GDPR & Data Protection

GDPR COMPLIANCE STATEMENT

This statement covers the Carrot Rewards Group of companies including:

  • Carrot Rewards Limited
  • School Stickers Limited

Description of the technical and organisational security measures implemented by the data processor:

PHYSICAL SECURITY

The Carrot Rewards team are all UK based.

The Carrot Rewards office is equipped with external CCTV cameras, and footage is monitored periodically by authorised individuals. Fire alarms are in place to detect and mitigate damage in the unlikely event of a fire. Regular fire drills are also conducted by the premises management team to educate employees about emergency evacuation procedures. A policy has been implemented to approve and regulate visitor access into the building.

DATA SECURITY

Our websites and data are stored on our dedicated services with our provider Fasthosts. Fasthosts is a provider of cloud and hosting services, based in Gloucester. Fasthosts have a registered office at Discovery House, 154 Southgate Street, Gloucester, GL1 2EX and company number 03656438. Lindsay Hamilton-Reid is the registered Data Protection Officer for Fasthosts.

ISO 27001 certification

Fasthosts data centres have been accredited with the ISO 27001 certificate – an international standard given to data centres that reach the top-level of security, safety and compliance. This certificate ensures that our network, people and processes meet the industry best-practices of physical and logical security.

Data centres provide maximum security, with access strictly limited to cleared personnel and monitored by extensive CCTV and access control systems. We’ve put in place a comprehensive range of physical security measures to guarantee the safety of your data.

CCTV covering all areas of the data centres and corporate offices

Highly experienced security guards on duty 24/7, 365 days a year

Role-based access control swipe-card system across multiple secure areas to ensure absolutely no access by unauthorised personnelAll accounts have an encrypted password and we do not hold any identifying data of the pupils such as address or date of birth.

Where we transfer data to third parties for processing, we notify our clients to get their consent to this activity, and from the third party we get confirmation of their GDPR compliance

DATA DELETION

When a contract or other form of relationship with one of our customers ends, we take written instruction from the customer on how they wish for us to deal with their data. Our customers have the ability to export their data before final deletion. Schools via their Carrot Rewards log in can also delete any data within their account.

In the absence of anything in writing from a customer, we will destroy all client data securely 12 months after the relationship ends

For on-going customer relationships our deletion policy is:

Student / Teacher Data – can be deleted at any time via the school Carrot Rewards log in.

OPERATIONAL SECURITY

Members of the board of directors are present to oversee and approve all organisation-wide security policies. Operational security starts right from recruiting an employee to training and supervising auditing their on-going work products. All employees are provided with adequate training about the information security policies of the company and are required to sign that they have read and understood the company’s security related policies. Confidential company information is available for access only to select authorised Carrot Rewards employees. Employees are required to report any observed suspicious activities or threats. We take the appropriate disciplinary action against employees who violate organisational security policies.

Carrot Rewards maintains an inventory of all information systems used by our employees. Only authorised and licensed software products are installed, and no software may be installed onto any server or Cloud, other than by our head of IT.