Last updated | 23rd May 2024 |
Last updated by | Chris Thornton (Creative Director). |
Website | HelpKidzLearn.com (HKL). |
Product Name(s) and Version(s) | Games and Activities (GA), ChooseIt Maker (CM), ChooseIt Readymades (CRM), Insight (I), Inclusive Stories (IS). |
Purpose and Functionality of Product(s) | Online accessible services, enabling learners of all abilities to play, develop and achieve. |
Product(s) Licensing Model | SAAS on a monthly and/or annual basis. |
Vendor's Company Name / Registration number | Inclusive Technology Ltd (IT) / 3525459. |
Registered Company Address | Unit 8-9, Riverside Court, Huddersfield Road, Delph, Oldham, UK. OL3 5FZ. |
Company Tax Number | GB732822345 |
Total Number of Employees | 20 |
HelpKidzLearn and Services Comply with Privacy Provisions | Data Protection Act, UK/EU GDPR. Children's Online Privacy Protection Act (COPPA) of 1998. Family Educational Rights and Privacy Act (FERPA). |
Information Security Management System (ISMS) | N/A |
Information Security Manager(s) | Shared Accountability: Chris Thornton (Creative Director), Steven Hill (Principal Developer). |
Data Privacy Officer/Manager | Chris Thornton (Creative Director) |
Policies and Standards Maintained | |
Documentation and Processes in Support of Business Resilience (Available Upon Request) | |
Product Target and Intended Users | Teacher/Payee: Administration of Account and Purchasing of Licences etc. Learner: Access Products (only) |
Architecture Used for Hosting and Delivery of Product/Service | Public cloud provider: Azure and AWS. |
Customer or Solution Data Stored | United Kingdom |
Individuals, Groups or Roles that have Access to the Physical Environment where Customer Data is Stored and Processed | Internal Administrative Staff |
Access to Physical Environment Controlled (This question does not relate to cyber intrusion or hacking) | Physical Locks |
Validation of Third Parties, Suppliers, Vendors or Partners that Handle or Store Personal Information | Suppliers/Resellers acting on behalf of HelpKidzLearn are assessed and sign contracts to adhere to privacy principles. |
Utilisation of Third Party Code, Services or Other Resources | PayPal, Mailchimp, Libraries (e.g. ReactJS). HelpKidzLearn contains no third party tracking pixels for marketing purposes; See Privacy Policy. |
Management of Security and Integrity of Third Party Code | Third parties are ISO27001 Certified. |
Security of Backup Data (Security Controls: Encryption, Device Blocking, Data Anonymisation) | Database and data (e.g. media) backups secured through encryption and access control. |
Security of Data Stored on Portable Media Devices (USB Drives and Laptops) | No data is stored on portable media devices; Acceptable use policy. |
Security of Data in Development and Test Environments | Isolated environment with internal visibility only. |
Login and Authenticate using an Existing Social Media Account | Solution does not integrate with social platforms. |
Staff Name | Yes (If Payee - Can be anonymised) |
Staff Email Address | Yes (If Payee - Can be anonymised) |
Staff Personal Information | No |
School Name | Yes (Not required) |
Any other staff data | No |
Student name | Insight (only); though not required. |
Student home address | No |
Student telephone number | No |
Student email address | No |
Student date of birth | Insight (only) |
Student produced work/content | No |
Student attendance records | No |
Student behavioural records | No |
Student photos or videos | ChooseIt Maker (only) |
Student gender | Insight (only) |
Student medical or health | No |
Student biometric data | No |
Student geolocation data | No |
Grades or performance information | No |
Any other student data | No |
Parent name | Yes (If Payee - Can be anonymised) |
Parent contact information | Yes |
Any Parent financial or payment data | No |
Any other parent data (e.g. employment details, reference checks etc.) | Yes (Not required) |
Utilisation and Storage of Data Classification Framework or Policy in Place | Initial onboarding of employees includes police, criminal records and background check. N/A for contractors and/or 3rd parties. |
Protection of Data at Rest and In Transit | Public facing website(s) and APIs protected by HTTPS. Database data is protected at rest and in transit via enforced TLS 1.2 encryption over a private and isolated services subnet. |
Employees that have Access to Customer and User Data | Internal developers and sales staff for processing of orders only. |
Training for Vendor Officers or Employees Accessing Protected Information | Internal developers and sales staff receive training on governing confidentiality prior to receiving access to information. |
Solution and/or Database Administration Functions Outsourced to 3rd Parties | N/A - No support and/or administration functions are outsourced. |
System Administrator Access to Systems that Store and Process Sensitive Data | Protection via technical controls. Senior engineer only access (SQL). |
Employees, Contractors or Other 3rd Parties Checks | Initial onboarding of employees includes police, criminal records and background check. N/A for contractors and/or 3rd parties. |
Controls to Prevent Unauthorised Access to Data | Data is stored in an isolated network with no access from external/public sources. Web Application Firewall used to protect websites and APIs. Best-practice approaches used to protect APIs and authenticate users. Role-based access limits service connections to capabilities they require. |
Controls to Prevent Copying or Theft of Data by Employees | Technical controls, including Data Loss Prevention (DLP); Acceptable use policy. |
Data (Identifiable, De-Identified or Summarised) Shared with and/or Sold to any other Company, Entity, Organisation, Research Body or Government Department | Other than as expressly set out in HKL Policy or as otherwise required or permitted by law, we will not share, sell, or distribute any personal information without prior written consent. |
Exposing Users (Including Minors) to Information, Advertising or Content that can be Considered of a Detrimental or Offensive Nature | Services do not deliver any advertisement, and no detrimental and/or offensive material is served, or able to be served, via HelpKidzLearn. |
Geolocation or Biometrics Data Collected as Part of the Provision of the Service or Product | N/A |
Collection of Data that Constitutes the Minimum Possible Requirement to Operate the Service or Product and Supports 'Data Minimisation' | N/A |
Utilisation of Features that Ensure 'Privacy by Design' | Yes; Secure coding guidelines and developer training. |
Logs of Employee Access to Systems and Data | Yes - Comprehensive logging; Risk assessment. |
Duration of Logs Retained | Logs retained for maximum 90 days. |
Access to Logs | Internal administrative staff only. |
Security Incident and Event Logs | Yes - Comprehensive logging (all elements of the solution). |
Duration of Security Logs Retained | Logs retained for maximum 90 days. |
Access to Security Logs | Internal administrative staff only. |
SIEM or Other Monitoring and Alerting Solution to Triage and Manage Security Events and Incidents | Yes - Log monitoring and alerting capability; Application Insights, Prometheus and Grafana. |
User Authenticate to the Solution | Email Address/Password. |
Provision of Unique Usernames for All Users | Yes - All usernames are unique. |
Validation of Access for Legitimate User | User access is managed by the Payee. |
Responsibility for Managing the Creation, Provisioning, Maintenance and De-Provisioning of User Accounts | Managed by the Payee. |
Secured User Credentials | Password encryption. |
Support of Role Based Access | Role based access (administrator, staff and student accounts). |
Does the solution support Multi Factor Authentication i.e. MFA, 2FA etc? | No support for MFA. |
Access Apps on the User's Device to Deliver Supplemental Functionality | N/A |
Age Restrictions on the Use of the Service | No age restrictions in place. |
Parental Consent Rules for the Product or Service | N/A |
Public Facing or In-Solution Browsable Profile for Created User Accounts | N/A |
Minimum Standards Applied to Passwords for User Authentication | Password minimum characters of 6 or more. |
Vulnerability Assessment Across Customer Solution and Corporate Environment | Azure Vulnerability Scanning, Monitoring and Notifications. |
Security Assessments Available to Consumers of Solution | Yes - Available upon request. |
Policy for Notifying Users of a Data Breach | Notification to impacted users within 7 days of data breach event. |
Date of Last Solution or Corporate Systems Data Breach | N/A |
Owner of Content, Data Uploaded or Created within Product or Service | Vendor. |
Process for Individual User to Request a Copy of their Data Held by Company? | Phone and email - Validation required. |
Account Closure and Complete Deletion of Profile and Associated Data | Yes - Available upon request - Validation required. |
Customer and User Data Retained after a User Profile is Deactivated/Deleted | Immediate data deletion. |
User or Customer Data Utilised to Target the Sale of Additional Services or Products | Legitimate interest / Consent based. |
Supply Complete Data-Set of All Accounts Following Discontinuation of the Service | Yes - Available upon request. |
Provide Evidence and Assurance for Validation Purposes of Particular Personal Data-Sets Held and/or Have Been Securely Deleted | Yes - Available upon request. |
Right to Complain About Possible Breaches and Unauthorised Disclosures of Data | To report security related issues and/or improvements please contact the HelpKidzLearn information security team using the following contact details: Email: [email protected] Telephone: +44 1457 819790 Mail to: Chief Privacy Officer, HelpKidzLearn, Inclusive Technology Ltd. Unit 8-9, Riverside Court, Huddersfield Road, Delph, Oldham, UK, OL3 5FZ. We are a small team and appreciate your support and assistance in improving our services for customers of learners with severe and complex needs. |
Data Provision Audits | No more than once a year, or following unauthorised access, upon receipt of a written request (with at least 10 business days' notice) we will allow an audit of the security and privacy measures in place to ensure protection of Student Data. |