iSAMS
Round 1 · Privacy Triage · VettED Privacy Triage (Avenues-derived) — Round 1 · assessed
🟠 Insufficient — Request Data-Processing Agreement
Privacy score 22.2% · band Poor
This reads as a general website privacy policy, not a data-processing agreement: 14 of 18 questions are simply not addressed. That's a wrong-document signal, not a vendor judgment — the 22.2% reflects silence, not bad practice. Enterprise vendors' real assurance lives in their DPA, a security cert (e.g. ISO 27001), or a completed questionnaire. Request those and assess in Round 2.
Unaddressed gate(s): Q1, Q5, Q8, Q11, Q12, Q13, Q16 — not covered by the public policy. Confirm before relying on this.
Dimension scorecard
| Dimension | Score | |
|---|
| Data Collection GATE ⚠ |
| 0.0% |
| Data Sharing GATE ⚠ |
| 50.0% |
| Data Sold GATE |
| 100.0% |
| Data Rights GATE ⚠ |
| 33.3% |
| Data Safety GATE ⚠ |
| 0.0% |
| Ads & Tracking GATE ⚠ |
| 0.0% |
| Parental Consent |
| 0.0% |
| School Purpose |
| 0.0% |
| AI & Model-Training GATE ⚠ |
| 0.0% |
| Jurisdiction & Residency |
| 100.0% |
Findings — 18 questions, every answer cited
Data Collection
Q1Does the vendor limit collection/use of information to only data required for the product? GATE
? Not addressed
T0
Answer: Unclear
Policy does not explicitly state whether collection is limited to data required for the product.
Q2Does the vendor collect PII beyond what's necessary for the stated educational purpose?
? Not addressed
T0
Answer: Unclear
Policy does not address whether PII beyond educational purpose is collected.
Q3Is any image of the user collected?
? Not addressed
T0
Answer: Unclear
Policy does not mention collection of user images.
Q4Does the vendor collect precise geolocation data?
? Not addressed
T0
Answer: Unclear
Policy mentions geographic location from IP address but does not explicitly address precise geolocation data collection.
Data Sharing
Q5Does the vendor limit data sharing with third parties to the purpose for which it was collected? GATE
? Not addressed
T0
Answer: Unclear
Policy does not explicitly state whether data sharing with third parties is limited to the original purpose.
Q6Does the vendor impose contractual limits on how third parties use shared personal information? GATE
✓ Good
T3
Answer: Yes
“iSAMS Ltd. uses the following processors and is satisfied that they meet the obligations required by iSAMS Ltd. and the GDPR.”
Policy states processors meet GDPR obligations, implying contractual limits.
Data Sold
Q7Does the vendor sell or rent users' personal information to third parties? GATE
✓ Good
T3
Answer: No
“We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so.”
Data Rights
Q8Do the student / educator / parent / school retain ownership of data and IP of uploaded content? GATE
? Not addressed
T0
Answer: Unclear
Policy does not address ownership of uploaded content or IP.
Q9Can the user delete all of their PII and personal information from the vendor?
✓ Good
T3
Answer: Yes
“Your personal information will be deleted on one of the following occurrences: deletion of your personal information by you (or by another person engaged by the Customer); or receipt of a written request by you (or another person engaged by the Customer) to us.”
Q10Does the vendor auto-delete data after a defined period of inactivity (data sunset)?
? Not addressed
T0
Answer: Unclear
Policy does not mention auto-deletion or data sunset after inactivity.
Data Safety
Q11Can students contact or interact with UNKNOWN users (strangers / the general public) in environments NOT supervised by a teacher or school? (Teacher-managed or within-class interaction, and content-only sharing, do NOT count.) GATE
? Not addressed
T0
Answer: Unclear
Policy does not address student interaction with unknown users or public contact features.
Ads & Tracking
Q12Does the vendor display behavioral or targeted advertising to students inside the product? (Sending product/marketing emails to account holders does NOT count.) GATE
? Not addressed
T0
Answer: Unclear
Policy does not address behavioral or targeted advertising to students.
Q13Does the vendor share students' personal information with third parties for third-party advertising or ad-targeting? GATE
? Not addressed
T0
Answer: Unclear
Policy does not address sharing student information with third parties for ad-targeting.
Parental Consent
Q14Does the vendor limit collection for children aged 13 or under, or require parental/school consent?
? Not addressed
T0
Answer: Unclear
Policy does not mention special collection limits for children under 13 or parental/school consent requirements.
School Purpose
Q15Does the vendor state the product is intended for students in preschool or preK-12?
? Not addressed
T0
Answer: Unclear
Policy does not state the product is intended for preschool or preK-12 students.
AI & Model-Training
Q16Does the vendor use student/user data — including uploaded content — to train, fine-tune, or improve AI/ML models? GATE
? Not addressed
T0
Answer: Unclear
Policy does not address use of student/user data to train or improve AI/ML models.
Q17Does the vendor disclose which AI sub-processors/models power its features and any automated decisions affecting students?
? Not addressed
T0
Answer: Unclear
Policy does not disclose AI sub-processors or models powering features.
Jurisdiction & Residency
Q18Does the vendor disclose where data is stored and which privacy regimes it complies with?
✓ Good
T3
Answer: Yes
“iSAMS Ltd. uses the following processors and is satisfied that they meet the obligations required by iSAMS Ltd. and the GDPR. Service providers that store and process personal customer data for iSAMS Ltd where iSAMS Ltd acts as the data controller: [Azure, Zendesk, Gainsight, SendGrid, Campaign Monitor listed for client data processing]”
Policy names GDPR compliance and lists processors; Azure is mentioned for hosting service.
Jurisdiction & residency — Nord Anglia footprint
Vendor named 0 of 11 Nord Anglia countries. Shown alongside the verdict, not folded into the score —
a vendor can be strong on privacy yet leave residency gaps for specific countries.
“iSAMS Ltd. uses the following processors and is satisfied that they meet the obligations required by iSAMS Ltd. and the GDPR.”
| Country | Privacy law | Coverage |
|---|
| MexicoLatAm | LFPDPPP | ⚠ Gap |
| Costa RicaLatAm | Law 8968 | ⚠ Gap |
| PanamaLatAm | Law 81/2019 | ⚠ Gap |
| Dominican RepublicLatAm | Law 172-13 | ⚠ Gap |
| BrazilLatAm | LGPD | ⚠ Gap |
| ColombiaLatAm | Ley 1581/2012 | ⚠ Gap |
| EcuadorLatAm | LOPDP (2021) | ⚠ Gap |
| PeruLatAm | Law 29733 | ⚠ Gap |
| ChileLatAm | Law 21.719 | ⚠ Gap |
| UruguayLatAm | Law 18.331 | ⚠ Gap |
| United States | FERPA / COPPA | ⚠ Gap |
| GDPR (overlay) | Nord Anglia is UK-headquartered, global | ✓ Named |