Technical and organisational security measures

Last Updated: 16/12/25

Thrive Learning Limited implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with applicable data protection laws and regulations. These measures are designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

  1. Governance and Policies
    • Internal data protection, information security, and IT security policies are implemented, documented, and maintained in line with applicable laws and regulatory requirements.
    • Policies and procedures are reviewed regularly and updated where necessary to reflect changes in risk, technology, or legal obligations.
    • Responsibility for data protection and information security is clearly assigned, including the appointment of individuals with dedicated responsibilities (e.g. information security and data protection roles, where required by law).
  2. Confidentiality and Staff Awareness
    • Access to personal data is restricted to authorised individuals and subject to appropriate confidentiality obligations.
    • Employees and relevant contractors receive regular training on data protection, information security, and secure data handling practices.
    • Training is refreshed periodically to ensure continued awareness of risks, responsibilities, and best practices.
  3. Access Control and Authentication
    • Logical access to IT systems is granted based on the principle of least privilege and a need-to-know basis.
    • All systems are accessed via unique, individual user accounts.
    • Passwords are required and enforced in line with current industry standards for complexity and security.
    • Access rights are reviewed and adjusted as roles change or access is no longer required.
  4. Data Segregation and Environment Separation
    • Personal data belonging to different customers is logically segregated.
    • Test and development environments are separated from production systems.
    • Controls are in place to prevent unauthorised access or accidental data crossover between environments.
  5. Encryption and Data Protection
    • Personal data is encrypted at rest where appropriate.
    • Personal data is encrypted in transit when transmitted over public networks.
    • Secure protocols are used for online transmission and, where applicable, the transport of data using mobile or removable media.
  6. Physical Security
    • Physical access to offices, data centres, and facilities is controlled based on the sensitivity of the data and criticality of processing.
    • Access is restricted to authorised personnel and relevant third parties only.
  7. Business Continuity and Resilience
    • Data backup and recovery policies and procedures are implemented and tested.
    • Business continuity and disaster recovery measures are in place, including defined recovery time objectives.
    • These measures are designed to ensure the ongoing availability and resilience of processing systems and services.
  8. Monitoring, Auditing, and Assurance
    • Regular internal and external audits are conducted to assess compliance with data protection and information security requirements.
    • Audit outcomes are reviewed, and corrective actions are implemented where necessary.
    • Continuous monitoring and vulnerability management practices are in place to identify and mitigate security risks.
  9. Sub-processors
    • Sub-processors engaged by Thrive are subject to formal, documented, and controlled data processing arrangements.
    • Appropriate due diligence is conducted before engagement.
    • Sub-processors are required to implement security measures consistent with Thrive’s data protection obligations.
  10. Data Loss Prevention
    • Data Loss Prevention (DLP) tools and techniques are implemented to reduce the risk of unauthorised disclosure or loss of data.
    • Controls are designed to detect, prevent, and respond to data exfiltration risks where appropriate.

Contact

If you have any questions regarding Thrive’s technical and organisational measures, please contact: privacy@thrivelearning.com

Thrive Learning Limited
Company No. 10988277
27 Market Place
Bingham
Nottingham
Nottinghamshire
NG13 8JY
United Kingdom
