PhysicsUK Admin Privacy & Data Protection
Governance summary (version 1.0.0)
Controller-led deployment
1) Controller
PhysicsUK is operated privately for teaching and assessment. The operator determines who is on the platform, what data is collected, and why it is processed.
- Data Controller: tafrensystems.com (PhysicsUK / Tafren Systems)
- Privacy contact: contact@tafrensystems.com
- Data Protection Officer (DPO): Not appointed (not required for this service model). A privacy contact is provided for all data protection queries.
2) Processors / Sub-processors
The following suppliers provide infrastructure services that may process personal data on behalf of the controller:
- MongoDB Atlas – database hosting (primary data store)
- Heroku – application hosting and runtime
- Mailgun – email delivery (e.g., login emails / notifications)
3) International transfers
Some suppliers may process data outside the UK. Where this occurs, appropriate safeguards are used, for example contractual safeguards such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum, and vendor transfer mechanisms where applicable.
4) Security measures (high level)
- Encryption in transit: HTTPS/TLS is used for web traffic and service connections where supported.
- Encryption at rest: MongoDB Atlas encrypts cluster storage and snapshots at rest by default.
- Access control: Access to the database and platform admin functions is restricted to the controller.
- Data minimisation: Only educational and operational data required to run the platform is collected.
5) Retention
Pupil data is deleted each year in August as part of the end-of-year reset, unless there is a lawful reason to retain specific records for longer.
6) AI features
If AI feedback is enabled, the platform is designed to avoid sending sensitive personal data. Users should not enter sensitive personal information into answer fields.