Data Security and Compliance

At CPOMS, protecting our customers’ sensitive data is an integral part of our mission. With a comprehensive data security program aligned to industry best practices and internationally recognised security standards such as ISO 27001, we continuously evolve our security program to meet critical security and compliance standards.

CPOMS Data Security and Compliance

How CPOMS Provides Data Security

Below, we detail our approach to providing data security, privacy and compliance, showcasing our dedication to protecting customer data and demonstrating the value of our solutions from a security standpoint.


1. ISO 27001 Certification

As part of our commitment to data security, CPOMS has aligned its information security management practices with the ISO 27001 standard, an internationally recognised framework for managing information security. This alignment demonstrates our adherence to the core principles of:

  • Confidentiality: Ensuring sensitive information is protected against unauthorised access.
  • Integrity: Maintaining the accuracy and trustworthiness of data.
  • Availability: Ensuring information is accessible to authorised personnel when needed.

Our alignment with ISO 27001 provides assurance to our customers that their data is managed with robust, standardised controls. Examples of our implementation include:

  • Continuous risk assessment and mitigation processes.
  • Proactive threat monitoring and detection.
  • Regular internal audits to ensure compliance with security policies.

2. Data Privacy and Regulatory Compliance

CPOMS is committed to complying with applicable legal and regulatory privacy requirements, both domestic and international. One of our key goals is to protect personal data through practices that include:

  • Collecting only essential data and using it for its intended purpose.
  • Securely deleting data upon customer request.
  • Helping to ensure that personal data is never sold or shared without explicit consent and is only disclosed for lawful or approved purposes.

3. Monitoring and Vulnerability Detection

To protect against emerging threats, our monitoring and detection framework includes:

  • 24/7 system availability, performance and security monitoring through a managed SOC (Security Operations Centre).
  • Centralised logging and alerting to detect malicious activities.
  • Regular vulnerability scanning and remediation for identified risks.
  • Annual independent penetration testing conducted by third-party security experts.
  • A bug bounty program to encourage responsible disclosure of vulnerabilities.

4. Data Encryption and Storage

We prioritise encryption to safeguard data in transit and at rest:

  • Data at rest is encrypted using AES-256 encryption, following ISO 27001 best practices.
  • All data transmissions utilise TLS encryption to protect data in transit.
  • Segregated environments are employed throughout the development lifecycle.
  • A Web Application Firewall (WAF) is implemented to help protect systems against unauthorised access and cyberattacks.

5. Employee Training and Accountability

Our team is our first line of defence against security risks. Every employee at CPOMS:

  • Undergoes a rigorous background check during the hiring process.
  • Completes security awareness training during onboarding and participates in ongoing annual training.
  • Where applicable, receives specialised training in secure coding practices and cloud infrastructure security.

6. Role-Based Access Control and Identity Management

To help protect sensitive systems and data, we enforce strict access management practices, including:

  • Role-based access controls to ensure that employees only have access to the resources required for their job responsibilities.
  • Regular access reviews to ensure proper authorisation levels.
  • Multi-factor authentication (MFA) for accessing critical systems.

7. Vendor Oversight

Third-party vendors are thoroughly vetted and held to high security standards to ensure safe and appropriate access:

  • Comprehensive risk assessments are conducted for all third-party vendors.
  • Vendors are contractually obligated to meet security commitments.
  • Regular reviews are conducted to ensure compliance with security policies.

8. Business Continuity and Disaster Recovery

Our Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) help ensure that we are prepared for unexpected events:

  • Critical systems undergo daily incremental backups and weekly full backups.
  • Backup systems are regularly tested to ensure effectiveness.
  • Automated alerts notify our team of backup or system failures to ensure rapid resolution.

9. Secure Development Practices

Security is embedded into every stage of our software development lifecycle to help ensure the safety and reliability of our products:

  • Secure by Design: Security is prioritised during the design phase, with safeguards built into all application features.
  • Code Reviews and Testing: Peer reviews and testing are conducted before deployment.
  • Continuous Updates: Regular updates are applied to address new threats, and systems are actively monitored to resolve potential issues.

10. Incident Response and Communication

CPOMS has a robust Incident Response Plan (IRP) designed to quickly address and mitigate security incidents. Our process includes:

  • Classification, prioritisation and escalation of incidents.
  • Containment and remediation of threats in a timely manner.
  • Root cause analysis to drive continuous improvement.
  • Transparent communication with affected stakeholders, both internally and externally, to help provide timely updates and guidance.

11. Transparency and Customer Assurance

We understand the importance of data security to the communities we serve. CPOMS is committed to maintaining transparency and providing regular updates about the enhancements we make to secure our systems and data. Any changes to our security practices are promptly communicated to stakeholders.

12. Additional Certifications and Accreditations

CPOMS is proud to uphold the following additional data security and compliance certifications and accreditations:

  • G-Cloud 14 Framework: CPOMS is listed on the UK government’s Digital Marketplace as a G-Cloud 14 Supplier and is approved to sell cloud-based services to public sector organisations, demonstrating compliance with government standards and security requirements.
  • Safeguarding Fundamentals (SGF) Silver Quality Mark accreditation: The SGF Quality Mark is a pioneering standard dedicated to transforming the safety and well-being of children across all organisations. By meeting SGF’s eight requirements for accreditation, CPOMS reaffirms its commitment to making a lasting difference in the lives of children, ensuring they grow in environments that are safe, supportive and empowering.
  • National Cyber Security Centre (NCSC) Cyber Essentials Certification: An NCSC program that establishes industry-recognised standards to demonstrate the ability to defend against common cyber threats and uphold security best practices. By meeting these standards, CPOMS reaffirms its commitment to maintaining a strong, secure digital environment and safeguarding both our data and the trust of the users of our products.

Why Security Matters

The policies, procedures and systems at CPOMS are built on a foundation of security to help provide peace of mind for our customers. By aligning with ISO 27001 and regulatory requirements, CPOMS demonstrates its commitment to protecting the schools, establishments and communities we serve.

We strive to maintain a comprehensive security program that keeps our platform reliable, trustworthy and aligned with customer expectations. If you have any questions, please feel free to reach out to [email protected].