Learning Without Tears Security Policy
Effective Date: May 17, 2017
Software Security
Data Transmission
Communication between a client application and our backend servers is via a secure, private API requiring the use of a proprietary, dynamic security token for all web service calls.
API Calls
All web service calls are made over HTTPS using the TLS cryptographic protocol. This ensures the integrity of the data being transmitted, using unique session keys to encrypt and decrypt the data over the wire. Each web service call is also stateless: because no relevant 'state' information is stored on the servers to link web service calls to a specific API client, authorization must be performed on each subsequent service call.
User Data Isolation
As data enters the database, the particulars used to positively identify a user (teacher or student) are isolated as much as possible and replaced with synthetic identifiers used throughout the data model. The user elements retained, such as student name or teacher name, are kept to make the applications effectively usable.
During normal use of the application, these identifiable elements are visible in the applications to the user with proper access credentials. Upon termination of the contract and written request from the customer, these elements are permanently destroyed.
Student Identifiable Information
As much as possible, a minimal amount of Student Identifiable Information is maintained in the database, exclusively and expressly for the purposes of student login (authentication) and application personalization. Such information currently only includes student first name, last name, grade and, optionally, parent(s)' email addresses. Upon entry into the database, the Student Identifiable Information is assigned a synthetic ID used throughout all operations and reporting within the system. The Student Identifiable Information may be destroyed upon written customer request.
Facility Security
The data centers used to operate our infrastructure are run by industry-leading providers with decades of experience designing, building and running highly available facilities with multiple, redundant paths for power, networking, and physical and virtual security facilities.