Do You Have the Security in SpeedAdmin Covered?

With SpeedAdmin, your data and daily operations are protected by modern SaaS security standards — from encrypted data to secure hosting and continuous monitoring.

Security is a core part of our product, and we work continuously with:

• Thorough internal procedures
• Strict security policies
• Professional partners
• Ongoing monitoring
• Annual external IT audits

Every year, SpeedAdmin undergoes an independent review that results in an ISA-3000 certification — a strong quality stamp for our security work. Both latest Annual Assurance Report and SpeedAdmin IT Security Policy can be found under Support -> Files

A shared responsibility: Data Controller vs. Data Processor

A quick reminder on roles:

Your organisation is the Data Controller — you decide what data to collect, who should have access, how long data is stored, and how the system is used in practice.

SpeedAdmin is the Data Processor — we ensure that the platform is secure, encrypted, stable, and compliant with modern SaaS standards, and that data is processed according to your instructions.

This is why reviewing permissions, tightening your login setup, and evaluating what data you collect is essential — these are part of the controller’s responsibility and cannot be fully automated by the system.

But security is still a shared task, and as a superuser, you play an important role in keeping your organisation protected.

To help you stay secure, we recommend reviewing your setup at least once a year. Here’s how to get started:

1️⃣ Login & Password Policy

Start by reviewing how your users log in. Do users with access to personal data have MFA or SSO/IDP enabled?

Especially for SuperUsers, administrators, finance staff, and teachers who handle pupil data — the more access a role has, the higher the login security should be.
‍

🔒 What is MFA (Multi-Factor Authentication)?

MFA means you need more than one piece of proof to log in:

1. Something you know – a password
2. Something you have – a code from an app or SMS
3. Something you are – fingerprint or face recognition

Even if a password is stolen, MFA blocks unauthorized users. It is one of the simplest and strongest ways to protect your account.

‍

🔑 What is SSO via an IDP (Single Sign-On with an Identity Provider)?

SSO allows users to log in once and then access all approved systems without entering their password again.

An IDP (Identity Provider) — such as Microsoft Entra ID, Google Workspace and similar services — handles authentication securely.

Once a user is verified, access is granted to SpeedAdmin and other tools.

Benefits:

• Fewer passwords to manage
• Lower risk of errors or misuse
• A smoother and more secure login experience

SpeedAdmin recommends MFA or SSO/IDP for superusers and for teachers who access personal data. Both is an add-on and can be ordered by your Account Manager (thomas@speedadmin.com)
‍

🔐 Is your password policy strong enough?

For parents, students, and some teachers with limited access, Username/Password might be sufficient — if your password policy is strong enough.

A password policy controls:

• Required length
• Character rules
• Password age
• Re-use (history)
• Failed login attempts

Below are the currently available password policy levels in SpeedAdmin:

Recommendation:

Make sure your password policy matches how much data each user group can access.

If you’d like to update the policy for a user group, just reach out to our support team with the user group name (User, Teacher, Parent, Student) and the policy you want to use.

‍

2️⃣ Rights & Roles

Even with MFA and SSO in place, it is essential to review who has access to what inside SpeedAdmin — especially teachers who work with sensitive student information.

Why this matters:
‍

1. GDPR requires it

Data must only be accessed by people who need it to perform their tasks (the “data minimisation” principle).

This means:

• Access must be relevant and necessary
• Access must be reviewed regularly — not just once
• Old or unnecessary permissions must be removed
  
• You should be able to document:
  
  • Why the user needs the data
  • For which task
  • For how long

If a user has access they no longer need, the organisation is not compliant — even if nothing has gone wrong.
‍

2. Schools change, so must permissions

Teachers move groups, staff changes, substitutes come and go.

Unless access is adjusted, users can end up seeing data they no longer need.

🔒 How SpeedAdmin helps

SpeedAdmin offers User Access Control (UAC):

• Teachers only see data for students they teach or are assigned to
• SuperUsers override UAC because they need full access
• Permissions can be adjusted per role and responsibility

If teachers can see students they do not teach, UAC is not active in your database. To enable it, simply contact Support and let us know if any rights groups besides SuperUsers should have the “Overwrite UAC” permission.

‍

3️⃣ Data Collection During Registration

Take a moment to evaluate the information you collect from parents and students:

• Is every field really necessary?
• Could some fields be optional — or removed?
• Do different types of teaching require different data?

This is also the right time to verify that your Terms & Conditions and GDPR statements are up to date.
‍

🧭 A Few More Things to Keep in Mind

• Check in with your local IT or Data Protection Officer — local rules may apply
• Review user accounts and remove access for former employees
• Make sure your internal backup/export/archiving routines still fit your policies
  ‍

Security is a journey — not a one-time setup.

👉 Take one hour this month to review your settings — and you’ll have your SpeedAdmin environment secured for another year.

SpeedAdmin Security Checklist

‍

‍

‍