Data Handling & Confidentiality Commitment

This Data Handling & Confidentiality Commitment outlines how Hey Tech Labs Ltd (trading as HeyEd) protects personal data shared during customer onboarding, data migration, and ongoing platform operations. This commitment provides transparency regarding data handling practices and security measures applied to all customer information.

During the onboarding process, customers may provide the following categories of personal data:

• Staff names, roles, and contact details
• DBS certification and right-to-work documentation
• Training records and certificates
• Policy and compliance documents

HeyEd does not process children's personal data. The platform is designed exclusively for staff compliance management.

Hey Tech Labs Ltd operates under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 as a Data Processor.

• The Customer (childcare provider) acts as the Data Controller.
• Hey Tech Labs Ltd (trading as HeyEd) acts as the Data Processor.
• All data processing is governed by a Data Processing Agreement (DPA), which defines responsibilities, retention periods, and security obligations.

ICO Registration Number: ZB774385

The following technical and organisational measures are implemented:

• Encryption: All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher.
• Infrastructure: Data is hosted in secure AWS UK/EU data centres with redundancy and access control mechanisms.
• Access Control: Access to customer data is restricted to authorised HeyEd personnel under strict confidentiality obligations.
• Authentication: Multi-factor authentication (MFA), role-based access control, and comprehensive audit logging are enforced for all system access.
• Monitoring: Continuous monitoring systems detect anomalies and potential security incidents.

Customer data during onboarding is handled as follows:

• Data is transferred via secure upload mechanisms or encrypted file sharing (password-protected links).
• Access to uploaded data is restricted to assigned compliance engineers for system configuration purposes only.
• Upon completion of migration:
  • Data is imported into the customer's HeyEd account.
  • All data is securely deleted from temporary storage within 14 days.

Deletion confirmation can be provided upon request.

All HeyEd employees, contractors, and partners with access to customer data are bound by confidentiality agreements.

Customer data is not:

• Shared with third parties outside the scope of service delivery or technical support
• Used for marketing purposes
• Used for AI model training
• Enriched or combined with third-party data sources

Customers may request at any time:

• A complete export of their data
• Confirmation of data deletion
• Access logs detailing any data access during migration or account setup

Customers retain full control over their data at all times.

HeyEd is working toward Cyber Essentials certification and adheres to guidance from:

• National Cyber Security Centre (NCSC)
• Information Commissioner's Office (ICO) guidance for data processors
• Ofsted and Department for Education data handling principles for early years settings

For enquiries regarding data handling or to request deletion confirmation, please contact:

This commitment is reviewed annually or following any material change to data handling practices.