Security & Compliance

The ManageBac+ Team

Data Security and Regulatory Compliance

This page outlines how ManageBac+ approaches data security, privacy, and regulatory compliance. It summarises the standards, safeguards, and policies used to protect customer data across our systems.

ManageBac+ is committed to keeping your data safe and secure through recognised standards, strong internal controls, and secure infrastructure.

This article provides an overview of our security framework, compliance certifications, data protection approach, and continuity planning for schools and organisations using ManageBac+.

Overview

ManageBac+ applies industry best practices to protect customer data in transit, at rest, and across internal systems. Our security model includes recognised compliance standards, encrypted communications, controlled access to production data, and policies designed to support privacy obligations in the countries where we operate.

We also maintain business continuity and disaster recovery planning to support resilience and service continuity in the event of disruption.

Key Concepts

ISO/IEC 27001:2022 Compliance

ISO 27001 is a widely recognised information security management standard used by organisations to protect data assets. The ISO/IEC 27001:2022 Information Security Management System of ManageBac+ has been certified by BSI under certificate number IS 664562.

More information about ISO/IEC 27001:2022 and Information Security Management Systems can be found here. Our certificate can be found here.

Data Encryption

All data transmitted between your computer and our systems is encrypted end to end with SSL by default. Uploaded assets and backups are also stored and transmitted using encrypted connections.

Data is never sent in plain text. Communications across our internal network are conducted through a secure private VPN.

PCI DSS Compliance

ManageBac+ does not store credit card information on its servers. Payment information is securely transmitted to Stripe, our PCI-compliant payment gateway, which handles transactions.

Because sensitive payment information must be handled securely before transmission to Stripe, ManageBac+ is also compliant with the PCI Data Security Standard. Our certification can be found here.

Legal, Privacy, and Data Protection

Data processed through ManageBac+ must comply with the laws of the countries where services are provided. To support this, data is securely hosted on servers located in Canada and managed in line with PIPEDA. Our terms of service and privacy policies can be found here.

ManageBac+ is compliant with GDPR. Further information about our GDPR-related policies is available here.

For schools in China, ManageBac+ complies with the Chinese Cybersecurity Law, including the Provisions on the Cyber Protection of Children’s Personal Information, which can be found here. Chinese schools use a .cn domain and their data is hosted within China. We also hold ICP 17051512.

We also comply with applicable data protection policies in other countries where we operate, including:

  • Canada
  • Germany
  • The United Kingdom
  • The United States of America

An analysis of some of these policies can be found here.

Security Policy

Our internal security policies are governed under ISO 27001. Key measures include:

  • Carefully controlled and limited access to production data
  • Monitored and controlled physical access to laptops and servers
  • High password security standards
  • Malware scanning and centralised management for devices accessing our systems
  • Required annual security training for all users
  • A Security Incident Response Team on 24/7 standby that meets weekly to review security posture
  • Ongoing monitoring of new threats, reported breaches, and vulnerabilities to assess potential operational impact

Business Continuity and Disaster Recovery

We have conducted a comprehensive analysis of risks to the business and maintain both a Business Continuity Plan and a Disaster Recovery Plan. Our applications and data are supported by warm standby environments in backup data centres.

As a remote-first organisation, our workforce is able to operate from alternate locations if needed. In the event of a natural disaster or serious network issue, this supports a rapid resumption of operations.

Warnings & Important Notes

ManageBac+ does not store credit card information on its own servers. Payment processing is handled through Stripe, our PCI-compliant payment gateway.

Data hosting arrangements may vary by region. For example, Chinese schools use a .cn domain and their data is hosted within China to support local compliance requirements.

If your school requires additional information about our security and compliance policies for internal review, please contact us for a briefing under NDA at security@managebac.com.

In Summary

  • ManageBac+ maintains recognised security and compliance standards, including ISO/IEC 27001:2022 and PCI DSS compliance.
  • Customer data is protected through encryption, controlled access, regional privacy compliance, and ongoing security monitoring.
  • Business continuity and disaster recovery planning are in place to support service resilience and operational continuity.

These measures reflect the ongoing commitment of ManageBac+ to keeping customer data secure and compliant.
