Security like no other
We understand how important it is for you to protect and safeguard everyone in your community, which is why IRIS Connect ensures outstanding security. We have thought very carefully about our legal responsibilities and your peace of mind, building a system that’s rooted in data protection, privacy and safety.
IRIS Connect is the only video professional learning platform with a protocol agreed between the ASCL and NASUWT.
Why are data protection, privacy and security so important?
Video is a powerful tool for accelerating teaching and learning, but it is vital that the students featured in a lesson recording are appropriately protected at all times.
A school leader who purchases a system that does not meet basic data protection requirements exposes the school to a range of significant liabilities, not least the failure of an Ofsted inspection on the grounds of safeguarding.
What questions should I ask?
Our platform is designed to be a safe professional learning community, but not all video technology providers prioritise your safety in the same way. Not everyone abides by the relevant legal frameworks and some don’t even provide very basic security measures.
Here are a series of basic questions you can use to help establish whether a video system puts your security first.
These considerations will help you check whether a provider is aware of the legal framework that schools have to operate within, provides an agreement that meets it and can look after your data in such a way that it will not be lost or accessed by others.
Questions relating to agreements and data protection
Does the provider offer an agreement that complies with the Data Protection Act (DPA)?
Does the provider take into account and clearly define the roles of data processors and owners in their agreement?
The DfE outlines that schools, as data controllers, have a responsibility to ensure that the processing carried out by their service provider complies with the DPA. The best way to do this is to have a contract and a data processing agreement in place.
Is the provider registered with the Information Commissioner's Office as a data processor?
Does the provider ensure that all data is stored within the EEA (European Economic Area)?
All data for EU customers is stored within the EU.
Questions relating to privacy
Does the provider ensure the individual user keeps control of videos and has the right to delete at any time?
The IRIS Connect EULA also makes clear that our system is to be used only within a supportive developmental framework. It states that IRIS Connect act solely as the data processor, the school acts as the data controller and the end user the data owner. This agreement also gives individual users the right to delete videos and ensures that individual videos will not be recorded or shared with any other IRIS Connect user without their explicit permission.
Questions for cloud-based solutions
Does the provider store all data at rest within a world-class data storage environment?
1. You must choose a data processor that provides sufficient guarantees about its security measures to protect the processing it will do for you
2. You must take reasonable steps to check that those security measures are being put into practice
ISO 27001 (widely-adopted global security standard)
ISO 9001 (global standard for managing the quality of products and services)
G-Cloud (UK Government security standard)
FERPA (U.S. Department of Education)
FIPS 140-2 (U.S. government security standard)
DIACAP and FISMA (U.S. Federal Information Security Management)
DoD CSM Levels 1-2, 3-5 (U.S. Department of Defence)
IRAP (Australia)
MTCS Tier 3 Certification (Singapore Security Management Standard)
PCI DSS Level 1 (Payment Card Industry Data Security Standard)
SOC 1 / ISAE 3402 (Service Organization Controls reports)
SOC 2 (Service Organization Controls reports)
SOC 3 (Service Organization Controls reports)
CJIS (U.S. Criminal Justice Information Services)
CSA (Cloud Security Alliance)
HIPAA (storage of protected health information)
FedRAMP (SM) (The Federal Risk and Authorization Management Program)
Does the provider provide a robust authentication process to protect access to personal data and / or user accounts?
Each account is linked to an email address, which needs to be verified. Further, passwords cannot be reset by the Organisation Administrator, nor can email addresses be changed to gain access through the ‘forgotten password’ process. The entire IRIS Connect platform (including the login page) uses SSL (https) to protect against ‘man in the middle’ attacks and ensure that users’ account credentials and data are sent securely through the latest industry standards.
Does the provider ensure all data transmitted to and from its cloud service is securely encrypted?
SSL encryption is a security protocol that allows sensitive information to be transmitted securely. The ICO states: ‘it is good practice to encrypt data whilst it is being transferred from one device to another (e.g. across the internet or over a wireless connection) to provide effective protection against interception of the communication by a third party whilst the data is in transfer.’
Does the provider ensure all requests to delete data are complied with and data is disposed of responsibly and securely?
In line with principle 5 (data retention) and principle 7 (security) of the DPA, ‘it is not only important to monitor data transfer and storage but also the deletion of data, where data is deleted from a live system, it should also be deleted from any back-ups as well.’
Customer data (non-financial) will be disposed of following termination of licence. Our secure data centre employs industry standard procedures on the decommissioning of its storage devices at the end of their useful life. Deleted data will be stored for 3 months in case the customer needs to retrieve it. The back-ups will be stored for a further 6 months before being destroyed. There are certain occasions when information needs to be preserved beyond this limit, such as in the following circumstances:
• Legal proceedings or a regulatory or similar investigation or obligation to produce information are known to be likely, threatened or actual
• A crime is suspected or detected
• Information is relevant to a company in liquidation or receivership, where a debt is due to IRIS Connect
• In the case of possible or actual legal proceedings, investigations or crimes occurring, the type of information that needs to be retained relates to any that will help or harm IRIS Connect or the other side’s case or liability or amount involved
Does the provider ensure that its security processes and systems are regularly reviewed internally and through independent services?
This alternative perspective review will assist in identifying any practices that could cause security, storage or usability issues.
Does the provider ensure that adequate data recovery and back-up systems are in place?
Collecting and storing your data in a system involves financial, time and process investment and often this stored data is irreplaceable. This investment needs to be protected and if a recovery is required, the service provider must ensure they are able to restore this without alteration from a back-up.
Does the provider confirm that it has sufficient capacity to ensure a resilient, reliable and accessible service?
IRIS Connect have provided 99.9% service uptime in the last 18 months during core operating hours (8am – 6pm). IRIS Connect provides free full support to all customers, enabling us to quickly resolve any issues logged. This is provided Monday – Friday between 8am – 5.30pm GMT, with additional limited support until 10pm. The support team are available via live chat, email and phone.
Questions for local network-based solutions
Is data stored securely and backed-up in case of a disk failure?
Further, the data needs to have a reliable, regular back-up, ideally to an off-site location in the event of a fire, flood etc.
For full user control and data security, videos are never stored on individual devices or local servers. Instead, they are encrypted, immediately uploaded to our platform and automatically deleted from the device they were recorded on. The platform is designed to ensure that data remains in the secure, password-protected environment: it provides Editing and Groups for cross-organisational sharing and does not enable the downloading of sensitive data to local devices.
Is the security of hardware regularly reviewed internally and through independent services?
Further, the data needs to have a reliable, regular back-up, ideally to an off-site location in the event of a disk failure, fire, flood etc.
Are passwords stored in a secure database and in an encrypted format?
The use of passwords as a secure authentication step to safeguard data stored on the system will be compromised if the passwords are not stored in an encrypted format. This presents a security risk. When passwords are stored in an encrypted format, they will be useless if someone manages to gain access to them.
Has hardware passed rigorous safety testing and does it have a CE mark with supporting documentation?
CE marking is a mandatory conformity marking for certain products sold within the European Economic Area (EEA) since 1985. The manufacturer has to take certain obligatory steps before the product can bear CE marking, including a conformity assessment, setting up a technical file and signing a declaration stipulated by the leading legislation for the product. The documentation has to be made available to authorities upon request.
These videos often include students as they interact with the teacher and their peers in the classroom. Teachers are completely in control of these videos – only they can decide which educators can see them. IRIS Connect will not share these videos with third parties.
Am I able to request to see any data held of my child?
Who will be able to see these recordings?
In what circumstances would my child be recorded?
Could these recordings be uploaded to other websites?
When using IRIS Connect, you have complete control over who sees any of the videos that you create, sharing them with only individuals or groups that you choose. You also have the ability to delete or remove sharing privileges as you wish.
Can I download my reflection?
This means your community isn’t being appropriately safeguarded as the video is no longer private or secure and doesn’t adhere to relevant data protection laws.
We’ve built features into our platform that mean you should have no need to download your videos, including editing, sharing across organisations using Groups and anonymisation.
If you feel you have a very exceptional reason for needing to download a video then please get in touch.
NASUWT/ASCL agreement about IRIS Connect
Video Technology Security Checklist
Download your free checklist of questions to ask about your video technology.
Department for Education – Cloud Service Providers Self Certification Checklist

This checklist enables organisations to compare the degree to which different service providers comply with platform security best practice and data protection.
IRIS Connect’s responses (included in the document) have been independently verified and certified.
Cloud (educational apps) software services and the Data Protection Act

Department for Education’s guidance document on data protection for schools considering using cloud software services to hold sensitive information.