When you use our service, you trust us to protect your data and your privacy. This article is intended to give you the confidence that RM takes these responsibilities seriously.

RM Unify helps you, as data controllers, to fulfil your responsibilities in regard to relevant data protection law including the Data Protection Act (DPA), Privacy and Electronic Communications Regulations (PECR) and the General Data Protection Regulation (GDPR).

Specifically, RM Unify supports effective data protection in the following ways:

• We are transparent about the data that we hold and what we do with it.
• Our service provides you with a single point of control over what cloud services are in use and what data is shared with each one.
• The single sign on standards we use mean that a user's password is never shared with third party cloud services, with the exception of Google for Chromebook password consistency. This naturally limits the data that other third parties hold, reducing the impact in the event that they experience a data breach.

This article takes you through some of the policies and technologies that we use to protect your data.

RM Unify is hosted in the Microsoft® Azure cloud. The Microsoft Azure datacentres, which also host the Microsoft 365™ service, are accredited to ISO 27001. Microsoft Azure infrastructure and services have been verified as meeting the cloud security principles of G-Cloud. This permits storage of UK government data up to the official level, which covers the vast majority of public sector data. For more information please see the Microsoft Trust Centre:
https://www.microsoft.com/en-us/TrustCenter/Compliance/UK-G-Cloud

In accordance with the EU Data Processing Directive, RM will keep all hosting of the service within Microsoft Azure datacentres inside the European Economic Area (EEA). RM Unify is currently deployed in a redundant architecture in Azure North Europe (Dublin) and Azure West Europe (Amsterdam).

All end user and API access is performed over TLS connections. This is important for two reasons:

1. It ensures that users are connecting to the real RM Unify service and not a lookalike site.
2. Connections are protected from snooping and tampering.

The service enforces strict authentication and authorisation controls so that users can only access the data they should be allowed to.

RM Unify handles different types of user password that requires them to be stored in different ways. For transparency, the storage of each type of password is detailed below:

• Logon passwords - These are stored as a RFC2898 compliant PBKDF2 salted hash. This matches the recommendations of the world authority on authentication, the National Institute of Standards and Technology (NIST).
• Windows device SSO - To facilitate Windows device SSO, the user password needs to be held as an MD4 hash. To further protect this we encrypt it with advanced standard encryption (AES) to provide additional hardening.
• Chromebook SSO - To facilitate password consistency between RM Unify and Google Workspace, the user password must be available as a SHA1 hash. As above, we encrypt this with AES to provide additional hardening.
• Saved Password Apps (SPAs) - Where SPAs are used by a school, the provided user passwords need to be recoverable for RM Unify to post them into the sign in pages of the respective cloud apps. As such these passwords are AES encrypted.

In all cases where the passwords are AES encrypted, access to the encryption keys is further protected with an RSA certificate. Finally, underpinning all of this, the databases themselves are encrypted on disk.

One of the core capabilities of RM Unify is collecting data and synchronising with third party cloud services to provision and deprovision accounts. As such, it is important for customers to understand what data is collected from their source MIS/Active Directory and shared between RM Unify and associated cloud services. For more information on this data sharing mechanism, refer to TEC5891006 in the Other Useful Articles section below.

The terms and conditions (and cookie policy) for RM Unify, detailing how we process your data, can be found here: http://www.rm.com/about/terms

If you want to stop using the RM Unify service, please let us know so that we can clear down your personal data.

• RM Unify Premium - Raise a support call via RM Support online here, by selecting 'Log a support call' on the Support Home tab.
• RM Unify Basic - Please call the RM Unify Support team on 0845 404 0000, choosing option 2 from the menu.

Telephone support for customers without an RM Unify Support contract is permitted only when making this specific request to delete RM Unify establishment data.

In line with industry best practice, RM encourages the responsible disclosure of any security vulnerabilities identified by customers via the vulnerability disclosure section of our website: http://www.rm.com/contact.