Arbor Education Partners Ltd.

Arbor Management Information System for Secondary Schools

Arbor MIS is the hassle-free way for schools to get work done. With Arbor you can easily manage your secondary school's essential daily admin, record important student information, create intuitive reports and act on everything important, fast - so you and your staff can focus on what matters most.


  • Statutory records and reporting for primaries, secondaries, and special schools
  • Progress Tracking: formative tracking and summative reporting against any curriculum
  • Parent/Student Portals: real-time views of performance, homework, attendance & more
  • SMS, App, letters and Email: personalise templates and automate communications
  • Classroom Management: create flexible seating plans, manage behaviour, and more
  • Behaviour: Record, reward and report on behaviour
  • Interventions: linked to performance, so that impact can be tracked
  • Examinations: Fully compliant exam management that automates repetitive tasks
  • Extra-curricular: Easily schedule activities & link to consents and payments
  • Group Analytics and MIS: take action across a group


  • Track behaviour, attendance, progress & more from one integrated platform
  • Get simple, smart, at-a-glance overviews of key performance measures
  • Codify school policies and help teachers apply them consistently
  • 77% of users report that Arbor saves them time
  • 82% agree Arbor improved how their school works and performs
  • 73% of admins improve how they understand and analyse data
  • Automate your tasks and communications using intuitive templates
  • Improve behaviour with better monitoring and communication
  • Improve parental engagement with online portals and the Arbor App
  • Group MIS allows remote leadership to view performance and act


£1,500 to £25,000 a unit a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

3 4 6 6 4 7 6 8 2 6 0 7 8 4 4


Arbor Education Partners Ltd. Phillippa De'Ath
Telephone: 0208 050 1028

Service scope

Software add-on or extension
Cloud deployment model
  • Public cloud
  • Private cloud
Service constraints
We recommend users to work in the Chrome browser, with a minimum internet bandwidth of 2MB, but there are no known hardware constraints.
System requirements
  • Recommended browser: Chrome
  • Recommended internet bandwidth: 2MB

User support

Email or online ticketing support
Email or online ticketing
Support response times
We aim to respond to users as quickly as possible when queries come in. Our email and phone lines are staffed 8-5, Monday-Friday by a team of experienced analysts.

Our Service Level Agreement (the maximum time we would ever expect to take) for responding to urgent queries is 1 working hour, rising to 24 for low priority queries.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
WCAG 2.1 A
Web chat accessibility testing
We have a dedicated engineering team that works specifically on front-end user experience and managing our accessibility of Arbor for our users, including the support areas of the site. They have tested a number of assistive technologies with the site over the past year of development such as keyboard controls and colourblind browser settings.
Onsite support
Onsite support
Support levels
All schools have a named technical analyst to support their migration, training and needs at key points through the year e.g. Census. The analyst will work with the school Arbor champions on training and set up, with a dedicated call every week for 30 minutes during implementation, in addition to the usual email and phone support. This cost is included in the licence fee.

More complex deployments will be appointed a Project Manager to work with senior stakeholders on strategic planning, training delivery and integrations with third parties. This service begins at £2,500.

Further in person training can be provided for up to £650 per day. Further training and options are outlined in our Pricing document.
Support available to third parties

Onboarding and offboarding

Getting started
When schools sign up to Arbor, they’ll be scheduled to meet their Customer Success Manager (CSM) via web conference to plan their data migration, training and implementation. Data migration instructions will be sent to the school depending on their current MIS, usually on a Friday afternoon following final registration. Pre-Launch webinar training will be provided.

Thereafter, for the first term there will be weekly CSM calls to provide a review of the project status, implementation and answer any questions. Paid for on site training is usually provided once users have got going, for more detailed system areas such as custom report building, progress tracking or trust-wide administration.

All help documentation can be accessed online via the application, and is searchable without logging in to Arbor. Documentation includes videos, product gifs and written instructions.
Service documentation
Documentation formats
  • PDF
  • Other
Other documentation formats
  • Searchable Help Centre website
  • Video introductions & guides
  • Live webinars with a library of prior webinars
  • In-app walkthroughs and information
End-of-contract data extraction
Data processed in Arbor will always be owned by the school. Data can be removed from Arbor in the following ways:

• As reports using the Custom Report Writer which can then be exported in Excel, CSV, PDF, Word or XML.
• As Common Transfer Files (CTFs) containing all basic student data.
• As downloaded files that match their upload format e.g. pictures added to profiles, PDFs added to medical records.
• Through an Arbor Standard Migration Export, which exports all essential data in .csv format.
• Using Arbor’s full open RESTful API, all fields in Arbor can be exported to another MIS or similar application - full detail of the Arbor API can be found at
End-of-contract process
The Arbor standard license agreement covers support, hosting, upgrades, maintenance, and software license for the selected tier of MIS. It is a rolling 12 month contract.

Should the institution wish to fully terminate their service after the Initial Licence Period for that service, including the deletion of all historic data processed by the service, free or otherwise, it must give 30 days’ notice in writing to Arbor’s registered address that complete deletion of data is required. There will then be a 60 day countdown period during which time the institution can extract their data, before the MIS is switched off.

Access to an Arbor site will cease on the contract end date. After the contract end date we are no longer the appointed Data Processor, and in line with the General Data Protection Regulation (EU) 2016/679, the data will be permanently deleted after 30 days.

If the institution have not extracted their data after the contract end date, they can request access to export their data for a further 48 hours. This is possible up to 30 days after the end date, after which time data is permanently deleted. There is an administration fee of £500 (+VAT) for this extension.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
The Arbor Parent App allows parents to access their Parent Portal on Android or iOS, so they can make payments, receive notifications from the school, arrange clubs, trips and parents evenings, update their children's data, and more.

The Arbor app for iPad is free to download from the Apple App Store. The mobile App allows teachers to view class information, take the register, view a student profile or their calendar.

You can also access the full Arbor MIS from a phone or tablet browser, just as you would on your computer.
Service interface
Description of service interface
Our user interface is clear and accessible, with colour coding and all displays carefully considered to ensure a consistent user experience across the site. Graphs, callouts, and slideovers break up the screen to introduce significant information in engaging ways, according to a standard set of design guidelines.

By creating a consistent and attractive user experience, we can guarantee the meaning of each component is clear and memorable. Experienced users can guess how to find and use data on any page, even if they have not been to that particular area of the site before.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
Arbor is used by over 80 special and alternative provision schools across the country, and by students, parents, and staff experiencing a range of special needs and disabilities. We regularly collect feedback from all users, including schools and users with additional needs. Accordingly, our interface is customisable through browser-based accessibility controls. We recommend Google Chrome for the best range of accessibility controls and plugins, such as their high contrast, colourblind, and greyscale modes.
What users can and can't do using the API
Arbor's full REST and GraphQL APIs allow you to integrate your app and reach our entire network of schools with your product or service. Integrating with Arbor is completely free, and we provide full developer documentation and Software Developer Kits to help you get started. Once we’ve vetted an app, they can become an Arbor approved partner. We can migrate app data from a previous MIS to sync with Arbor, maintaining historic data records.

The Developer Portal is the first place to find answers to technical queries relating to Arbor’s open, REST and GraphQL APIs. We also partner with Wonde, Groupcall and Zinet to maintain a simpler interface to the API to allow app developers to read and write to the Arbor database.

There are no operating system or database constraints, but Arbor reserves the right to rescind access by third parties if the API is misused. Access to the API is granted by school administrators only; no third party will be able to access a school's Arbor-stored data unless we have been given the explicit, written consent of the data controller in that school.
API documentation
API documentation formats
Open API (also known as Swagger)
API sandbox or test environment
Customisation available
Description of customisation
Arbor is a highly customisable system which will be set up to match school priorities. During implementation, we will work with you on each of our customisable features to make sure their languages and processes work best for you and your goals. Schools using our Core MIS will also be able to have any modules from our higher value packages in their system for a set fee, allowing them to mix and match the right MIS for them.

Workflows: customisable for behaviour, progress tracking and intervention management

Curriculum: any curriculum can be imported and tracked against

Assessment frameworks: can be set up in limitless ways

Custom Report builder: any data fields can be pulled into custom reports that can be read within the application or exported to Excel, Word, Google Docs, XML or Excel/GDoc live feed.

Users can customise based on role: usually school administrators will set up and push out workflows or assessment features to their own schools.


Independence of resources
1. Architecture is housed in a private firewalled network, within which we operate a strict single-tenanted database model.

2. Dynamically-sized worker pool
Amazon EC2 instance optimised for high memory and data storage.

3. Massively Parallel Analytics Engine
The dynamic worker pool is combined with a job server to allow large, complex querying of datasets, with results returned in real-time.

4. Dynamically-sized web instance pool
Amazon instance optimised for high CPU power analytics.

5.Elastic load balancer
Uses Amazon’s Elastic Load Balancer to reroute traffic across multiple instances.


Service usage metrics
Metrics types
Feature usage:
- Monitored by Arbor support analysts to evaluate training needs.
- Monitored by Product Managers to identify feature adoption issues and to improve usability.

Guardian usage:
- Adoption metrics are available to Arbor school administrators to identify engaged parents and to automate follow ups to those who have not used the system.

Staff usage:
- The 'Users and Security' feature shows MIS login history in the past thirty days, the last login date of each user, and the access permissions users have.
- Each staff page has a 'System Engagement' section that shows their individual service usage.
Reporting types
  • Real-time dashboards
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with another standard
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Data can be exported from Arbor as:
• CTF (common transfer files)
• XML (e.g. for Census)
• Excel
• Word
• .csv
• via the API
• as pre-built extracts (e.g. for London Grid for Learning)

All of our features have suggested exports designed around their function; for example, a student's full record can be downloaded as a PDF from a single button on their profile page.
Data export formats
  • CSV
  • Other
Other data export formats
  • Excel
  • CTF
  • ATF
  • Read from the Arbor API
Data import formats
  • CSV
  • Other
Other data import formats
  • CTF
  • ATF
  • Excel
  • XML
  • Write back to the Arbor API

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
From our standard terms and conditions:

We will use our reasonable endeavours to maximise uptime, and ensure that the System is available least 99% of the time during each year, excluding (i) any of our or our subcontractors' maintenance downtime, (ii) a failure between the Institution's computer(s) and the internet; (iii) factors outside of our reasonable control; (iv) the Institution's action or inaction, or any action or inaction of the Users or the Institution's other suppliers.

No refunds are provided if this level is not met.
Approach to resilience
Our datacentre, hosted by Amazon Web Services in London, is resilient and certified ISO 27001, ISO 27017 and ISO 27018 compliant.

Architecture is housed in a private firewalled network to reduce external access and increase security. Instances are recycled daily to reduce the risk of data being compromised; servers are patched continuously to reduce security vulnerabilities.

Further information is available on request.
Outage reporting
By email alerts to Arbor users.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
System Access: Access is granted to various business systems based on defined Access Control Policy. We conduct regular Access Control reviews. We maintain a test/demo system that minimises the need for support access to production systems.

Server Access: We adopt a Development and Cryptographic Policy which restricts server access to production servers only to DevOps engineers, using SSH keys managed via an LDAP server which are additionally password protected.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
The certification covers all Arbor services and locations. It is renewed annually.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • IASME & Cyber Essentials
  • DfE Cloud Suppliers Checklist

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
• IASME & Cyber Essentials certification
• DfE Cloud Suppliers Checklist
Information security policies and processes
Arbor protects the data we store with a comprehensive Information Security Management System, audited annually for our ISO27001 certification. This system is governed by an Information Security Management Committee consisting of senior management across various business areas.

Arbor senior management actively supports information security within the organisation through clear direction, demonstrated commitment, and acknowledgment of information security responsibilities. The committee is ultimately responsible for:
•Reviewing and approving information security policy and objectives
•Providing clear direction and visible management support for security initiatives
•Providing the resources needed for information security
•Initiating programmes to maintain information security awareness
•Adopting a best-practice approach to information risk management and ensuring implementation of appropriate information security controls
•Promoting the regular review and continual improvement of information security

Physical security is maintained by formal inspections, risk assessments, and access control at every Arbor office. Access to Arbor locations is restricted with secure keys, CCTV, 24/7 security personnel and secure perimeter doors.

Data security is maintained by our staff’s awareness training, personal vigilance, and a number of digital safeguards including regular password changes and two-factor authentication. Data is stored centrally rather than on any one device, making it easy to give and revoke permissions to different users.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All systems are configured using SaltStack. No changes are ever made to live server configurations (we operate with immutable servers). Salt allows us to define the end state of the system declaratively in salt state files which are version controlled. This means that any changes to the configuration of servers leave an audit trail. It also means that all configuration can be tested in our staging environment and repeated deterministically. All changes are assessed by the Head of Technical Security Operations before being approved.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Assessing: We run a monthly Security Committee to assess potential threats to our services. In addition, there is a quarterly Management Information Security Review to ensure effectiveness of the information security management system. A dedicated DevOps team subscribes to relevant security briefings and assesses the risk on a daily basis. We commission external penetration tests at least once per year.

Patching: All systems are configured to download and install security updates nightly, and the installed updates are checked via a centralized log.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Monitoring: All changes to any data records are kept in an Audit Log. All errors are logged to a centralized error reporting system and investigated by relevant engineering teams. All user activity, page requests, system and server logs are aggregated in a centralized log. All services are continually monitored into a centralized system.

Identification: Automatic alerts are sent to DevOps/engineers whenever breaches/errors are identified.

Response: Incidents are assessed and classified. Serious incidents are reported to the CTO and our Incident Response Policy is followed to completion (48 hours). Minor incidents are resolved by individual teams (14 days).
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
The security incident response plan aligns with the SANS Identification step and is about making use of a robust detection and reporting capability. Early visibility of incidents facilitates quick decision making and rapid action. Potential security incidents can be detected and reported from a number of different sources, such as:
Arbor employees.
Arbor customers.
Arbor business partners.
Other external sources such as Law Enforcement Agencies.
System logs.
For non-system reportingArbor colleagues or business partners can telephone0207 043 0470or email and report a perceived security event or security weakness.

Security related incidents are centrally recorded using an Incident Log.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£1,500 to £25,000 a unit a year
Discount for educational organisations
Free trial available
Description of free trial
Our Insight dashboard offers free analytics for all schools and groups for an unlimited period.

We also offer free trials of MIS for new schools getting set up, usually for 6 months.
Link to free trial

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.