Commitment to Privacy & Security


Introduction

GG4L is Trusted by Major Companies

Awareness of Security Threats and Security Audits

Securing Access to Infrastructure

Data Collection and Retention Policies

Integration with LDAP

Data Encryption

Comprehensive Privacy Policy

Personnel Security Policies and Procedures

 

Introduction

GG4L centers its security posture and security policy on ISO 27001. To accomplish that, we align ourselves with the Cloud Security Alliance by completing a self-assessment and subsequently pursuing external validation. Certification plans for 2023 include completing a SOC2 external audit.

Student data is among a school’s most sensitive information. And it’s imperative that this data is fully protected. We at Global Grid for Learning, PBC (“GG4L”) understand that. That’s why we take all commercially available measures to protect your data. This document describes GG4L’s approach to security and privacy.

The information contained herein applies to the GG4L School Passport platform (“School Passport”, “service”), which has passed regular testing by a highly reputable, US-based, third-party security compliance testing company.

 

GG4L is Trusted by Major Companies

The core components within the School Passport have been built from the ground up over several years and with sizable investments. As opposed to simply being a reseller of someone else’s service, GG4L owns and operates its hosted SSO, Provisioning, Identity Management and Data Integration services. Other than our best-of-breed development frameworks, there are no third parties involved in our services. 

The School Passport is currently licensed by multinational organizations such as Amplify Learning, Coursera, Faria Education Group, Google Qwiklabs and Lightspeed Systems. GG4L continuously strives to meet the high security standards demanded by its partners and to embed these into its own security policies and requirements.

 

Awareness of Security Threats and Security Audits

GG4L invests significant resources in developing the security components of its products.

School Passport software is subject to a regular evaluation of security in the form of penetration and hybrid assessment testing. These combine automated application vulnerability scanning with manual penetration testing techniques to locate attack vectors and simulate real-world exploitation. The outcome of the last evaluation is that GG4L’s software is very secure. 

GG4L’s development team attends regular training sessions that focus on raising awareness of the security threats and on improving software security. GG4L has an internal QA team whose main focus is the evaluation of software security.

There is strict separation of responsibilities so that database support personnel do not interact with the code base of the application (that decrypts sensitive data), and vice versa.

 

Securing Access to Infrastructure

The software component of School Passport is deployed in the Virtual Private Cloud (VPC) environment in Amazon Web Services (AWS) as per industry standards and best practice.

Deployment is split into three logical layers with each layer having its access control managed through the relevant AWS Security Group and Network Access Control List.

Physical access (via SSH) to application servers is granted according to established Access Control Policies and Procedures.

GG4L enforces encryption of all incoming/outbound traffic to/from the School Passport.

Application code is executed under an account with minimal privileges to system resources.

User uploaded content is strictly validated, placed outside of the web root directory and is protected with the access control policies.

 

Data Collection and Retention Policies

Data in the database is encrypted at the file system level. Application level encryption is applied to security credentials and to Personally Identifiable Information (PII) persisted in the database of School Passport.

The Advanced Encryption Standard (AES) algorithm is used for encryption of data.

The bcrypt algorithm is used for creating a one-way hash of users’ passwords that are persisted in the database.

Data pertaining to a user or to an institution are deleted from the solution when the respective entity is deactivated (by an administrator of the respective institution) or upon termination of a subscription with GG4L.

 

Integration with LDAP

All operations against on-premise or cloud-hosted LDAP servers utilize Secure Lightweight Directory Access Protocol (LDAPS). Connections between the School Passport and LDAP server are secured by TLS. GG4L recommends that the firewall of the data center (that hosts the LDAP server) grants access only from the physical location of GG4L’s VPC.

Each tenant of GG4L has rights to view and manage connectivity with LDAP that was created under its account.

Authentication of users against the LDAP server utilizes a “bind” operation. After successful authentication, certain attributes of the user can be read from LDAP, encrypted and persisted into GG4L’s data storage. A “role” of the user within School Passport can be determined by the user’s membership in “Organizational Unit(s)” or “Group(s)” in LDAP. The information about such membership is accessible through the attributes of the entity that represents the user’s account in the LDAP server.

 

Data Encryption

A combination of the Advanced Encryption Standard (AES) with Cipher Block Chaining (CBC) and PKCS#5 Padding is used for data encryption. AES-256 provides a large keyspace to ensure a highly conservative security strategy.

In order to use the CBC mode effectively a unique Initialization Vector (IV) is randomly generated for each encrypted value. PKCS#5 Padding is a binary safe padding scheme.

A Key Derivation Function (KDF) is applied to the IV and to a key to ensure that the resulting value for the block cipher fills the entire possible key space. A secure random number generator (CSPRNG) is used to generate the key and IV.
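The scheme described in this section, as an added example that is not GG4L's code: AES-256-CBC with a CSPRNG-generated IV for each value and the cipher's default block padding (PKCS#7, which is what "PKCS#5" denotes for AES's 16-byte blocks). The choice of HKDF-SHA256, the key labels, the function names, the token layout and the HMAC tag are assumptions; the HMAC step goes beyond what the page states and is included because CBC on its own does not detect modified ciphertext.

```javascript
// Added example, not GG4L code. KDF choice, labels and token layout are assumptions.
const { randomBytes, createCipheriv, createDecipheriv,
        createHmac, hkdfSync, timingSafeEqual } = require("crypto");

const IV_LEN = 16;   // AES block size
const TAG_LEN = 32;  // HMAC-SHA256 output size

// Derive independent 256-bit encryption and MAC keys from one master secret.
// HKDF-SHA256 is an assumed KDF; the page does not name the one it uses.
function deriveKeys(masterKey) {
  const salt = Buffer.alloc(32); // constant salt: master key is already high entropy
  return {
    enc: Buffer.from(hkdfSync("sha256", masterKey, salt, "field-enc", 32)),
    mac: Buffer.from(hkdfSync("sha256", masterKey, salt, "field-mac", 32)),
  };
}

// Encrypt one value. A fresh random IV per value means identical plaintexts
// never produce identical ciphertexts. Token = base64(IV || ciphertext || tag).
function encryptField(keys, plaintext) {
  const iv = randomBytes(IV_LEN);
  const cipher = createCipheriv("aes-256-cbc", keys.enc, iv); // PKCS#7 padding by default
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = createHmac("sha256", keys.mac).update(iv).update(ct).digest();
  return Buffer.concat([iv, ct, tag]).toString("base64");
}

// Verify the tag before touching the ciphertext, so padding errors are never
// exposed to whoever supplied the token.
function decryptField(keys, token) {
  const raw = Buffer.from(token, "base64");
  if (raw.length < IV_LEN + 16 + TAG_LEN) throw new Error("token too short");
  const iv = raw.subarray(0, IV_LEN);
  const ct = raw.subarray(IV_LEN, raw.length - TAG_LEN);
  const tag = raw.subarray(raw.length - TAG_LEN);
  const expected = createHmac("sha256", keys.mac).update(iv).update(ct).digest();
  if (!timingSafeEqual(tag, expected)) throw new Error("authentication failed");
  const decipher = createDecipheriv("aes-256-cbc", keys.enc, iv);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}
```

Call `deriveKeys(randomBytes(32))` once per master key, then pass the result to `encryptField` and `decryptField` for each stored value.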

 

Comprehensive Privacy Policy

In compliance with GG4L’s Privacy Policy (https://gg4l.com/privacy-policy/), a School (school, school district, community college, university, or other educational organization) can use School Passport to share data between the School and data consumers. Data consumers are typically cloud-based applications.

Data privacy is important to us. GG4L protects the privacy of any information we may collect through GG4L School Passport and other services and websites we own and operate.

School Passport is a software-as-a-service single sign-on and data integration hub that transmits roster and other operational data between a School and consumers of that data on behalf of the School.  Only data that is explicitly authorized by the School is made available to data consumers.

It is important to note that data ownership of School data, at all times and in all circumstances, remains exclusively with the School. As a School, you have complete control of and responsibility for your data. If you have questions about or need help with your data, just ask us.

GG4L is an approved signatory of the Student Data Privacy Pledge, a recipient of the IMS TrustEd Apps Seal and a member of the Student Data Privacy Consortium.

 

Personnel Security Policies and Procedures

GG4L maintains a comprehensive hiring, training, and retraining process, which includes rigorous pre-employment screening. Pre-employment screening can include but is not limited to:

  • Conducting credit referencing and criminal background checks
  • Verifying academic and professional qualifications
  • Undertaking detailed employment reference checking, including confirmation of employment dates, job titles, leaves (where relevant) and salaries
  • Confirming current, past and disqualified certifications and licenses, if any

Each employee, as part of the hiring process, signs agreements and statements including but not limited to:

  • Non-disclosure agreement (NDA)
  • Confidentiality agreement
  • Company policy acknowledgement and agreement

 
