Arbor Group Management Information System for MATs and LAs
Arbor's simple, smart, cloud-based Management Information System (MIS) allows groups of schools, from primary to colleges, to manage all their student data. Fully supporting all statutory compliance, Arbor centralises all education data and processes to help manage a MAT or Local Authority more effectively, all from one system.
- Group-wide live performance dashboards for Trust or group leaders
- Centralised workflow for HR and Education administration
- Powerful custom reporting to support bespoke analysis
- All the power of Arbor MIS from the classroom up
- A live companion product for your schools' Arbor MIS
- Deeper licensing discounts for larger groups of schools
- Export data to different formats or live-link to Microsoft/Google programs
- Track attendance, behaviour, and progress in a single, integrated platform
- View and act on school performance from your central team
- Ensure quality assurance across your schools with live dashboards
- Uncover and understand trends by digging deeper into data
- Support your Trust's growth with consistent workflows and bespoke reporting
- Reduce school level admin burdens by remotely accessing their MIS
- Communicate better across your Trust by standardising your systems
|Software add-on or extension||No|
|Cloud deployment model||Private cloud|
|Service constraints||We recommend users to work in the Chrome browser, with a minimum internet bandwidth of 2MB, but there are no known hardware constraints.|
|Email or online ticketing support||Email or online ticketing|
|Support response times||
We aim to respond to users as quickly as possible when queries come in. Our email and phone lines are staffed 8-5, Monday-Friday by a team of experienced analysts.
Our Service Level Agreement (the maximum time we would ever expect to take) for responding to urgent queries is 1 working hour, rising to 24 for low priority queries.
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Onsite support|
All schools have a named technical analyst to support their migration, training and needs at key points through the year e.g. Census. The analyst will work with the school Arbor champions on training and set up, with a dedicated call every week for 30 minutes to run through updates, in addition to the usual email and phone support. This cost is included in the licence fee.
More complex deployments will be appointed a Project Manager to work with senior stakeholders on strategic planning, training delivery and integrations with third parties. This service begins at £2,500.
Further in person training can be provided for up to £650 per day. Further training and options are outlined in our Pricing document.
|Support available to third parties||Yes|
Onboarding and offboarding
When schools sign up to Arbor, they’ll be scheduled to meet their Customer Success Manager (CSM) via web conference to plan their data migration, training and implementation. Data migration instructions will be sent to the school depending on their current MIS, usually on a Friday afternoon following final registration. Pre-Launch webinar training will be provided.
Thereafter, for the first term there will be weekly CSM calls to provide a review of the project status, implementation and answer any questions. Paid for on site training is usually provided once users have got going, for more detailed system areas such as custom report building, progress tracking or trust-wide administration.
All help documentation can be accessed online via the application, and is searchable without logging in to Arbor. Documentation includes videos, product gifs and written instructions.
|Other documentation formats||
|End-of-contract data extraction||
Data processed in Arbor will always be owned by the school. Data can be removed from Arbor in the following ways:
• As reports using the Custom Report Writer which can then be exported in Excel, CSV, PDF, Word or XML.
• As Common Transfer Files (CTFs) containing all basic student data.
• As downloaded files that match their upload format e.g. pictures added to profiles, PDFs added to medical records.
• Through an Arbor Standard Migration Export, which exports all essential data in .csv format.
• Using Arbor’s full open RESTful API, all fields in Arbor can be exported to another MIS or similar application - full detail of the Arbor API can be found at https://developers.arbor-education.com.
The Arbor standard license agreement covers support, hosting, upgrades, maintenance, and software license for the selected tier of MIS. It is a rolling 12 month contract.
Should the institution wish to fully terminate their service after the Initial Licence Period for that service, including the deletion of all historic data processed by the service, free or otherwise, it must give 30 days’ notice in writing to Arbor’s registered address that complete deletion of data is required. There will then be a 60 day countdown period during which time the institution can extract their data, before the MIS is switched off.
Access to an Arbor site will cease on the contract end date. After the contract end date we are no longer the appointed Data Processor, and in line with the General Data Protection Regulation (EU) 2016/679, the data will be permanently deleted after 30 days.
If the institution have not extracted their data after the contract end date, they can request access to export their data for a further 48 hours. This is possible up to 30 days after the end date, after which time data is permanently deleted. There is an administration fee of £500 (+VAT) for this extension.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||
The Arbor app for iPad is free to download from the Apple App Store. The mobile App allows teachers to take the register, view a student profile or their calendar. More apps are in our development pipeline.
You can also access the full Arbor MIS from a phone or tablet browser, just as you would on your computer.
|Description of service interface||
Our user interface for both School and Group MIS is clear and accessible, with colour coding and all displays carefully considered to ensure a consistent user experience across the sites. Graphs, callouts, and slideovers break up the screen to introduce significant information in engaging ways, according to a standard set of design guidelines.
By creating a consistent and attractive user experience, we can guarantee the meaning of each component is clear and memorable. Experienced users can guess how to find and use data on any page, even if they have not been to that particular area of the site before.
|Accessibility standards||WCAG 2.1 AA or EN 301 549|
|Accessibility testing||Arbor is used by over 80 special and alternative provision schools across the country, and by students, parents, and staff experiencing a range of special needs and disabilities. We regularly collect feedback from all users, including schools and users with additional needs. Accordingly, our interface is customisable through browser-based accessibility controls. We recommend Google Chrome for the best range of accessibility controls and plugins, such as their high contrast, colourblind, and greyscale modes.|
|What users can and can't do using the API||
Arbor's full REST and GraphQL APIs allow you to integrate your app and reach our entire network of schools with your product or service. Integrating with Arbor is completely free, and we provide full developer documentation and Software Developer Kits to help you get started. Once we’ve vetted an app, they can become an Arbor approved partner. We can migrate app data from a previous MIS to sync with Arbor, maintaining historic data records.
The Developer Portal is the first place to find answers to technical queries relating to Arbor’s open, REST and GraphQL APIs. We also partner with Wonde, Groupcall and Zinet to maintain a simpler interface to the API to allow app developers to read and write to the Arbor database.
There are no operating system or database constraints, but Arbor reserves the right to rescind access by third parties if the API is misused. Access to the API is granted by school administrators only; no third party will be able to access a school's Arbor-stored data unless we have been given the explicit, written consent of the data controller in that school.
|API documentation formats||Open API (also known as Swagger)|
|API sandbox or test environment||Yes|
|Description of customisation||
Arbor is a highly customisable system which will be set up to match school and MAT priorities. During implementation, we will work with you on each of our customisable features to make sure their languages and processes work best for you and your goals. Schools using our Core MIS will also be able to have any modules from our higher value packages in their system for a set fee, allowing them to mix and match the right MIS for them.
Group-school relationship: different data sharing agreements can be chosen; viewing live Insight data only, viewing live Insight and MIS data, or having live access to view Insight and MIS data and login to a school MIS.
Workflows: customisable for behaviour, progress tracking and intervention management.
Curriculum: any curriculum can be imported and tracked against.
Assessment frameworks: can be set up in limitless ways.
Custom Report builder: any data fields can be pulled into custom reports that can be read within the application or exported to Excel, Word, Google Docs, XML or Excel/GDoc live feed.
Users can customise based on role: usually school administrators will set up and push out workflows or assessment features to their own schools.
|Independence of resources||
1. Architecture is housed in a private firewalled network, within which we operate a strict single-tenanted database model.
2. Dynamically-sized worker pool
Amazon EC2 instance optimised for high memory and data storage.
3. Massively Parallel Analytics Engine
The dynamic worker pool is combined with a job server to allow large, complex querying of datasets, with results returned in real-time.
4. Dynamically-sized web instance pool
Amazon instance optimised for high CPU power analytics.
5. Elastic load balancer
Uses Amazon’s Elastic Load Balancer to reroute traffic across multiple instances.
|Service usage metrics||Yes|
- Monitored by Arbor support analysts to evaluate training needs.
- Monitored by Product Managers to identify feature adoption issues and to improve usability.
- Adoption metrics are available to Arbor school administrators to identify engaged parents and to automate follow ups to those who have not used the system.
- The 'Users and Security' feature shows MIS login history in the past thirty days, the last login date of each user, and the access permissions users have.
- Each staff page has a 'System Engagement' section that shows their individual service usage.
|Supplier type||Not a reseller|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Managed by a third party|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||
|Data sanitisation process||Yes|
|Data sanitisation type||
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||
Data can be exported from Arbor as:
• CTF (common transfer files)
• XML (e.g. for Census)
• via the API
• as pre-built extracts e.g. for London Grid for Learning
All of our features have suggested exports designed around their function; for example, a student's full record can be downloaded as a PDF from a single button on their profile page.
|Data export formats||
|Other data export formats||
|Data import formats||
|Other data import formats||
|Data protection between buyer and supplier networks||
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
From our standard terms and conditions:
We will use our reasonable endeavours to maximise uptime, and ensure that the System is available least 99% of the time during each year, excluding (i) any of our or our subcontractors' maintenance downtime, (ii) a failure between the Institution's computer(s) and the internet; (iii) factors outside of our reasonable control; (iv) the Institution's action or inaction, or any action or inaction of the Users or the Institution's other suppliers.
No refunds are provided if this level is not met.
|Approach to resilience||
Our datacentre, hosted by Amazon Web Services in London, is resilient and certified ISO 27001, ISO 27017 and ISO 27018 compliant.
Architecture is housed in a private firewalled network to reduce external access and increase security. Instances are recycled daily to reduce the risk of data being compromised; servers are patched continuously to reduce security vulnerabilities.
Further information is available on request.
|Outage reporting||By email alerts to Arbor users.|
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||
System Access: Access is granted to various business systems based on defined Access Control Policy. We conduct regular Access Control reviews. We maintain a test/demo system that minimises the need for support access to production systems.
Server Access: We adopt a Development and Cryptographic Policy which restricts server access to production servers only to DevOps engineers, using SSH keys managed via an LDAP server which are additionally password protected.
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||LRQA|
|ISO/IEC 27001 accreditation date||06/04/2017|
|What the ISO/IEC 27001 doesn’t cover||The certification covers all Arbor services and locations in the UK|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||
|Other security governance standards||
• IASME & Cyber Essentials certification
• DfE Cloud Suppliers Checklist
|Information security policies and processes||
Arbor protects the data we store with a comprehensive Information Security Management System, audited annually for our ISO27001 certification. This system is governed by an Information Security Management Committee consisting of senior management across various business areas.
Arbor senior management actively supports information security within the organisation through clear direction, demonstrated commitment, and acknowledgment of information security responsibilities. The committee is ultimately responsible for:
•Reviewing and approving information security policy and objectives
•Providing clear direction and visible management support for security initiatives
•Providing the resources needed for information security
•Initiating programmes to maintain information security awareness
•Adopting a best-practice approach to information risk management and ensuring implementation of appropriate information security controls
•Promoting the regular review and continual improvement of information security
Physical security is maintained by formal inspections, risk assessments, and access control at every Arbor office. Access to Arbor locations is restricted with secure keys, CCTV, 24/7 security personnel and secure perimeter doors.
Data security is maintained by our staff’s awareness training, personal vigilance, and a number of digital safeguards including regular password changes and two-factor authentication. Data is stored centrally rather than on any one device, making it easy to give and revoke permissions to different users.
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||All systems are configured using SaltStack. No changes are ever made to live server configurations (we operate with immutable servers). Salt allows us to define the end state of the system declaratively in salt state files which are version controlled. This means that any changes to the configuration of servers leave an audit trail. It also means that all configuration can be tested in our staging environment and repeated deterministically. All changes are assessed by the Head of Technical Security Operations before being approved.|
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||
Assessing: We run a monthly Security Committee to assess potential threats to our services. In addition, there is a quarterly Management Information Security Review to ensure effectiveness of the information security management system. A dedicated DevOps team subscribes to relevant security briefings and assesses the risk on a daily basis. We commission external penetration tests at least once per year.
Patching: All systems are configured to download and install security updates nightly, and the installed updates are checked via a centralized log.
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
Monitoring: All changes to any data records are kept in an Audit Log. All errors are logged to a centralized error reporting system and investigated by relevant engineering teams. All user activity, page requests, system and server logs are aggregated in a centralized log. All services are continually monitored into a centralized system.
Identification: Automatic alerts are sent to DevOps/engineers whenever breaches/errors are identified.
Response: Incidents are assessed and classified. Serious incidents are reported to the CTO and our Incident Response Policy is followed to completion (48 hours). Minor incidents are resolved by individual teams (14 days).
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||
The security incident response plan aligns with the SANS Identification step and is about making use of a robust detection and reporting capability. Early visibility of incidents facilitates quick decision making and rapid action. Potential security incidents can be detected and reported from a number of different sources, such as:
Arbor business partners.
Other external sources such as Law Enforcement Agencies.
For non-system reportingArbor colleagues or business partners can telephone0207 043 0470or email firstname.lastname@example.org and report a perceived security event or security weakness.
Security related incidents are centrally recorded using an Incident Log.
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£1500 to £15000 per unit per year|
|Discount for educational organisations||Yes|
|Free trial available||Yes|
|Description of free trial||
Our Insight dashboard offers free analytics for all schools and groups for an unlimited period.
We also offer free trials of MIS for new schools getting set up, usually for 6 months.
|Link to free trial||https://login.arbor.sc/|