Arbor Education Partners Ltd.

Arbor Group Management Information System for MATs and LAs

Arbor's simple, smart, cloud-based Management Information System (MIS) allows groups of schools, from primary to colleges, to manage all their student data. Fully supporting all statutory compliance, Arbor centralises all education data and processes to help manage a MAT or Local Authority more effectively, all from one system.


  • Group-wide live performance dashboards for Trust or group leaders
  • Centralised workflow for HR and Education administration
  • Powerful custom reporting to support bespoke analysis
  • All the power of Arbor MIS from the classroom up
  • A live companion product for your schools' Arbor MIS
  • Deeper licensing discounts for larger groups of schools
  • Export data to different formats or live-link to Microsoft/Google programs


  • Track attendance, behaviour, and progress in a single, integrated platform
  • View and act on school performance from your central team
  • Ensure quality assurance across your schools with live dashboards
  • Uncover and understand trends by digging deeper into data
  • Support your Trust's growth with consistent workflows and bespoke reporting
  • Reduce school level admin burdens by remotely accessing their MIS
  • Communicate better across your Trust by standardising your systems


£1500 to £15000 per unit per year

Service documents


G-Cloud 11

Service ID

5 4 7 1 7 7 2 2 2 5 5 4 3 5 5


Arbor Education Partners Ltd.

Phillippa De'Ath


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints We recommend users to work in the Chrome browser, with a minimum internet bandwidth of 2MB, but there are no known hardware constraints.
System requirements
  • Recommended browser: Chrome
  • Recommended internet bandwidth: 2MB

User support

User support
Email or online ticketing support Email or online ticketing
Support response times We aim to respond to users as quickly as possible when queries come in. Our email and phone lines are staffed 8-5, Monday-Friday by a team of experienced analysts.

Our Service Level Agreement (the maximum time we would ever expect to take) for responding to urgent queries is 1 working hour, rising to 24 for low priority queries.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Onsite support
Support levels All schools have a named technical analyst to support their migration, training and needs at key points through the year e.g. Census. The analyst will work with the school Arbor champions on training and set up, with a dedicated call every week for 30 minutes to run through updates, in addition to the usual email and phone support. This cost is included in the licence fee.

More complex deployments will be appointed a Project Manager to work with senior stakeholders on strategic planning, training delivery and integrations with third parties. This service begins at £2,500.

Further in person training can be provided for up to £650 per day. Further training and options are outlined in our Pricing document.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started When schools sign up to Arbor, they’ll be scheduled to meet their Customer Success Manager (CSM) via web conference to plan their data migration, training and implementation. Data migration instructions will be sent to the school depending on their current MIS, usually on a Friday afternoon following final registration. Pre-Launch webinar training will be provided.

Thereafter, for the first term there will be weekly CSM calls to provide a review of the project status, implementation and answer any questions. Paid for on site training is usually provided once users have got going, for more detailed system areas such as custom report building, progress tracking or trust-wide administration.

All help documentation can be accessed online via the application, and is searchable without logging in to Arbor. Documentation includes videos, product gifs and written instructions.
Service documentation Yes
Documentation formats
  • PDF
  • Other
Other documentation formats
  • In-app walkthroughs and information
  • Video introductions & guides
  • Searchable Help Centre website
  • Live webinars with a library of prior webinars
End-of-contract data extraction Data processed in Arbor will always be owned by the school. Data can be removed from Arbor in the following ways:

• As reports using the Custom Report Writer which can then be exported in Excel, CSV, PDF, Word or XML.
• As Common Transfer Files (CTFs) containing all basic student data.
• As downloaded files that match their upload format e.g. pictures added to profiles, PDFs added to medical records.
• Through an Arbor Standard Migration Export, which exports all essential data in .csv format.
• Using Arbor’s full open RESTful API, all fields in Arbor can be exported to another MIS or similar application - full detail of the Arbor API can be found at
End-of-contract process The Arbor standard license agreement covers support, hosting, upgrades, maintenance, and software license for the selected tier of MIS. It is a rolling 12 month contract.

Should the institution wish to fully terminate their service after the Initial Licence Period for that service, including the deletion of all historic data processed by the service, free or otherwise, it must give 30 days’ notice in writing to Arbor’s registered address that complete deletion of data is required. There will then be a 60 day countdown period during which time the institution can extract their data, before the MIS is switched off.

Access to an Arbor site will cease on the contract end date. After the contract end date we are no longer the appointed Data Processor, and in line with the General Data Protection Regulation (EU) 2016/679, the data will be permanently deleted after 30 days.

If the institution have not extracted their data after the contract end date, they can request access to export their data for a further 48 hours. This is possible up to 30 days after the end date, after which time data is permanently deleted. There is an administration fee of £500 (+VAT) for this extension.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The Arbor app for iPad is free to download from the Apple App Store. The mobile App allows teachers to take the register, view a student profile or their calendar. More apps are in our development pipeline.

You can also access the full Arbor MIS from a phone or tablet browser, just as you would on your computer.
Service interface Yes
Description of service interface Our user interface for both School and Group MIS is clear and accessible, with colour coding and all displays carefully considered to ensure a consistent user experience across the sites. Graphs, callouts, and slideovers break up the screen to introduce significant information in engaging ways, according to a standard set of design guidelines.

By creating a consistent and attractive user experience, we can guarantee the meaning of each component is clear and memorable. Experienced users can guess how to find and use data on any page, even if they have not been to that particular area of the site before.
Accessibility standards WCAG 2.1 AA or EN 301 549
Accessibility testing Arbor is used by over 80 special and alternative provision schools across the country, and by students, parents, and staff experiencing a range of special needs and disabilities. We regularly collect feedback from all users, including schools and users with additional needs. Accordingly, our interface is customisable through browser-based accessibility controls. We recommend Google Chrome for the best range of accessibility controls and plugins, such as their high contrast, colourblind, and greyscale modes.
What users can and can't do using the API Arbor's full REST and GraphQL APIs allow you to integrate your app and reach our entire network of schools with your product or service. Integrating with Arbor is completely free, and we provide full developer documentation and Software Developer Kits to help you get started. Once we’ve vetted an app, they can become an Arbor approved partner. We can migrate app data from a previous MIS to sync with Arbor, maintaining historic data records.

The Developer Portal is the first place to find answers to technical queries relating to Arbor’s open, REST and GraphQL APIs. We also partner with Wonde, Groupcall and Zinet to maintain a simpler interface to the API to allow app developers to read and write to the Arbor database.

There are no operating system or database constraints, but Arbor reserves the right to rescind access by third parties if the API is misused. Access to the API is granted by school administrators only; no third party will be able to access a school's Arbor-stored data unless we have been given the explicit, written consent of the data controller in that school.
API documentation Yes
API documentation formats Open API (also known as Swagger)
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Arbor is a highly customisable system which will be set up to match school and MAT priorities. During implementation, we will work with you on each of our customisable features to make sure their languages and processes work best for you and your goals. Schools using our Core MIS will also be able to have any modules from our higher value packages in their system for a set fee, allowing them to mix and match the right MIS for them.

Group-school relationship: different data sharing agreements can be chosen; viewing live Insight data only, viewing live Insight and MIS data, or having live access to view Insight and MIS data and login to a school MIS.

Workflows: customisable for behaviour, progress tracking and intervention management.

Curriculum: any curriculum can be imported and tracked against.

Assessment frameworks: can be set up in limitless ways.

Custom Report builder: any data fields can be pulled into custom reports that can be read within the application or exported to Excel, Word, Google Docs, XML or Excel/GDoc live feed.

Users can customise based on role: usually school administrators will set up and push out workflows or assessment features to their own schools.


Independence of resources 1. Architecture is housed in a private firewalled network, within which we operate a strict single-tenanted database model.

2. Dynamically-sized worker pool
Amazon EC2 instance optimised for high memory and data storage.

3. Massively Parallel Analytics Engine
The dynamic worker pool is combined with a job server to allow large, complex querying of datasets, with results returned in real-time.

4. Dynamically-sized web instance pool
Amazon instance optimised for high CPU power analytics.

5. Elastic load balancer
Uses Amazon’s Elastic Load Balancer to reroute traffic across multiple instances.


Service usage metrics Yes
Metrics types Feature usage:
- Monitored by Arbor support analysts to evaluate training needs.
- Monitored by Product Managers to identify feature adoption issues and to improve usability.

Guardian usage:
- Adoption metrics are available to Arbor school administrators to identify engaged parents and to automate follow ups to those who have not used the system.

Staff usage:
- The 'Users and Security' feature shows MIS login history in the past thirty days, the last login date of each user, and the access permissions users have.
- Each staff page has a 'System Engagement' section that shows their individual service usage.
Reporting types
  • Real-time dashboards
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Data can be exported from Arbor as:
• CTF (common transfer files)
• XML (e.g. for Census)
• Excel
• Word
• .csv
• via the API
• as pre-built extracts e.g. for London Grid for Learning

All of our features have suggested exports designed around their function; for example, a student's full record can be downloaded as a PDF from a single button on their profile page.
Data export formats
  • CSV
  • Other
Other data export formats
  • Excel
  • CTF
  • ATF
  • Read from the Arbor API
Data import formats
  • CSV
  • Other
Other data import formats
  • CTF
  • ATF
  • Excel
  • XML
  • Write back to the Arbor API

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability From our standard terms and conditions:

We will use our reasonable endeavours to maximise uptime, and ensure that the System is available least 99% of the time during each year, excluding (i) any of our or our subcontractors' maintenance downtime, (ii) a failure between the Institution's computer(s) and the internet; (iii) factors outside of our reasonable control; (iv) the Institution's action or inaction, or any action or inaction of the Users or the Institution's other suppliers.

No refunds are provided if this level is not met.
Approach to resilience Our datacentre, hosted by Amazon Web Services in London, is resilient and certified ISO 27001, ISO 27017 and ISO 27018 compliant.

Architecture is housed in a private firewalled network to reduce external access and increase security. Instances are recycled daily to reduce the risk of data being compromised; servers are patched continuously to reduce security vulnerabilities.

Further information is available on request.
Outage reporting By email alerts to Arbor users.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels System Access: Access is granted to various business systems based on defined Access Control Policy. We conduct regular Access Control reviews. We maintain a test/demo system that minimises the need for support access to production systems.

Server Access: We adopt a Development and Cryptographic Policy which restricts server access to production servers only to DevOps engineers, using SSH keys managed via an LDAP server which are additionally password protected.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 LRQA
ISO/IEC 27001 accreditation date 06/04/2017
What the ISO/IEC 27001 doesn’t cover The certification covers all Arbor services and locations in the UK
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • IASME & Cyber Essentials
  • DfE Cloud Suppliers Checklist

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards • IASME & Cyber Essentials certification
• DfE Cloud Suppliers Checklist
Information security policies and processes Arbor protects the data we store with a comprehensive Information Security Management System, audited annually for our ISO27001 certification. This system is governed by an Information Security Management Committee consisting of senior management across various business areas.

Arbor senior management actively supports information security within the organisation through clear direction, demonstrated commitment, and acknowledgment of information security responsibilities. The committee is ultimately responsible for:
•Reviewing and approving information security policy and objectives
•Providing clear direction and visible management support for security initiatives
•Providing the resources needed for information security
•Initiating programmes to maintain information security awareness
•Adopting a best-practice approach to information risk management and ensuring implementation of appropriate information security controls
•Promoting the regular review and continual improvement of information security

Physical security is maintained by formal inspections, risk assessments, and access control at every Arbor office. Access to Arbor locations is restricted with secure keys, CCTV, 24/7 security personnel and secure perimeter doors.

Data security is maintained by our staff’s awareness training, personal vigilance, and a number of digital safeguards including regular password changes and two-factor authentication. Data is stored centrally rather than on any one device, making it easy to give and revoke permissions to different users.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach All systems are configured using SaltStack. No changes are ever made to live server configurations (we operate with immutable servers). Salt allows us to define the end state of the system declaratively in salt state files which are version controlled. This means that any changes to the configuration of servers leave an audit trail. It also means that all configuration can be tested in our staging environment and repeated deterministically. All changes are assessed by the Head of Technical Security Operations before being approved.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Assessing: We run a monthly Security Committee to assess potential threats to our services. In addition, there is a quarterly Management Information Security Review to ensure effectiveness of the information security management system. A dedicated DevOps team subscribes to relevant security briefings and assesses the risk on a daily basis. We commission external penetration tests at least once per year.

Patching: All systems are configured to download and install security updates nightly, and the installed updates are checked via a centralized log.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Monitoring: All changes to any data records are kept in an Audit Log. All errors are logged to a centralized error reporting system and investigated by relevant engineering teams. All user activity, page requests, system and server logs are aggregated in a centralized log. All services are continually monitored into a centralized system.

Identification: Automatic alerts are sent to DevOps/engineers whenever breaches/errors are identified.

Response: Incidents are assessed and classified. Serious incidents are reported to the CTO and our Incident Response Policy is followed to completion (48 hours). Minor incidents are resolved by individual teams (14 days).
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach The security incident response plan aligns with the SANS Identification step and is about making use of a robust detection and reporting capability. Early visibility of incidents facilitates quick decision making and rapid action. Potential security incidents can be detected and reported from a number of different sources, such as:
Arbor employees.
Arbor customers.
Arbor business partners.
Other external sources such as Law Enforcement Agencies.
System logs.
For non-system reportingArbor colleagues or business partners can telephone0207 043 0470or email and report a perceived security event or security weakness.

Security related incidents are centrally recorded using an Incident Log.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £1500 to £15000 per unit per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Our Insight dashboard offers free analytics for all schools and groups for an unlimited period.

We also offer free trials of MIS for new schools getting set up, usually for 6 months.
Link to free trial

Service documents

Return to top ↑