Security Overview
Last updated: February 2026
In short: Pupil data is stored in the UK and EU on Google's infrastructure, with some server-side processing in the US. Everything is encrypted. We collect as little as possible — just first names and maths scores. There's no tracking, no ads, and no third-party data sharing.
Where your data is stored
| What | Where | Provider |
| --- | --- | --- |
| Pupil names, scores, and results | London, UK | Google Firebase Firestore |
| Live session data (who's logged in) | Belgium, EU | Google Firebase Realtime Database |
| Teacher login accounts | Google infrastructure (may involve processing outside UK/EU with safeguards) | Google Firebase Authentication |
| Server-side processing | US | Google Cloud Functions |
Google is certified under the EU-US Data Privacy Framework, and processing is covered by Standard Contractual Clauses with the UK International Data Transfer Addendum where data leaves the UK.
Encryption
- In transit: All connections use HTTPS/TLS. Data cannot be intercepted between the browser and our servers.
- At rest: Google Cloud encrypts all stored data automatically using AES-256 encryption.
- Class passwords: Verified using bcrypt hashing.
Access control
The app uses role-based access. Each role can only see what it needs to:
- Pupils — Other children's names are hidden in the app; they appear as generic usernames ("Star", "Moon", etc.). Pupils can only access their own class.
- Teachers — Can see pupil names and results for their own class only.
- School leads — Can see overall statistics across the school. Can also view individual classes and pupil names for oversight purposes.
Teacher and school lead access is managed through Firebase Authentication and role assignments stored in Firestore.
Login security
- Teachers log in with email and password via Firebase Authentication.
- Pupils log in with a class password plus their own 4-digit PIN.
- Rate limiting: After 5 failed PIN attempts, the account is locked for 2 minutes. This prevents guessing.
- Session management: Teachers can remove any pupil from an active session. Changing the class password forces everyone to log in again.
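The PIN lockout rule above, sketched as an added example (this is not the app's own code; the class, function and constant names are hypothetical, and the in-memory map stands in for whatever server-side store enforces the rule):

```javascript
// Added illustration, not the app's own code. All names are hypothetical.
const MAX_FAILED_ATTEMPTS = 5;     // from the rule above
const LOCKOUT_MS = 2 * 60 * 1000;  // 2 minutes, from the rule above
const PIN_SPACE = 10 ** 4;         // 4-digit PIN: 0000-9999

// Assumption: state lives in memory here; a real deployment must keep it server-side.
class PinLockout {
  constructor() {
    this.state = new Map(); // pupilId -> { failures, lockedUntil }
  }

  // Records one login attempt and returns its outcome.
  // `pinMatches` is the caller's own PIN check result; `now` is ms since epoch.
  attempt(pupilId, pinMatches, now = Date.now()) {
    const s = this.state.get(pupilId) ?? { failures: 0, lockedUntil: 0 };
    if (now < s.lockedUntil) {
      // Reject while locked even if the PIN is right, so the lock cannot be probed.
      return { ok: false, reason: 'locked', retryAfterMs: s.lockedUntil - now };
    }
    if (pinMatches) {
      this.state.delete(pupilId); // success clears the failure count
      return { ok: true };
    }
    s.failures += 1;
    if (s.failures >= MAX_FAILED_ATTEMPTS) {
      s.failures = 0;
      s.lockedUntil = now + LOCKOUT_MS;
      this.state.set(pupilId, s);
      return { ok: false, reason: 'locked', retryAfterMs: LOCKOUT_MS };
    }
    this.state.set(pupilId, s);
    return { ok: false, reason: 'wrong_pin', attemptsLeft: MAX_FAILED_ATTEMPTS - s.failures };
  }
}

// Upper bound on lockout time incurred by trying every PIN against one account:
// the correct PIN is found last, so 9,999 failures trigger one lock per 5 failures.
function worstCaseLockoutMinutes() {
  const lockouts = Math.floor((PIN_SPACE - 1) / MAX_FAILED_ATTEMPTS);
  return (lockouts * LOCKOUT_MS) / 60000;
}
```

With these numbers, working through every 4-digit PIN for a single account incurs up to 3,998 minutes of lockout (about 67 hours), which is the figure to weigh when sizing the lock duration or the PIN length.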
Audit logging
Teacher and admin actions are logged automatically, including:
- What action was taken
- Who did it (teacher account)
- Their IP address
- When it happened
Audit logs are kept for 90 days, then automatically deleted. They can be used to investigate any security concerns.
We do not log children's IP addresses.
Backups
Data is stored on Google Firebase, which provides built-in infrastructure redundancy — Google automatically replicates data across their servers to protect against hardware failures.
When a school lead or teacher deletes a class, the class data (pupil names, scores, results) is kept for 30 days before permanent deletion, so accidental deletions can be recovered. Teacher account deletions are immediate and permanent (audit logs containing the teacher's IP and actions are retained separately for 90 days).
XSS prevention
All user input (such as pupil names) is sanitised before being displayed. This prevents code injection attacks.
Third-party services
The app uses these external services:
- Google Firebase — Database, authentication, hosting, and server-side functions
- Google Fonts — The Nunito Sans font used on the site
- Zoho Mail — Sends invitation emails to teachers via SMTP (teacher email addresses only)
- jsDelivr and Cloudflare CDNs — Open-source libraries (for charts, PDF exports, and browser compatibility) are loaded from these CDNs. They receive standard connection data (IP address, browser info) but no pupil data.
No pupil data is shared with anyone else. There are no analytics platforms, no advertising networks, and no tracking tools.
What we don't have (yet)
In the interest of being upfront:
- Cyber Essentials certification — We don't currently hold this. It's on the roadmap.
- Penetration testing — We haven't commissioned a formal pentest. The app uses Firebase Security Rules, which are well-established, and we follow standard security practices.
- Content Security Policy (CSP) — We don't currently set CSP headers. The app loads libraries from third-party CDNs (jsDelivr, Cloudflare) without Subresource Integrity checks. This is on the roadmap.
Incident response
We have a documented incident response plan covering:
- Immediate containment steps for different types of breach
- Assessment and investigation using audit logs
- 72-hour notification to the ICO (if required under UK GDPR)
- Notification to affected schools
- Root cause analysis and prevention
For full details on breach notification, see our Data Processing Agreement.
Contact
If you have security questions or need to report a concern:
Sear Education
Email: info@mrsearmtc.uk