a copy of information that an organisation holds about them. As the data controller, you will need to respond to those requests and we, as the data processor, will help you. This is normally easy, since you can always see and print the information you have entered. Deleting data when it is no longer needed You can modify and delete the data you enter. In the common case of children leaving your setting, you can move them into a ‘deleted’ area, where (after a delay of ninety days to avoid disastrous mistakes occurring) their data will be deleted (this includes relevant pictures, videos, journals and reports). You can instruct us to delete all your data at any time. But this is all or nothing. If you just want to delete some of your data, you will need to use the control panel in the system to do so yourself. If you let your subscription to Tapestry lapse, we will delete all data associated with it. We delay the deletion for 90 days in case your subscription has inadvertently lapsed (e.g., it happened while you are on holiday, or there was a delay in your Local Authority paying our invoice) but if you explicitly ask us to then we will delete your data immediately. Data will remain in our backups for 90 further days. If you wish, you can instruct us to to delete all your data from these backups. But it is all or nothing. We cannot delete some of your data on these backups. Once the data is deleted from our backups we can no longer recover it. Organisational data security ISO 27001 We are working towards becoming independently certified as ISO 27001 complaintcompliant. When we have achieved certification we will update this contract and provide you with access to the certification. Our data centercentre, Amazon Web Services, has been independently certified as ISO 27001 compliant. Staff We are careful in who we employ. All our staff with access to your data have been checked and cleared by the Disclosure and Barring Service (DBS) and we check their DBS status annually. The company that hosts our servers and databases, AWS, also vets their staff (though in practice we would never expect them to see your data). You are responsible for only giving access to Tapestry to people you trust and who actually need access. For instance, please remember to make staff inactive once they have left your service or if they are facing relevant disciplinary procedures. Please also ensure that, when you give access to relatives of children, you are careful to allocate them to the correct children, to enter their email address correctly, and to make them inactive once the child has left your setting. Procedures Our procedures are designed to minimise our access to your data. For example, we wouldn’t log into your account without your permission and even then would only do so if it was necessary to resolve a fault or problem you were experiencing. We are similarly careful with our suppliers. The company that hosts our servers and databases, AWS, operates on a similar principle of minimal access. They are ISO27001 accredited, which means they have a complete and appropriate set of security procedures. We would never expect them to need access to your data. It is important that you think about your procedures for what sort of data you put on Tapestry and what you allow your staff and relatives to do with it. For instance, you should think about: • Whether you give all staff access to data about all children, or just some children. • When it is appropriate for your staff to take and share photos and videos. • What instructions you should give to parents as to what is appropriate for them to add, and what they may do with material that you add (e.g., insisting no photos are uploaded to social media sites by parents without the written permission of the parents whose children are depicted in photos, videos or text.)

Security Responsibilities. Security is only as strong as the weakest link. We therefore need to work with you, the account holder, together with any staff staff, children and relatives you give permission to use Tapestry to ensure the overall system is secure. This annex explains what we do and what we hope you will do. The latest copy of this annex, together with our terms and conditions are always available in the control panel Control Panel of your copy of Tapestry. Who are we? Tapestry is the name of a product that was conceived, developed and is owned by The Foundation Stage Forum Ltd., an early years organisation that has provided resources and support for the early years workforce since February 2003. We have contracts with many local authorities, some of which have been in place for ten or more years. The Foundation Stage Forum Ltd The Foundation Stage Forum Ltd is a VAT registered, private UK limited company. Our company number is 05757213. Our registered office is at: 0, Xxxxxxxxx WaterCourt 00 Xxxx Xxxxxx Xxxxx East Sussex England BN7 1EL 1XG Our VAT registration number is 932933317. You can write to us at our registered office, or email us at xxxxxxxx.xxxxxxx@xxxx.xxxx. Our contracts are under UK English law. We have two directors: Xxxxx and Xxxxxxx Xxxxxxx. Director: Xxxxxxx Xxxxxxx MSc Xxxxx is the founder of the FSF. He worked for many years as a technical manager for the telecommunications organisation Ericsson, having completed a Masters Degree in information systems. He became interested in the early years as a result of his wife (Xxxxx, see below) setting up a nursery in their home, and left Ericsson to set up the FSF in 2002 as a resource and support network for the early years workforce. He has been fully occupied with the FSF ever since, conceiving and driving the development of Tapestry as a part of this commitment. Xxxxx is the board member responsible for security. Director: Xxxxx Xxxxxxx DPhil Xxxxx has been working with young children since 1989, firstly as a primary school teacher, and then as a successful nursery owner/manager, followed by employment as a local authority advisor and university tutor, and more recently as an Ofsted inspector. She also holds the EYP status. Data Protection Officer: Xxxxxx Xxxxx Xxxxxx Xxxxx is our Data Protection Officer. Her direct email is xxx@xxxx.xxxx.xxx@xxxx.xxxxxxx@xxxx.xxxx. Xxxxxx joined the The Foundation Stage Forum in 2014 after graduating from the University of Birmingham. She was designated our data protection officer after completing GDPR training in November 2017. Data Protection Law We are compliant with UK and EU data protection law. We describe our approach to data protection in Annex A. To summarise it in brief: You, the Tapestry account manager, own the data you put on Tapestry. We, The Foundation Stage Forum Ltd, do not. In technical terms, you are the Data Controller, we are the Data Processor. We will only do things with data that you, or people that you give permission to, request. We will not access your data without your permission. We only use the data you enter to provide provide, fix and improve the service you see: an online learning journal that helps you to monitor the progress of children, communicate with parents and the government and manage your activities. To be absolutely clear: we don’t use the data for marketing; we don’t share the data with others to do marketing. You should be aware of your responsibilities as a data controller. You can find out more at the Information Commissioner’s Office website: xxxxx://xxx.xxx.xx/for-organisations/. You are responsible for making sure that you only put data on Tapestry where you have permission to do so. i.e., if a parent has agreed with you that no photos of their child should be taken, you are responsible for ensuring that none of the photos added to Tapestry depict that child. Access to data Only you, and those you authorise, will have access to your Tapestry accounts. You can restrict the people you authorise to only be able to view data about some children. If we need to access your account to sort out a problem you are having, we will ask your permission first. We will not give Tapestry account information, or access to your Tapestry account, to anyone other than those individuals you have set up as staff members. Relatives contacting us for access details will always be referred to you, the Tapestry account holder. Under the data protection act, individuals have a right to see a copy of information that an organisation holds about them. As the data controller, you will need to respond to those requests and we, as the data processor, will help you. This is normally easy, since you can always see and print the information you have entered. Deleting data when it is no longer needed You can modify and delete the data you enter. In the common case of children leaving your setting, you can move them into a ‘deleted’ area, where (after a delay of ninety days to avoid disastrous mistakes occurring) their data will be deleted (this includes relevant pictures, videos, journals and reports). You can instruct us to delete all your data at any time. But this is all or nothing. If you just want to delete some of your data, you will need to use the control panel in the system Control Panel inside Tapestry to do so yourself. If you let your subscription to Tapestry lapse, we will delete all data associated with it. We delay the deletion for 90 days in case your subscription has inadvertently lapsed (e.g., it happened while you are on holiday, or there was a delay in your Local Authority paying our invoice) but if you explicitly ask us to then we will delete your data immediately. Data will remain in our backups for 90 further days. If you wish, you can instruct us to to delete all your data from these backups. But it is all or nothing. We cannot delete some of your data on these backups. Once the data is deleted from our backups we can no longer recover it. Organisational data security ISO 27001 We are working towards becoming independently certified as ISO 27001 complaintcompliantcompliant. When we have achieved certification we will update this contract and provide you with access to the certification. Our data centercentrecentre, Amazon Web Services, has been independently certified as ISO 27001 compliant. Staff We are careful in who we employ. All our staff with access to your data have been checked and cleared by the Disclosure and Barring Service (DBS) and we check their DBS status annually. The company that hosts our servers and databases, AWS, also vets their staff (though in practice we would never expect them to see your data). You are responsible for only giving access to Tapestry to people you trust and who actually need access. For instance, please remember to make staff inactive once they have left your service or if they are facing relevant disciplinary procedures. Please also ensure that, when you give access to relatives of children, you are careful to allocate them to the correct children, to enter their email address correctly, and to make them inactive once the child has left your setting. Procedures Our procedures are designed to minimise our access to your data. For example, we wouldn’t log into your account without your permission and even then would only do so if it was necessary to resolve a fault or problem you were experiencing. We are similarly careful with our suppliers. The company that hosts our servers and databases, AWS, operates on a similar principle of minimal access. They are ISO27001 accredited, which means they have a complete and appropriate set of security procedures. We would never expect them to need access to your data. It is important that you think about your procedures for what sort of data you put on Tapestry and what you allow your staff staff, children and relatives to do with it. For instance, you should think about: • Whether you give all staff access to data about all children, or just some children. • When it is appropriate for your staff to take and share photos and videos. • Whether you give access to children in school or at home, what guidance you give them about what is acceptable to add and what you will do if they add inappropriate material. • What instructions you should give to parents as to what is appropriate for them to add, and what they may do with material that you add (e.g., insisting no photos are uploaded to social media sites by parents without the written permission of the parents whose children are depicted in photos, videos or text.)

Security Responsibilities. Security is only as strong as the weakest link. We therefore need to work with you, the account holder, together with any staff and relatives you give permission to use Tapestry to ensure the overall system is secure. This annex explains what we do and what we hope you will do. The latest copy of this annex, together with our terms and conditions are always available in the control panel of your copy of Tapestry. Who are we? Tapestry is the name of a product that was conceived, developed and is owned by The Foundation Stage Forum Ltd., an early years organisation that has provided resources and support for the early years workforce since February 2003. We have contracts with many local authorities, some of which have been in place for ten or more years. The Foundation Stage Forum Ltd The Foundation Stage Forum Ltd is a VAT registered, private UK limited company. Our company number is 05757213. Our registered office is at: 0, Xxxxxxxxx Xxxxxx Xxxxx East Sussex BN7 1EL Our VAT registration number is 932933317. You can write to us at our registered office, or email us at xxxxxxxx.xxxxxxx@xxxx.xxxxxxxxxxxx.xxxxxxx@xxxx.xxxxxxxxxxxx.xxxxxxx@xxxx.xxxx. Our contracts are under UK law. We have two directors: Xxxxx and Xxxxxxx Xxxxxxx. Director: Xxxxxxx Xxxxxxx MSc Xxxxx is the founder of the FSF. He worked for many years as a technical manager for the telecommunications organisation Ericsson, having completed a Masters Degree in information systems. He became interested in the early years as a result of his wife (Xxxxx, see below) setting up a nursery in their home, and left Ericsson to set up the FSF in 2002 as a resource and support network for the early years workforce. He has been fully occupied with the FSF ever since, conceiving and driving the development of Tapestry as a part of this commitment. Xxxxx is the board member responsible for security. Director: Xxxxx Xxxxxxx DPhil Xxxxx has been working with young children since 1989, firstly as a primary school teacher, and then as a successful nursery owner/manager, followed by employment as a local authority advisor and university tutor, and more recently as an Ofsted inspector. She also holds the EYP status. Data Protection Officer: Xxxxxx Xxxxx Xxxxxx Xxxxx is our Data Protection Officer. Her direct email is xxx@xxxx.xxxx.xxx@xxxx.xxxxxxx@xxxx.xxxxxxx@xxxx.xxxx. Xxxxxx joined the Foundation Stage Forum in 2014 after graduating from the University of Birmingham. She was designated our data protection officer after completing GDPR training in November 2017. Data Protection Law We are compliant with UK data protection law. We describe our approach to data protection in Annex AAnnex A. To summarise it in brief: You, the Tapestry account manager, own the data you put on Tapestry. We, Foundation Stage Forum Ltd, do not. In technical terms, you are the Data Controller, we are the Data Processor. We will only do things with data that you, or people that you give permission to, request. We will not access your data without your permission. We only use the data you enter to provide the service you see: an online learning journal that helps you to monitor the progress of children, communicate with parents and the government and manage your activities. To be absolutely clear: we don’t use the data for marketing; we don’t share the data with others to do marketing. You should be aware of your responsibilities as a data controller. You can find out more at the Information Commissioner’s Office website: xxxxx://xxx.xxx.xx/for-organisations/. xxxxx://xxx.xxx.xx/for- organisations/xxxxx://xxx.xxx.xx/for-organisations/. You are responsible for making sure that you only put data on Tapestry where you have permission to do so. i.e., if a parent has agreed with you that no photos of their child should be taken, you are responsible for ensuring that none of the photos added to Tapestry depict that child. Access to data Only you, and those you authorise, will have access to your Tapestry accounts. You can restrict the people you authorise to only be able to view data about some children. If we need to access your account to sort out a problem you are having, we will ask your permission first. We will not give Tapestry account information, or access to your Tapestry account, to anyone other than those individuals you have set up as staff members. Relatives contacting us for access details will always be referred to you, the Tapestry account holder. Under the data protection act, individuals have a right to see a copy of information that an organisation holds about them. As the data controller, you will need to respond to those requests and we, as the data processor, will help you. This is normally easy, since you can always see and print the information you have entered. Deleting data when it is no longer needed You can modify and delete the data you enter. In the common case of children leaving your setting, you can move them into a ‘deleted’ area, where (after a delay of ninety days to avoid disastrous mistakes occurring) their data will be deleted (this includes relevant pictures, videos, journals and reports). You can instruct us to delete all your data at any time. But this is all or nothing. If you just want to delete some of your data, you will need to use the control panel in the system to do so yourself. If you let your subscription to Tapestry lapse, we will delete all data associated with it. We delay the deletion for 90 days in case your subscription has inadvertently lapsed (e.g., it happened while you are on holiday, or there was a delay in your Local Authority paying our invoice) but if you explicitly ask us to then we will delete your data immediately. Data will remain in our backups for 90 further days. If you wish, you can instruct us to to delete all your data from these backups. But it is all or nothing. We cannot delete some of your data on these backups. Once the data is deleted from our backups we can no longer recover it. Organisational data security ISO 27001 We are working towards becoming independently certified as ISO 27001 complaintcompliantcompliant. When we have achieved certification we will update this contract and provide you with access to the certification. Our data centercentrecentre, Amazon Web Services, has been independently certified as ISO 27001 compliant. Staff We are careful in who we employ. All our staff with access to your data have been checked and cleared by the Disclosure and Barring Service (DBS) and we check their DBS status annually. The company that hosts our servers and databases, AWS, also vets their staff (though in practice we would never expect them to see your data). You are responsible for only giving access to Tapestry to people you trust and who actually need access. For instance, please remember to make staff inactive once they have left your service or if they are facing relevant disciplinary procedures. Please also ensure that, when you give access to relatives of children, you are careful to allocate them to the correct children, to enter their email address correctly, and to make them inactive once the child has left your setting. Procedures Our procedures are designed to minimise our access to your data. For example, we wouldn’t log into your account without your permission and even then would only do so if it was necessary to resolve a fault or problem you were experiencing. We are similarly careful with our suppliers. The company that hosts our servers and databases, AWS, operates on a similar principle of minimal access. They are ISO27001 accredited, which means they have a complete and appropriate set of security procedures. We would never expect them to need access to your data. It is important that you think about your procedures for what sort of data you put on Tapestry and what you allow your staff and relatives to do with it. For instance, you should think about: • Whether you give all staff access to data about all children, or just some children. • When it is appropriate for your staff to take and share photos and videos. • What instructions you should give to parents as to what is appropriate for them to add, and what they may do with material that you add (e.g., insisting no photos are uploaded to social media sites by parents without the written permission of the parents whose children are depicted in photos, videos or text.)

Security Responsibilities. Security is only as strong as the weakest link. We therefore need to work with you, the account holder, together with any staff staff, children and relatives you give permission to use Tapestry to ensure the overall system is secure. This annex explains what we do and what we hope you will do. The latest copy of this annex, together with our terms and conditions are always available in the control panel Control Panel of your copy of Tapestry. Who are we? Tapestry is the name of a product that was conceived, developed and is owned by The Foundation Stage Forum Ltd., an early years organisation that has provided resources and support for the early years workforce since February 2003. We have contracts with many local authorities, some of which have been in place for ten or more years. The Foundation Stage Forum Ltd The Foundation Stage Forum Ltd is a VAT registered, private UK limited company. Our company number is 05757213. Our registered office is at: 0, Xxxxxxxxx WaterCourt 00 Xxxx Xxxxxx Xxxxx East Sussex England BN7 1EL 1XG Our VAT registration number is 932933317. You can write to us at our registered office, or email us at xxxxxxxx.xxxxxxx@xxxx.xxxx. Our contracts are under UK English law. We have two directors: Xxxxx and Xxxxxxx Xxxxxxx. Director: Xxxxxxx Xxxxxxx MSc Xxxxx is the founder of the FSF. He worked for many years as a technical manager for the telecommunications organisation Ericsson, having completed a Masters Degree in information systems. He became interested in the early years as a result of his wife (Xxxxx, see below) setting up a nursery in their home, and left Ericsson to set up the FSF in 2002 as a resource and support network for the early years workforce. He has been fully occupied with the FSF ever since, conceiving and driving the development of Tapestry as a part of this commitment. Xxxxx is the board member responsible for security. Director: Xxxxx Xxxxxxx DPhil Xxxxx has been working with young children since 1989, firstly as a primary school teacher, and then as a successful nursery owner/manager, followed by employment as a local authority advisor and university tutor, and more recently as an Ofsted inspector. She also holds the EYP status. Data Protection Officer: Xxxxxx Xxxxx Xxxxxx Xxxxx is our Data Protection Officer. Her direct email is xxx@xxxx.xxxx.xxx@xxxx.xxxxxxx@xxxx.xxxx. Xxxxxx joined the The Foundation Stage Forum in 2014 after graduating from the University of Birmingham. She was designated our data protection officer after completing GDPR training in November 2017. Data Protection Law We are compliant with UK and EU data protection law. We describe our approach to data protection in Annex A. To summarise it in brief: You, the Tapestry account manager, own the data you put on Tapestry. We, The Foundation Stage Forum Ltd, do not. In technical terms, you are the Data Controller, we are the Data Processor. We will only do things with data that you, or people that you give permission to, request. We will not access your data without your permission. We only use the data you enter to provide provide, fix and improve the service you see: an online learning journal that helps you to monitor the progress of children, communicate with parents and the government and manage your activities. To be absolutely clear: we don’t use the data for marketing; we don’t share the data with others to do marketing. You should be aware of your responsibilities as a data controller. You can find out more at the Information Commissioner’s Office website: xxxxx://xxx.xxx.xx/for-organisations/. You are responsible for making sure that you only put data on Tapestry where you have permission to do so. i.e., if a parent has agreed with you that no photos of their child should be taken, you are responsible for ensuring that none of the photos added to Tapestry depict that child. Access to data Only you, and those you authorise, will have access to your Tapestry accounts. You can restrict the people you authorise to only be able to view data about some children. If we need to access your account to sort out a problem you are having, we will ask your permission first. We will not give Tapestry account information, or access to your Tapestry account, to anyone other than those individuals you have set up as staff members. Relatives contacting us for access details will always be referred to you, the Tapestry account holder. Under the data protection act, individuals have a right to see a copy of information that an organisation holds about them. As the data controller, you will need to respond to those requests and we, as the data processor, will help you. This is normally easy, since you can always see and print the information you have entered. Deleting data when it is no longer needed You can modify and delete the data you enter. In the common case of children leaving your setting, you can move them into a ‘deleted’ area, where (after a delay of ninety days to avoid disastrous mistakes occurring) their data will be deleted (this includes relevant pictures, videos, journals and reports). You can instruct us to delete all your data at any time. But this is all or nothing. If you just want to delete some of your data, you will need to use the control panel in the system Control Panel inside Tapestry to do so yourself. If you let your subscription to Tapestry lapse, we will delete all data associated with it. We delay the deletion for 90 days in case your subscription has inadvertently lapsed (e.g., it happened while you are on holiday, or there was a delay in your Local Authority paying our invoice) but if you explicitly ask us to then we will delete your data immediately. Data will remain in our backups for 90 further days. If you wish, you can instruct us to to delete all your data from these backups. But it is all or nothing. We cannot delete some of your data on these backupsbackupsBackups are only accessible by a subset of our staff who are authorised to recover data and, like all our staff, vetted and bound by a strict confidentiality requirement. As with all your data, we will only access backup data in cases that you’d expect: if you explicitly ask us to in order to check or restore something, or if something goes wrong with the main copy of your data that requires restoring from backup. Once those 90 days have passed, the data is iswill automatically be permanently deleted from our backups we can can. At this point it will no longer recover ititbe recoverable. Organisational data security ISO 27001 We are working towards becoming independently certified as ISO 27001 complaintcompliantcompliant. When we have achieved certification we will update this contract and provide you with access to the certification. Our data centercentrecentre, Amazon Web Services, has been independently certified as ISO 27001 compliant. Staff We are careful in who we employ. All our staff with access to your data have been checked and cleared by the Disclosure and Barring Service (DBS) and we check their DBS status annually. The company that hosts our servers and databases, AWS, also vets their staff (though in practice we would never expect them to see your data). You are responsible for only giving access to Tapestry to people you trust and who actually need access. For instance, please remember to make staff inactive once they have left your service or if they are facing relevant disciplinary procedures. Please also ensure that, when you give access to relatives of children, you are careful to allocate them to the correct children, to enter their email address correctly, and to make them inactive once the child has left your setting. Procedures Our procedures are designed to minimise our access to your data. For example, we wouldn’t log into your account without your permission and even then would only do so if it was necessary to resolve a fault or problem you were experiencing. We are similarly careful with our suppliers. The company that hosts our servers and databases, AWS, operates on a similar principle of minimal access. They are ISO27001 accredited, which means they have a complete and appropriate set of security procedures. We would never expect them to need access to your data. It is important that you think about your procedures for what sort of data you put on Tapestry and what you allow your staff staff, children and relatives to do with it. For instance, you should think about: • Whether you give all staff access to data about all children, or just some children. • When it is appropriate for your staff to take and share photos and videos. • Whether you give access to children in school or at home, what guidance you give them about what is acceptable to add and what you will do if they add inappropriate material. • What instructions you should give to parents as to what is appropriate for them to add, and what they may do with material that you add (e.g., insisting no photos are uploaded to social media sites by parents without the written permission of the parents whose children are depicted in photos, videos or text.)

Security Responsibilities. Security is only as strong as the weakest link. We therefore need to work with you, the account holder, together with any staff and relatives you give permission to use Tapestry to ensure the overall system is secure. This annex explains what we do and what we hope you will do. The latest copy of this annex, together with our terms and conditions are always available in the control panel of your copy of Tapestry. Who are we? Tapestry is the name of a product that was conceived, developed and is owned by The Foundation Stage Forum Ltd., an early years organisation that has provided resources and support for the early years workforce since February 2003. We have contracts with many local authorities, some of which have been in place for ten or more years. The Foundation Stage Forum Ltd The Foundation Stage Forum Ltd is a VAT registered, private UK limited company. Our company number is 05757213. Our registered office is at: 0, Xxxxxxxxx WaterCourt 00 Xxxx Xxxxxx Xxxxx East Sussex England BN7 1EL 1XG Our VAT registration number is 932933317. You can write to us at our registered office, or email us at xxxxxxxx.xxxxxxx@xxxx.xxxx. Deleted: UK Our contracts are under UK English law. We have two directors: Xxxxx and Xxxxxxx Xxxxxxx. Director: Xxxxxxx Xxxxxxx MSc Xxxxx is the founder of the FSF. He worked for many years as a technical manager for the telecommunications organisation Ericsson, having completed a Masters Degree in information systems. He became interested in the early years as a result of his wife (Xxxxx, see below) setting up a nursery in their home, and left Ericsson to set up the FSF in 2002 as a resource and support network for the early years workforce. He has been fully occupied with the FSF ever since, conceiving and driving the development of Tapestry as a part of this commitment. Xxxxx is the board member responsible for security. Director: Xxxxx Xxxxxxx DPhil Xxxxx has been working with young children since 1989, firstly as a primary school teacher, and then as a successful nursery owner/manager, followed by employment as a local authority advisor and university tutor, and more recently as an Ofsted inspector. She also holds the EYP status. Data Protection Officer: Xxxxxx Xxxxx Xxxxxx Xxxxx is our Data Protection Officer. Her direct email is xxx@xxxx.xxxx.xxx@xxxx.xxxxxxx@xxxx.xxxx. Xxxxxx joined the The Foundation Stage Forum in 2014 after graduating from the University of Birmingham. She was designated our data protection officer after completing GDPR training in November 2017. Data Protection Law We are compliant with UK and EU data protection law. We describe our approach to data protection in Annex A. To summarise it in brief: You, the Tapestry account manager, own the data you put on Tapestry. We, The Foundation Stage Forum Ltd, do not. In technical terms, you are the Data Controller, we are the Data Processor. We will only do things with data that you, or people that you give permission to, request. We will not access your data without your permission. We only use the data you enter to provide provide, fix and improve the service you see: an online learning journal that helps you to monitor the progress of children, communicate with parents and the government and manage your activities. To be absolutely clear: we don’t use the data for marketing; we don’t share the data with others to do marketing. Deleted: to You should be aware of your responsibilities as a data controller. You can find out more at the Information Commissioner’s Office website: xxxxx://xxx.xxx.xx/for-organisations/. You are responsible for making sure that you only put data on Tapestry where you have permission to do so. i.e., if a parent has agreed with you that no photos of their child should be taken, you are responsible for ensuring that none of the photos added to Tapestry depict that child. Access to data Only you, and those you authorise, will have access to your Tapestry accounts. You can restrict the people you authorise to only be able to view data about some children. If we need to access your account to sort out a problem you are having, we will ask your permission first. We will not give Tapestry account information, or access to your Tapestry account, to anyone other than those individuals you have set up as staff members. Relatives contacting us for access details will always be referred to you, the Tapestry account holder. Under the data protection act, individuals have a right to see a copy of information that an organisation holds about them. As the data controller, you will need to respond to those requests and we, as the data processor, will help you. This is normally easy, since you can always see and print the information you have entered. Deleting data when it is no longer needed You can modify and delete the data you enter. In the common case of children leaving your setting, you can move them into a ‘deleted’ area, where (after a delay of ninety days to avoid disastrous mistakes occurring) their data will be deleted (this includes relevant pictures, videos, journals and reports). You can instruct us to delete all your data at any time. But this is all or nothing. If you just want to delete some of your data, you will need to use the control panel in the system to do so yourself. If you let your subscription to Tapestry lapse, we will delete all data associated with it. We delay the deletion for 90 days in case your subscription has inadvertently lapsed (e.g., it happened while you are on holiday, or there was a delay in your Local Authority paying our invoice) but if you explicitly ask us to then we will delete your data immediately. Data will remain in our backups for 90 further days. If you wish, you can instruct us to to delete all your data from these backups. But it is all or nothing. We cannot delete some of your data on these backups. Once the data is deleted from our backups we can no longer recover it. Organisational data security ISO 27001 We are working towards becoming independently certified as ISO 27001 complaintcompliantcompliant. When we have achieved certification we will update this contract and provide you with access to the certification. Our data centercentrecentre, Amazon Web Services, has been independently certified as ISO 27001 compliant. Staff We are careful in who we employ. All our staff with access to your data have been checked and cleared by the Disclosure and Barring Service (DBS) and we check their DBS status annually. The company that hosts our servers and databases, AWS, also vets their staff (though in practice we would never expect them to see your data). You are responsible for only giving access to Tapestry to people you trust and who actually need access. For instance, please remember to make staff inactive once they have left your service or if they are facing relevant disciplinary procedures. Please also ensure that, when you give access to relatives of children, you are careful to allocate them to the correct children, to enter their email address correctly, and to make them inactive once the child has left your setting. Procedures Our procedures are designed to minimise our access to your data. For example, we wouldn’t log into your account without your permission and even then would only do so if it was necessary to resolve a fault or problem you were experiencing. We are similarly careful with our suppliers. The company that hosts our servers and databases, AWS, operates on a similar principle of minimal access. They are ISO27001 accredited, which means they have a complete and appropriate set of security procedures. We would never expect them to need access to your data. It is important that you think about your procedures for what sort of data you put on Tapestry and what you allow your staff and relatives to do with it. For instance, you should think about: • Whether you give all staff access to data about all children, or just some children. • When it is appropriate for your staff to take and share photos and videos. • What instructions you should give to parents as to what is appropriate for them to add, and what they may do with material that you add (e.g., insisting no photos are Deleted: an uploaded to social media sites by parents without the written permission of the parents whose children are depicted in photos, videos or text.)