Your Data, Handled with Care: A Guide for Schools

Legislation and accountability frameworks surrounding education technology are, quite rightly, becoming increasingly tighter.

At Charanga, data security is a responsibility we take seriously and approach with the utmost care, rigour, and pride. Protecting information is integral to how we design, operate, and continuously improve our systems.

This guide brings together the questions about data security and protection that I’m most often asked by school IT leads, data protection officers, and those responsible for ensuring the educational technology tools their school uses are secure, reliable, and trustworthy.

At the top of my FAQ leaderboard are two questions: ‘What information systems are data held in?’ and ‘What data transfer mechanism is used?’.

Here you’ll find clear explanations about how and where we store your data, who can access it, how long it is retained, and how it is deleted — all written as plainly and transparently as possible.

I hope you find this guide helpful and reassuring. If there’s anything you’d like to explore further or would like added to this guide, we’re always happy to help. Please contact us at gdpr@charanga.com or email me directly at ruthjones@charanga.com.

---

About Charanga
Data processing, terms, compliance and security FAQs
Data Governance and compliance information (GDPR, COPPA, FERPA)
What personal data do we collect?
What jurisdictions are used to hold UK data subjects data?
What information systems are data held in?
What data transfer mechanism is used?
What data security / cyber security measures are used?
What is our cyber incident response plan?
Do we have a cybersecurity liability insurance policy?
What is the Lawful Basis for processing Student data?
Is there a data processing agreement or contract for schools?
Are third-party processors used?
What is our Data Deletion and Retention schedule?
Do you use AI, or plan to use AI within your products?

About Charanga

Charanga is a music education technology company based in Brighton, UK. Its online platform supports classroom and instrumental/vocal music teaching through cloud-based curriculum resources and interactive tools, including a DAW, drum machine, graphic score tool, music notepad and digital keyboards.

Products include Musical School (primary), Charanga Secondary, YuStudio®, Charanga Music Professional, Charanga Cymru, Charanga Scotland, Charanga International and Yumu.

Teachers can organise resources, create and customise lessons and schemes of work, track progress, upload their own materials, and manage student groups. Optional student access via Yumu enables assignment and monitoring of projects in a secure, password-protected space; there is no student-to-student messaging.

Charanga also provides CPD, training and support. Access is by subscription for schools and music services, each with a designated Lead Teacher for oversight.

View more information and news about Charanga.

Using Yumu for students is NOT a requirement for using Charanga effectively. View more information about online access for students in our Child Protection Online Safety Policy Statement.

Data processing, terms, compliance and security FAQs

You can find detailed information in our policy section here:

Terms of Use
Schedule to Terms of Use: Data Processing Terms
Privacy Notice
Privacy Notice for Young People
Cookie Notice
Child Protection and Online Safety Policy Statement

Data Governance and compliance information (GDPR, COPPA, FERPA)

Charanga is based in the UK, and is governed by and complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Charanga is registered with the Information Commissioner’s Office:
https://ico.org.uk/ESDWebPages/Entry/Z312670X

EEA and UK residents: More information about the lawful basis for processing personal data and legitimate interests can be found in section 18 of our privacy notice.

Charanga powers MusicFirst Elementary in the US and is COPPA/FERPA-compliant.

Californian residents: more information can be found in section 19 of our privacy notice.

Further information for Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah and Virginia can be found in section 20 of our privacy notice.

What personal data do we collect?

Data minimisation and purpose limitation: we need personal information to conduct our business and provide users with our platform, website and services.

• We only collect personal data that we need for our specified purposes
• We ensure we have sufficient data to fulfil our specified purposes
• We periodically review the data we hold and delete anything we don’t need

No special category data is required to use the platform.

Charanga intends for, and has designed all products, to not require a great deal of personal data. The main Charanga teaching tools do not require any student data to operate.

For teachers, we need a first name, last name, email address and school name.

For Yumu, the minimum amount of student personal data required is a first and last name. Student data is associated with the teacher’s name and school name. Student pseudonyms can be used if preferred.

Note: SSO (Single Sign-on, sign-on integration) – we are currently finalising Google Classroom and MS Teams integration, which will be made available to secondary schools on request later in 2026. We will contact our secondary school admins to let them know when this is available.

You can find more detailed information on our Schedule to Terms of Use: Data Processing Terms. Please also refer to our Privacy Notice.

What jurisdictions are used to hold UK data subjects data?

Charanga hosts its websites on Amazon Web Services’ (AWS) European Union (EU) data centres in Ireland.

What information systems are data held in?

Data is processed in Ireland (EU) and the UK. Data is stored on an AWS RDS (Relational Database Service) instance, which is a managed MySQL database in the AWS eu-west-1 regional zone (Ireland).

The Charanga servers in AWS are in a locked-down VPC (virtual private cloud), where access to those machines is logically isolated from any other AWS instances.

Charanga uses AWS’ geographic controls to ensure that no data leaves the EU data centres in Ireland. This ensures we are in compliance with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

What data transfer mechanism is used?

All digital data is encrypted during transmission and at rest, and transmitted over secure network connections. Session cookies are set to be HTTP-only (can’t be read by JavaScript) and secure (can only be used over an HTTPS connection). HTTP (unencrypted) connections are automatically redirected to HTTPS (encrypted) using an HTTP Strict-Transport-Security response header (HSTS). The platform uses TLS 1.2+ for all data transmission.

What data security / cyber security measures are used?

The VPC acts like an isolated LAN. Network access is strictly controlled by security groups. Traffic in and out of the VPC from specific machines (i.e., the web server and only the web server) to the wider internet is further limited by firewall rules that permit only a limited set of protocols: HTTP, HTTPS, SMTP, and SSH.

SSH access to the VPC is allowed only from a set of whitelisted IP addresses. Password access is not permitted, nor dis root access. Access is solely from SSH keypairs, which are reviewed on a regular basis.

We operate intrusion detection systems and have an automated IP-banning system that blocks bots, scanners, and exploit scripts.

We always use privacy-enhancing technologies (PETs) to assist us in complying with our data protection by design and default obligations.

We offer strong privacy defaults, including automatic logout after a period of inactivity, user-friendly options and controls, and we respect user preferences.

The platform supports Multi-Factor Authentication (MFA) and implements role-based access control (RBAC).

Note: We are currently testing a TOTP (Time-based One Time Password) 2FA system. This is on our 2026 roadmap for Charanga staff users with access to personal data. We won’t be using SMS-based 2FA due to the risks of sim swapping, social engineering, and SMS Pumping Fraud. We are consulting with UK partners (Local authorities, music services, MATs) regarding whether 2FA should be an opt-in feature for their regional / member schools in future.

APIs are securely protected - secure API endpoints with authentication and rate limiting.

We operate an ethical security researcher disclosure policy as detailed in our industry-standard security.txt file.

Our systems are manually penetration-tested annually, and we run an automated exploit scanning tool.

Our database data is continually backed up and can be restored to any point in time over the last 12 months. Key data changes are recorded in an audit log.

We know that data is secure because we renew our security certificates annually or every 3 months (depending on the domain), and our infrastructure provider, Amazon Web Services (AWS), is ISO-certified. Our systems run in an isolated private network and can only be accessed by authorised technical staff. All accesses are logged and can be audited. We comply with GDPR.

Charanga follows the NCSC guidance ‘Cyber Security Essentials’. We are undertaking the AWS software partners programme and aligning with the CIS Amazon Web Services Foundation guidance. We have updated our Cyber Essentials Self-Assessment to certification for 2025.

Everyone who works for Charanga is required to read and understand the company’s Data Security Policy, which sets out the minimum standard which should be applied whenever employees access Charanga facilities and equipment. Security responsibilities are included in role descriptions, person specifications and personal development plans where practical.

Charanga staff are required to complete accredited Information Security training at least once a year, and selected staff are required to complete accredited GDPR training at least once a year.

What is our cyber incident response plan?

If Charanga becomes aware of a personal data breach (such as loss, damage, corruption, unauthorised access, or unlawful processing of school data), we will notify the school in writing within 48 hours and without undue delay.

Our notification will include:

• A description of what happened and the type of data affected.
• The likely consequences.
• The steps we have taken or propose to take to fix the issue and reduce risks.

We will also:

• Cooperate fully with the school in investigating the breach.
• Provide access to relevant records, facilities, and staff if needed.
• Help with any regulatory or law enforcement requirements.
• Cover reasonable costs of responding to the breach, except where the breach results from the school’s own actions.

Charanga will not disclose third-party information directly without the school’s consent (unless required by law). The school decides whether to notify individuals, regulators, or others.

Do we have a cybersecurity liability insurance policy?

Yes - our Cyber Insurance includes compensating for data breach response, student data privacy liability, cyber extortion, privacy liability, losses arising from business interruption, digital asset restoration, and contractual liability. The minimum limit of the coverage is from 100,000 GBP with a maximum of 5 million GBP.

What is the Lawful Basis for processing Student data?

The lawful basis is legitimate interest.

1. To allow teachers to organise students into groups, assign teaching resources and upload assessment evidence.
2. To provide teachers with the option to grant specific students access to Yumu, linked to their own teacher account only.
3. So that teachers can provide differentiated, adaptive music-learning resources and activities for different student groups in their classroom teaching.
4. So that teachers can provide students with creative digital assignments and tools to enable them to progress in musical learning and activity, and to create and save their own musical compositions.
5. No third parties benefit from the processing of student data.
6. There are no wider public benefits to the processing of student data.

Is there a data processing agreement or contract for schools?

No. Instead of a contract, we provide a Schedule to the Terms of Use, which outlines the data to be processed, processing purposes and sharing limitations.

Are third-party processors used?

Like most companies, we rely on third-party providers to support the provision of our products and services, such as online file storage and communications. Some of these service providers will, by necessity, have access to or be directly involved in processing or storing a subset of the personal information you share with us.

We also have special-case partnership projects and products, for example, Arts Award with Trinity College London, the Connect Programme with Young Sounds UK, and the Secondary Music Suite with MusicFirst and Rising Software. In these cases, we seek consent to share personal data for specific reasons where required.

All our third-party data processors have been carefully selected as responsible service suppliers who also practise responsible data handling. We believe that each has appropriate protections to ensure the security of the data we store or process with them and clear policies for how they treat that data. But if in doubt, you should review their individual Privacy Policies.

View more information about third-party processors.

What is our Data Deletion and Retention schedule?

We retain Personal Data only as long as necessary for its intended purposes. We will store only the minimum data needed to meet legal requirements and provide goods or services in compliance with data protection laws, including GDPR legislation and Acceptable Use.

Student data is retained for the duration of the activity, or, if the account is ended or dormant, for 2 years from the date of the last user activity.

Teachers can delete their own student data (student groups and Yumu accounts) at any time. If data is deleted accidentally, it will be saved in a deleted students table for 2 years and can be restored from there if necessary. Students cannot delete their own data. The two-year retention period gives students time to transition to new schools or for customers to decide to renew their subscription, and it also allows requests to export saved work files. Charanga deletion: Student accounts which have been inactive (dormant) for 2 years enter an automatic deletion process.

Teacher data is retained for the duration of the activity, or until the account is ended or dormant, for 3 years from the date of the last user activity.

Financial transaction data is retained for the duration of the account, then 7 years from the date of the last transaction.

Marketing data (First name, last name, email address, job title, school or organisation name) is subject to user opt-out/unsubscribe.

Right to erasure (deletion), Right to be forgotten - unless subject to a legal requirement, individuals can withdraw their consent for their data to be processed / request that their data be deleted at any time.

Do you use AI, or plan to use AI within your products?

No. We do not include or use AI or AI tools that collect data to train or develop Large Language Models, and we currently have no plans to do so.

---

Last updated February 2026
Ruth Jones
Data Protection Officer