Classlist Trust & Compliance FAQ


Clear guidance regarding our regulatory posture, data governance, and third-party commercial software listings.

Is Classlist compliant with UK GDPR and safe for schools?

Yes. Classlist is fully compliant with the UK Data Protection Act 2018, UK GDPR, and EU GDPR. Classlist operates strictly as a Data Processor on behalf of schools and PTAs (who act as Data Controllers). Our data protection practices and platform structures are backed by a formal Legal Opinion from Veale Wasbrough Vizards (VWV)—one of the UK’s top education law firms—and continuously updated alongside data privacy specialists Clayden Law to reflect all post-Brexit regulatory standards.

Why does Classlist show as "unvetted" or "risky" on third-party platforms like 9ine?

This rating is a reflection of third-party commercial enrollment, not technical vulnerability or data non-compliance. Automated compliance aggregator tools like 9ine frequently default independent EdTech platforms to "unvetted" or "risky" flags if the vendor has not purchased a slot in their proprietary, paid vendor certification program.

Classlist invests directly in independent legal audits and enterprise-grade infrastructure rather than commercial platform listings. We provide comprehensive compliance documentation directly to school leadership and DPOs completely free of charge.

Where is school and parent data hosted? (Data Residency)

All Classlist data is fully encrypted and stored strictly within the UK and European Union. Classlist does not transfer personal data to the United States or any other jurisdictions outside the UK/EU framework. This guarantees total compliance with strict UK GDPR rules regarding international data transfers and ensures your school community’s data remains within local legal jurisdictions.

What technical security measures are in place to protect Classlist users?

Classlist uses a "built-for-purpose" closed security architecture designed to eliminate the safeguarding and privacy flaws found in open social networks like WhatsApp or Facebook. Our primary controls include:

  • Strict User Authentication: Every parent account must be individually verified and approved by designated School or PTA administrators before gaining access.
  • Data Encryption: All personal data and communications are fully encrypted both in transit (via secure HTTPS/TLS) and at rest.
  • No Commercial Profiling: Classlist never sells user data, never passes data to third parties, and completely bars third-party trackers from profiling parents or children for advertising.
  • Granular Privacy Controls: Individual members maintain absolute control over their profiles, with the ability to inspect, modify, or invoke their "Right to be Forgotten" (data deletion) instantly.

Does Classlist provide a Data Processing Addendum (DPA) and support for DPIAs?

Yes. Classlist provides a comprehensive, legally vetted Data Processing Agreement (DPA) that is automatically executed upon school setup to satisfy the legal processor-controller relationship. Furthermore, Classlist provides a dedicated, comprehensive DPIA Preparation Guide within our Compliance Document Centre, giving school DPOs all the pre-filled technical answers required to complete an internal Data Protection Impact Assessment in minutes.
