
GDPR FAQs

Purpose

This article provides information about Reading Cloud and its policies regarding GDPR. This information may be used to help complete DPIAs, or for general enquiries.

What is Reading Cloud?

Reading Cloud is a SaaS platform for school libraries. It enables catalogue management, borrowing, reading engagement, and reporting. It allows integrations with MIS systems (via Wonde) and optional eBook/content services. Access is via secure browser-based login for staff and students.


Where is data stored?

All database storage within the Reading Cloud solution is hosted on Azure SQL, providing a secure, high-availability data platform.

Data is protected through encryption at rest and TLS encryption in transit, ensuring confidentiality and integrity at all times. Access to the database is controlled through role-based access control (RBAC), restricting permissions to authorised service accounts and administrators only. Database connection credentials are securely stored in Azure Key Vault, which is certified to meet multiple national and international legal and regulatory compliance standards as documented in the Microsoft Azure Compliance Framework.

What other security is in place?

Please see the Protection of Data article for details on the data centre security.


Who is the Data Controller?

The Data Controller is the person or organisation who determines the purposes and means of the processing of personal data. In the UK education sphere, this would be the school, with the exception of Scotland where the Data Controller of school data is the local authority.

GDPR stipulates that the Data Controller shall “Be responsible for and be able to demonstrate, compliance with the principles.”


Who is the Data Processor?

A data processor is the person or organisation that processes the personal data on behalf of the data controller. In education, examples of this would be the MIS provider, library system supplier, or any other third party supplier that uses pupil, parent or staff personal data to provide the school with services or products. The school determines which supplier they will use and what data these suppliers can use to provide their services.

Regarding the library system, Reading Cloud would be the Data Processor.

For further information on data subject rights, please see our Privacy Policy.


What certifications does Reading Cloud hold?

As a UK-based software company, ParentPay ensures its software and operations fully comply with the UK GDPR and the Data Protection Act 2018. The Reading Cloud security architecture is built around privacy-by-design principles, implementing strong encryption, access controls, and data minimisation to protect personal information and uphold individual rights.

ParentPay Group and Reading Cloud are ISO 27001 and Cyber Essentials Plus certified, and audited by independent third parties.

Who is responsible for information backup?

A backup of your hosted website is taken every 5 minutes, and these backups are kept for 35 days to allow more accurate restores to take place if you need them. For backups older than 35 days, we retain the backup taken at the start of the week for up to 3 months. These backups are stored at the data centre. After 3 months, the backups are automatically deleted.

For further information on this topic, please see our article on Data Retention.

How is user access managed?

All user access to the Reading Cloud backend system is facilitated exclusively through a secured API. The API enforces authentication, authorisation, and input validation to ensure that only authorised requests from trusted clients are processed. All API communications are encrypted in transit using TLS to protect data confidentiality and integrity.

Reading Cloud implements role-based access control (RBAC) through the use of defined Security Groups, ensuring that users are granted only the permissions necessary for their roles.

All access rights are enforced at the application level, providing consistent and centralised control over user actions and protecting sensitive functionality and data from unauthorised use. Within Reading Cloud, administrators manage user accounts through the integrated User Manager.

New users can be added individually and assigned to the appropriate Security Groups to define permissions, or provisioned in bulk via CSV import or MIS integration.


What sort of security testing does Reading Cloud undergo?

Penetration testing of the Reading Cloud platform is performed on a regular basis using both internal security specialists and independent external organisations. This approach ensures a comprehensive assessment of the system’s security posture, combining in-depth product knowledge with objective third-party evaluation. Findings from penetration tests are documented, risk-assessed, and remediated according to the organisation’s vulnerability management process.


Are any other services used by Reading Cloud?

Cloudflare is utilised for content delivery and to provide additional security services, including web application firewall (WAF) protection and DNS management.

Further information on Cloudflare can be found in the Protection of Data article.

Other useful links

Reading Cloud's Privacy Policy

Security Policy


How some of our other customers have phrased this

- Where is my data stored?

- DPIA help

- Data Controller and Data Processor details

- Does Reading Cloud have ISO certification?


Need Some Extra Help?

If you are struggling with an issue, please let the friendly Reading Cloud Service Team help. If you are using the chat bot and your issue is urgent, just say “Transfer for help please”. Alternatively, if you prefer, you can email them at support@reading-cloud.com or give them a call on +44 (0) 330 822 5359.