Security and compliance, built for UK colleges
FEDataSync is designed around data minimisation. Learner personal data stays on the college network, and the cloud only ever holds configuration, encrypted tokens and aggregate health counts. This page sets out how we protect data and what we can give your data protection and IT teams.
Data minimisation by design
Learner data never leaves your network
A small agent runs inside your own network, next to your student record system. It reads the approved SQL views locally and pushes contacts straight to your own HubSpot portal over a secure, authorised connection. Student records are never sent to us and are never stored in our cloud.
Our control plane holds only what it needs to run the service: your configuration, your field mapping, an encrypted HubSpot refresh token and aggregate health counts. None of our sub-processors receive learner personal data. That keeps the amount of student data we process to the minimum, which is exactly what UK GDPR asks of you.
How we handle your data
We act as your processor
Your college is the data controller and FEDataSync is the processor. We process personal data only on your documented instructions, under a UK GDPR Article 28 Data Processing Agreement.
UK and EU data residency
The control-plane database runs in the United Kingdom (London). Learner personal data isn’t held by us at all, so it stays on your network and in your own HubSpot portal.
Encrypted in transit and at rest
Every connection uses TLS. The OAuth tokens we hold are encrypted at rest with AES-256-GCM, and only a hashed form of each agent key is stored.
Access control
Administrator access to the control plane is protected by managed authentication with support for multi-factor sign-in. Access to tenant data is scoped per college.
Consent and suppression
Deceased, withdrawn, consent-withdrawn, do-not-email and ADP records are suppressed automatically on every run, so you don’t market to anyone you shouldn’t.
Children’s data
Most FE learners are under 18 and remain children under UK GDPR. Marketing profiling is off by default for under-18 contacts, and we support separate student and parent or guardian consent.
Breach notification
If we ever become aware of a personal data breach, we notify you without undue delay and within 72 hours, with the detail you need to meet your own reporting duties.
Retention and deletion
You choose your retention rules. On exit we delete or return the configuration and tokens we hold, and confirm deletion.
Audit and reconciliation
Every operation is written to an append-only audit log, and a daily reconciliation report compares your data against HubSpot so drift surfaces early.
Sub-processors
We use a small set of trusted providers to run the service. None of them receives learner personal data, because that data flows straight from your network to your HubSpot portal.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database for tenant configuration, encrypted OAuth tokens and aggregate health counts | United Kingdom (London region) |
| Vercel | Hosting for the control plane and this website | EU and global edge |
| Clerk | Administrator sign-in for the control plane | United States |
| Resend | Transactional and alert email to college administrators | United States |
| Stripe | Subscription billing (no learner data) | United States and EU |
We give at least 30 days’ notice of any change to this list so you can review it.
Certifications and assurance
We’re honest about where we are. Here is what’s in place today and what’s on the way.
- Available now: a UK GDPR Article 28 Data Processing Agreement, a named sub-processor list, a security overview, a DPIA support pack and answers to the NCSC Cloud Security Principles, all on request.
- In progress: Cyber Essentials, aligned with the DfE digital and technology standards for colleges.
- On our roadmap: Cyber Essentials Plus and ISO/IEC 27001 certification as we grow.
For data protection officers and IT teams
Ask us for the assurance pack and we’ll send it across: the Data Processing Agreement, DPIA support pack, sub-processor list, security overview, a completed supplier security questionnaire and our NCSC Cloud Security Principles response.
Security contact: security@fedatasync.co.uk. To report a vulnerability, see security.txt.
FEDataSync is a product of Limelai Limited, a company registered in England and Wales (company number 16486216), registered with the Information Commissioner’s Office.