Staffroom
Security & Privacy

Trust Staffroom with pupil data—built for UK schools from day one.

We designed Staffroom around real classroom safeguards: hashed identifiers, role-based access, and privacy-friendly analytics. Here’s how we keep your pupils and staff protected.

Talk to us about complianceRequest our DPA

Student hashing

Every student name is converted to a deterministic hash and alias (e.g. “Pupil-AB12CD34”). AI prompts never contain raw names.

Data retention

Schools can export or delete reports at any time. Backups are retained for 30 days in encrypted storage.

Analytics without cookies

We use Umami Analytics in anonymised, cookieless mode. No consent banner is required under UK GDPR/PECR.

Our approach to safeguarding data

Security is embedded in the product—from how we store data to how we plan future features.

Privacy-first architecture

Student first names are hashed and stored as aliases before ever contacting AI providers, so personally identifiable information never leaves your workspace.

Secure infrastructure

Staffroom runs on Vercel with encrypted PostgreSQL storage. Access is controlled with role-based permissions, audit trails, and automated backups.

Teacher-controlled access

Only the teachers and admins you invite can access a class. Memberships are synced with Clerk organisations so you stay in control of who can view pupil information.

Transparent reporting

We keep a clear data processing log, support subject access requests, and provide downloadable report exports for your own archiving.

Compliance commitments

  • GDPR-ready processes. We act as a data processor, follow the UK GDPR, and provide signed Data Processing Agreements on request.
  • Sub-processor transparency. Our AI provider (OpenAI) receives only hashed identifiers alongside lesson highlights.
  • Access requests. We help schools respond to DSARs with full export or deletion of pupil data without delay.
  • Incident response. Critical events trigger alerts to the founding team and impacted schools within statutory timelines.

Need something formal?

We provide signed Data Processing Agreements, full privacy policies, and Safeguarding statements on request.

Request privacy policy PDFRequest security overviewAsk a question

Have safeguarding templates you already use? Send them over—we’ll complete them within two working days.