Last updated on 22 August 2022.
Learnosity Technical and Organizational Measures
This document describes technical and organizational security measures implemented by Learnosity Limited (“Learnosity”) to protect Personal Data and ensure ongoing confidentiality, integrity, and availability of Learnosity’s Software products including Learnosity Author, Learnosity Questions, Learnosity Math, Learnosity Assessments, and Learnosity Analytics.
This document covers only the measures in place for the core Learnosity Software products mentioned above. Learnosity has written contracts in place with all its subcontractors used to provide services with respect to core Learnosity Software products for implementation of adequate technical and organizational measures which may vary from the below measures for Learnosity Software products. Learnosity partner products have their own security measures.
Learnosity may change these measures from time to time. This may mean that individual measures are replaced by new measures that serve the same purpose or deal with the same risks without materially degrading the overall security. You can check the latest version of this document at https://learnosity.com/data-protection-protocols/. In the unlikely event that Learnosity does materially reduce its security measures, Learnosity shall formally notify Customers.
Within this document, the following definitions apply:
- “Customer” means any Licensee of the Learnosity Software.
- “Learnosity Software” means the core Learnosity Software products mentioned above and licensed by Learnosity to Customer pursuant to a written license agreement entered into by Learnosity and Customer.
- “Personal Data” means any information provided or submitted by the Customer or Customer’s authorized users in connection with use of the Learnosity Software, in each case relating to any identified or identifiable natural person, that Learnosity processes on behalf of Customer.
- “Personnel” means Learnosity employees and authorized individual contractors.
- “Strong Encryption” means the use of industry-standard encryption measures compliant with FIPS 140-2.
Learner Personal Data processed by Learnosity is usually pseudonymized in that Customers pass Learnosity IDs rather than names, and Learnosity does not know the real identity of its Customers’ learners and test takers.
1. Organization of Information Security
Learnosity has an information security function that has been ratified and is supported by business leadership and Learnosity ensures that its Personnel are competent in information security.
- The Learnosity information security function reports to a senior board-level executive.
- Learnosity has a cross-departmental Security Board to address information security across different areas of business.
- Learnosity has information security policies, approved by senior management and disseminated to all Personnel.
- Learnosity security policies are reviewed at least annually and updated when needed.
- All Personnel have entered into confidentiality agreements. All Personnel must annually agree to and sign user rules of behavior that are designed to ensure Personnel understand and follow Learnosity’s information security rules.
- Failure of Personnel to follow information security policies may be treated as a disciplinary matter and lead to sanctions, including dismissal.
- All Personnel are given regular training in information security and must take and pass a data security test as part of their onboarding and thereafter annually. In addition to this, all Personnel are also given data privacy training led by Learnosity’s legal team annually. Personnel in specific roles may take part in role-based security training relevant to their position.
- Information security is a basic design and architectural principle for the Learnosity Software.
- Learnosity is committed to the continual improvement of its security.
2. Information Security Management System
Learnosity has an Information Security Management System (“ISMS”) in place to evaluate risks to the security of Personal Data, to manage the assessment and treatment of these risks, and to continually improve its information security.
- Learnosity has in place appropriate technical and organizational measures to protect the security of personal data we process that meet the general principles of ISO 27001 and ISO 27002.
3. Physical access
Physical access to Personal Data is protected.
- Learnosity utilizes cloud hosting infrastructure from ISO 27001 certified and SOC 2 accredited third-party production data centers with defined and protected physical perimeters, strong physical controls including access control mechanisms, controlled delivery, and loading areas, surveillance, and 24x7x365 professional security guards.
- Only authorized representatives have access to the data center premises and only to the approved layer of the data center specified in their permissions. Physical access to data centers is logged, monitored, and retained. Electronic intrusion detection systems are installed within the data layer to monitor, detect, and automatically alert appropriate personnel of security incidents.
- Power and telecommunications cabling carrying Personal Data or supporting information services at the production data centers are protected from interception, interference, and damage.
- The production data center and its equipment are physically protected against natural disasters, malicious attacks, and accidents.
- Equipment at the production data center is protected from power failures and other disruptions caused by failures in supporting utilities and is correctly maintained.
- Equipment or disk media containing Personal Data (including faulty or end-of-life disks) are not physically removed from the production data center unless securely decommissioned using techniques detailed in NIST 800-88 prior to such removal or being transferred securely for destruction at a third-party site.
4. System Access
Learnosity data processing systems are used only by approved, authenticated users.
- Access to Learnosity internal systems is granted only to Personnel and/or to permitted employees of Learnosity’s subcontractors and access is limited as required for those persons to fulfill their function.
- Learnosity has established a password policy that prohibits the sharing of passwords and requires passwords to be changed on a regular basis and default passwords to be altered. All passwords must fulfil defined minimum requirements and are stored in encrypted form. Each computer has a password-protected screensaver.
- Multifactor authentication is used for key Learnosity internal systems.
- Learnosity has a thorough procedure to deactivate users and their access when a user leaves the company or to alter their access rights if their job function has changed.
5. Data Access
Persons entitled to use data processing systems gain access only to the Personal Data that they are authorized to access.
- Learnosity has a policy to restrict Personnel access to customer data on a “need-to-know” basis.
- Learnosity has a formal background check procedure and carries out background checks on all new Personnel with access to Personal Data in accordance with the requirements of applicable laws.
- Personnel training covers access rights to and general guidelines on the definition and use of Personal Data.
- Where appropriate and practical, Learnosity employs data minimization and pseudonymization to reduce the likelihood of inappropriate access to Personal Data.
- The production environment for the Learnosity Software is separate from the development and testing environment, and development Personnel outside of the infrastructure team do not have access to the production environment.
- Learnosity uses up-to-date anti-malware software on all appropriate computers and servers.
- Learnosity ensures that appropriate Personnel receive alerts and notifications from system software vendors and other sources of security advisories and install system software patches regularly and efficiently.
6. Data Transmission
Personal Data is prevented from being read, copied, altered, or deleted by unauthorized parties during transfer.
- Data in transit is encrypted to protect all interaction with Learnosity Software.
- Learnosity uses Strong Encryption for all other transmissions of Personal Data in the Learnosity Software outside the production data center.
The Customer is responsible for the security of Personal Data once it has been transmitted from Learnosity to the Customer including when downloaded or accessed by Customer users.
7. Development Process
Learnosity implements administrative and technical controls to ensure secure code development.
- Learnosity has a defense in-depth approach to product development and uses a Secure Development Lifecycle (SDLC) that includes a wide range of security testing and flaw reporting and management procedures.
- Learnosity trains its software engineers and quality assurance Personnel on Learnosity’s Product Development Security Policy which includes application security practices and secure coding practices.
- Learnosity has a central, secured repository of product source code, which is accessible only to authorized Personnel.
- All changes to software are via a controlled, approved release mechanism within a formal change control program that tracks, documents, tests, and approves change requests prior to
Personal Data is protected from accidental destruction or loss, and there is timely access, restoration, or availability to Personal Data in the event of an incident.
- Personal Data is stored in at least 2 data centers in a region, with multiple separate cross-connections. The data centers can be switched in the event of flooding, earthquake, fire, or other physical destruction or power outage, to protect Personal Data against accidental destruction and loss.
- Core applications at the production data center are deployed to an N+1 standard so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
- The production data centers are equipped with backup power supply to ensure power is available to maintain operations in the event of an electrical failure for critical and essential loads in the facility.
- The production data centers are monitored 24x7x365 for power, network, environmental and technical issues.
- Learnosity has business continuity measures in place.
9. Job Control
Personal Data processed on a Customer’s behalf is processed solely in accordance with the relevant agreement and related instructions of the Customer including in the use of subprocessors.
- Learnosity acts as a data processor with respect to Personal Data and stores and processes Personal Data in order to operate the Learnosity Software under the instructions of Customer.
- Learnosity uses a limited number of subprocessors to help it provide the Learnosity Software including a small number of third-party companies and some individual (natural person) subcontractors.
- Learnosity has in place directly or via affiliates contracts with all subprocessors that provide for confidentiality of Personal Data and agreements incorporating the EU Standard Contractual Clauses (Processors) are in place with all subprocessors that process relevant Personal Data outside of the European Economic Area or countries considered to provide an essentially equivalent level of protection for Personal Data.
10. Data Separation
Personal Data from one Customer is always logically separated from that of other Customers.
- Learnosity architects its system to ensure logical separation of Personal Data originating from different Customers in the Learnosity Software.
- Any audit rights given to Customers to review Learnosity systems and security always respect the rights of other Customers including preventing access to data from other Customers.
11. Incident Management
In the event of any security breach of Personal Data, the effect of the breach is minimized and the Customer is promptly informed.
- Learnosity maintains an incident response plan and a process for how information security events are assessed and classified as incidents.
- The clocks of all systems at the production data center are synchronized to a single reference time source to aid investigation in the event of an incident.
- In the event of a Personal Data breach that requires notification according to applicable laws, Learnosity will notify Customers without undue delay after becoming aware of the Personal Data breach to the email address or other contact information specified by Customers for this purpose or to Customer’s general contact if no specific breach notification contact information has been provided. In such event, Learnosity shall provide all information on the Personal Data breach to Customers as required by applicable laws (including where applicable the EU General Data Protection Regulation), which information may be provided incrementally if not immediately apparent (but in any case without undue delay) and will include where required by applicable law Learnosity’s explanation of the consequences the Personal Data breach may entail. Learnosity shall take reasonable, necessary measures to mitigate the effects of the Personal Data breach.
Learnosity commissions third-party audits to measure the effectiveness of these technical and administrative controls against industry standard security frameworks.
- Learnosity conducts regular internal audits of its security and expects to conduct external audits.
- Learnosity has a formal policy for managing suppliers who have access to Personal Data and this includes criteria for reviewing and approving suppliers and procedures for monitoring and reviewing their performance.
- Learnosity takes reasonable steps to ensure that Personnel are aware of and comply with the technical and organizational measures set forth in this document.
- Learnosity conducts third-party penetration tests.
Supplementary Measures for Personal Data subject to the GDPR/UK GDPR
Learnosity is an Irish company established in the European Union but we do transfer some personal data to the United States and wish to reassure customers about this transfer. Learnosity commits to the following supplementary measures in respect of personal data subject to the GDPR or UK GDPR that is transferred outside of the European Economic Area or United Kingdom pursuant to the Standard Contractual Clauses published by the European Commission under Commission Implementing Decision (EU) 2021/914 (4 June 2021) (“SCCs”).
1. Learnosity has never received a valid and binding demand for personal data from the U.S. intelligence authorities, including under FISA s.702 or EO 12333 and with respect to EEA or UK personal data transferred to the U.S. under the SCCs (or any prior version), and commits to removing or modifying this statement in the event this position ever changes in accordance with applicable laws;
2. Learnosity will enter into the SCCs which in its view implement the obligations of the Schrems II decision of the Court of Justice of the European Union and which warrant that it believes that it is not required to grant access to data to the US intelligence authorities under Section 702 FISA (or EO 12333). The SCCs contain contractual provisions on the notification and handling of government data demands in accordance with the expectations of the European Data Protection Board. Learnosity believes that law enforcement and national security agencies should go directly to our business and government customers to obtain information or data regarding those entities, their employees, and users.
3. Learnosity will commit to challenge any FISA s.702 or other valid and binding demand that it believes in good faith is unauthorized or overbroad and defend itself against orders to hand over data in court as far as reasonably possible. We do not provide any government with direct, unfettered access to customer data. If a government demands customer data from us, it must follow the applicable legal process. We will only comply with valid and binding demands when we are clearly compelled to do so. Our first step is always to use every reasonable effort to re-direct such orders to customers or to inform them, to allow customers to seek a protective order or other appropriate remedy. If ever ultimately compelled to do so, Learnosity would only disclose the minimum necessary data to satisfy the request;
4. Learnosity will maintain and comply with a government access request policy, the most recent version of which has been formally approved within Learnosity. Learnosity will promptly notify Customers, unless prohibited under the law applicable to the requesting third party, and, if prohibited from notifying Customer, use reasonable lawful efforts to obtain the right to waive the prohibition in order to communicate as much information to Customer as soon as possible. Lawful efforts do not include actions that would result in a civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction or where in the opinion of legal counsel there is no realistic prospect of success;
5. Apart from video and other media files included in questions or given as a response to questions, Learnosity uses end-to-end encryption of customer personal data in transit and at rest;
6. Learnosity has and will continue to have a “no backdoor policy”. Our product development practices prohibit any intentionally developed capabilities or product features that are designed to allow undisclosed and/or undocumented device or network access, or undisclosed and/or undocumented access to device information and/or services.
7. Learnosity confirms that data subjects have rights under the GDPR, including the right to compensation for material or non-material damage under and in accordance with Article 82 GDPR;