Information for Due Diligence and DPIAs
This document is designed to assist schools and organisations in conducting supplier due diligence, monitoring ongoing compliance, and completing a Data Protection Impact Assessment (DPIA) when implementing Signal's safeguarding platform.
Last updated: March 2026. This document is not a DPIA itself — it provides the information you need to complete your own assessment.
Terms and Conditions
Where can I find Signal's Terms and Conditions?
Do I need a separate Data Processing Agreement (DPA)?
Do I need a separate Data Sharing Agreement (DSA)?
No. Signal acts as a Data Processor, not a co-Controller. Your organisation instructs Signal to process data on its behalf — there is no data sharing arrangement. The DPA covers the controller-processor relationship.
Governance and Accountability
Does Signal have a Data Protection Officer?
Yes. Signal maintains a designated Data Protection Officer contactable at dpo@signalschools.co.uk. The DPO oversees our data protection compliance programme and is the primary point of contact for data protection enquiries.
Does Signal maintain Records of Processing Activities (ROPAs)?
Yes. We maintain Records of Processing Activities as both a Controller (for our own business data) and as a Processor (for customer safeguarding data), in accordance with UK GDPR Article 30.
What data protection training do Signal staff receive?
All staff with access to customer data receive data protection and security awareness training. This training covers UK GDPR principles, data handling procedures, incident reporting, and the specific sensitivity of safeguarding data.
Implementation and Data Import
How is Signal set up for a new school?
After receiving your setup information, we provision a dedicated tenant for your organisation. Your school decides which categories of personal data to import. Data can be imported via secure file upload or entered manually by your staff.
What training is available?
We provide comprehensive onboarding including video tutorials and documentation. Our support team is available to assist with setup and ongoing use of the platform.
Data to be Processed
What categories of personal data does Signal process?
- Student information: Names, dates of birth, identifiers, year groups
- Safeguarding records: Incident descriptions, categories, severity levels, concerns
- Special category data: Health information, safeguarding concerns, wellbeing data
- Staff information: Names, roles, contact details
- Parent/guardian data: Contact information and relationship details
- Documents: Uploaded files and attachments
Full details are set out in our Data Processing Agreement.
Where is data stored?
All customer data is encrypted and stored in the United Kingdom using Microsoft Azure UK South and UK West data centres. Data is never transferred outside the UK without explicit consent and appropriate safeguards.
Is data encrypted?
Yes. All data is encrypted at rest using AES-256 encryption and encrypted in transit using TLS 1.3 or higher.
Sub-processors
What sub-processors does Signal use?
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Cloud infrastructure, hosting, database, and storage | United Kingdom |
| Microsoft Azure OpenAI Service | AI model hosting for safeguarding analysis features (incident analysis, summaries, action plans, AI assistant). Prompts and completions are processed but not stored by the model. See AI Data Processing section below. | United Kingdom |
| Rebound | Transactional email delivery (30-day log retention) | Ireland (EU) |
All sub-processors are bound by data processing agreements compliant with UK GDPR Article 28. We provide at least 30 days' notice before engaging new sub-processors.
Can sub-processors access customer data?
Microsoft Azure hosts our infrastructure but does not have access to unencrypted customer data. Azure OpenAI processes prompts and generates responses to power AI features — prompts and completions are not stored by the model and are not used to train or improve any models (see AI Data Processing below). Rebound processes only the email addresses and content necessary for transactional email delivery, with a 30-day log retention period.
AI Data Processing
Who hosts Signal's AI models?
Signal uses Microsoft Azure OpenAI Service to host all AI models. Azure OpenAI is an enterprise-grade service hosted entirely within Microsoft's Azure environment. It does not interact with OpenAI's consumer services (such as ChatGPT or the OpenAI API).
Is our data used to train AI models?
No. Under Microsoft's enterprise data privacy commitments for Azure OpenAI, your data is protected by the following guarantees:
- Your prompts (inputs) and completions (outputs) are not used to train, retrain, or improve any AI foundation models
- Your data is not available to OpenAI or any other third party
- Your data is not available to other customers
- Your data is not used to improve Microsoft or third-party products or services
These commitments are set out in Microsoft's data privacy documentation and the Microsoft Products and Services Data Protection Addendum.
How are AI prompts and responses handled?
When Signal's AI features process your data (for example, analysing an incident description or generating an action plan), your input is sent as a prompt to the Azure OpenAI Service, which generates a response. The AI models are stateless:
- No prompts or completions are stored in the AI model
- Prompts and responses are processed within the customer-specified geography (UK)
- Content is filtered through Microsoft's built-in guardrails to prevent harmful content generation
- No data from the AI processing is retained by the model after the response is generated
What about Microsoft's abuse monitoring?
Azure OpenAI includes an abuse monitoring system designed to detect misuse. Signal has opted in to Microsoft's managed customer programme, which means prompts and completions are not stored for human review. Automated abuse detection may still occur at the time of processing, but no data is retained by the abuse monitoring system.
Data Subject Requests
How are Data Subject Access Requests (DSARs) handled?
As Data Processor, Signal supports schools in responding to DSARs. Requests received directly by Signal are referred to the relevant school as Data Controller. We provide tools within the platform to facilitate data export and search capabilities to assist with DSAR fulfilment.
Can data subjects contact Signal directly?
Data subjects (students, parents, staff) should direct their requests to the school as Data Controller. If Signal receives a request directly, we will promptly refer it to the relevant school and assist as needed.
Personal Data Breaches
What is Signal's breach notification process?
Signal will notify affected customers of any personal data breach without undue delay and, wherever possible, within 24 hours of becoming aware of it. Notification will be made by email to the designated contact. We will provide details of the nature of the breach, affected data categories, and measures taken or proposed to mitigate harm.
Will Signal assist with breach investigations?
Yes. We will investigate the breach, take appropriate measures to contain and remediate it, and provide reasonable assistance to the school in meeting their breach notification obligations to the ICO and data subjects.
Security
What security certifications does Signal hold?
Signal's security practices are informed by industry standards including ISO 27001 principles. We are not currently ISO 27001 certified. We implement comprehensive technical and organisational measures covering:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Role-based access control with granular permissions
- Multi-factor authentication and passwordless login (WebAuthn/passkeys)
- Comprehensive audit logging
- Web Application Firewall protection
- DDoS mitigation and rate limiting
Microsoft Azure, our hosting provider, maintains SOC 2 Type II and ISO 27001 certifications.
Does Signal conduct security testing?
Yes. Automated security testing is integrated into our software development lifecycle. This includes static code analysis, vulnerability scanning, and automated dependency scanning to ensure third-party components remain secure and up to date.
Who has access to customer data within Signal?
Access to customer data within Signal is strictly limited to personnel who require it for service delivery and support. All access is subject to role-based controls and comprehensive audit logging. All staff undergo DBS (Disclosure and Barring Service) checks and receive data protection training.
Business Continuity and Disaster Recovery
How does Signal ensure service availability?
Signal targets 99.9% uptime using Microsoft Azure's multi-region UK infrastructure with automated failover. We maintain 24/7 monitoring with automated alerting. Our Recovery Time Objective (RTO) is 4 hours and Recovery Point Objective (RPO) is 1 hour.
How are backups managed?
Automated daily backups are performed with point-in-time recovery capability. Backups are encrypted and stored in geographically separate Azure UK regions to protect against regional outages.
Data Retention and Deletion
What happens to data when a school leaves Signal?
Upon termination, customer data is retained for 60 days to allow for data retrieval or transition to another system. After this period, all customer data is permanently and irreversibly deleted, including backups (which may persist for up to 90 days from the deletion date due to Azure backup schedules). Schools may request early deletion at any time.
How long are safeguarding records retained?
As Data Processor, Signal retains data for as long as the school instructs. Schools typically retain safeguarding records until a student reaches age 25, in line with statutory guidance. The school as Data Controller determines the appropriate retention period. This is dependent on the school remaining a Signal subscriber — if a school leaves Signal, all customer data is permanently deleted after 60 days (see above).
Completing Your DPIA
Does my school need to complete a DPIA for Signal?
We recommend that organisations conduct a Data Protection Impact Assessment when implementing any system that processes children's safeguarding data, as it involves special category data and data relating to vulnerable individuals. This document, together with our Data Processing Agreement and Privacy Policy, provides the information you need to complete your assessment.
What documentation does Signal provide to support a DPIA?
- This due diligence information document (what you're reading now)
- Data Processing Agreement — controller-processor obligations
- Privacy Policy — how we handle personal data
- Terms and Conditions — full service agreement
If you require any additional information for your DPIA, please contact us.
Contact Information
For additional information to support your due diligence or DPIA, or to request specific documentation, please contact:
Company: Signal Education Ltd (Company No. 17014216)
Address: 12 Cooper Road, Bristol, BS9 3RA
Email: support@signalschools.co.uk
Data Protection Officer: dpo@signalschools.co.uk
ICO Registration: ZC136329
