Data protection and GDPR

Securing and respecting the confidentiality of sensitive information and documents provided by families and companies is at the heart of Eduka Software’s concerns, which takes all measures to ensure the security of its infrastructure and software platform. This document provides an overview of the measures undertaken by Eduka and offered to schools through the Eduka Suite platform. The hosting and communication architecture implemented by Eduka Software, as well as its various components, were presented and explicitly validated by the Data Protection Officer of the AEFE (Agency for French Education Abroad).

Data collection, processing and storage

Eduka Software is a software publisher and offers a software suite for school administrative management accessible on the Internet. Eduka Software employees do not collect or access data from schools. However, we offer through our software a set of features and measures that the school must implement to ensure its good compliance with the RGPD as well as other possible local regulations. Eduka Software actively encourages schools to set up these features to ensure compliance with the regulations in force. These measures are presented and detailed in a separate document given to the school at the start of the project to set up the platform within the school.

Application of the GDPR

On May 25, 2018, the General Data Protection Regulation (GDPR) came into effect. This European Union regulation concerns any company or organisation even outside Europe: it applies whenever a database contains personal data relating to residents of the European Union.

To be compliant with the GDPR, the school will thus be able to:

Add a Privacy Policy page on the homepage of the application (a template to be completed by the school is provided by Eduka)

This document should describe, among other things:

  • What data is collected by the application,
  • Treatments performed,
  • How to exercise your rights of access, withdrawal and opposition
  • The security measures implemented to guarantee the confidentiality of the data
  • Applicable legislation and regulations
  • The name and contact details of the Data Protection Officer, the person responsible for data protection within the school

Add a checkbox when creating an account so that users explicitly agree to these terms when registering

Provide users with an easily accessible feature to upload their personal data

Article 20 of the General Data Protection Regulation introduces the notion of “right to data portability”. A feature to download data in a “machine-readable” format is available in the user’s account settings.

By clicking on this button, you will retrieve a .ZIP archive containing an Excel file with your personal data in a common format, as well as the supporting files you have uploaded. The file is encrypted and protected by an encryption password that is communicated to you. This feature is enabled by default for all schools and cannot be disabled.

For its proper compliance with the GDPR, the EDUKA platform also offers schools:

  • A data erasure feature

All data entered by the parent is recorded in a history that can be consulted by the school administration. In order to comply with Article 17 of the General Data Protection Regulation regarding the “right to be forgotten”, the Data Protection Officer has a functionality to erase the data history. This feature is available to Students, Principals, Families, Staff and Payers.

Thanks to this functionality, the Data Protection Officer will have the technical means, upon request of a student leader or a paying institution, to delete all data concerning him/her in the EDUKA database.

  • IP address removal functionality

The platform collects or calculates a set of metadata, some of which may allow the identification of visitors. In particular, the IP address used by the visitor when registering for an account and during certain processes such as registering for activities or services. IP addresses can be deleted by the Data Protection Officer upon request by users.

Data storage

The hosting infrastructure of the EDUKA platform is based on :

  • A segmentation by zones with data hosted on 2 data centers:
  • A data centre located in Europe (Netherlands) via the company Worldstream, used for all establishments located outside Asia, as well as all Directly Managed Establishments (DME) managed by the AEFE. For more information on Worldstream’s security and privacy guarantees, click here.
  • A data centre located in Asia (Singapore) via the company Leaseweb, used for all schools located in Asia/Oceania for network performance reasons, with the exception of the EGD (Directly Managed Schools of the AEFE, whose Eduka platforms are located in the European data centre). For more information on Leaseweb’s security and privacy guarantees, click on this link.
  • A school may request a transfer from one region to another at any time if it deems it necessary. The company Eduka Software does not charge for this operation. Schools hosted in Asia benefit from a level of protection, security, and guaranteed confidentiality of their information that is equal to that offered to schools hosted in the data center located in Europe.

The CloudFlare service, which optimizes data performance and security, protection against denial of service attacks, and a number of other technical advantages in terms of platform access quality and hosting infrastructure. For more information on CloudFlare’s security and privacy guarantees, please click on this link and this one. The use of the CloudFlare component was explicitly validated by the AEFE prior to the technical implementation of this infrastructure, in order to guarantee the respect of measures and good practices regarding the protection of privacy and data confidentiality.

Security

Technical measures for security and confidentiality

The measures implemented to ensure the security of the EDUKA platform offered to schools are as follows

  • Access to the platform is exclusively through a secure connection (HTTPS) with an SSL certificate that guarantees the proper encryption and security of communications
  • Access management: only authorized personnel can consult the data. Access rights to the features are exclusively and explicitly managed by the schools.
  • Software for network monitoring, intrusion detection, and defense against viruses and Trojan horses
  • Connection to the platform protected by a combination of login and password, with the possibility of adding a strong two-factor authentication: e-mail, SMS, or single-use code. Activation of dual-authentication features is at the discretion of the school.
  • The server hosting the school’s platform is protected by ahardware firewall as well as a softwarefirewall and a webapplication firewall

In addition, other measures of a strictly technical nature are used to strengthen the security of the platform, a summarized and non-exhaustive list of which is given below:

  • Periodic anti-virus and anti-rootkit scanning, and also in real time when files are uploaded
  • Protection against SQL injections through the exclusive use of PDO queries
  • Protection against XSS attacks by filtering user data via various methods(CSP, CSRF tokens)
  • Clickjacking protection; hiding headers that reveal server component versions
  • Protection against brute forceattacks
  • Protection against many other types of attacks through the use of a WAF (Web Application Firewall)
  • Daily backups with multiple levels of redundancy, proprietary format backup files and encrypted with multiple key factors.
  • Real-time data replication based on the “master/slave” model for 100% data recovery in case of service disruption.
  • Regular updates of the operating system and components to benefit from the latest security developments
  • Good network practices, checked and audited regularly, no port opening except port 443 (web), IP addresses of servers inaccessible because all external communications are done via CloudFlare relay

Security audits

Security audits are carried out every year by an independent external service provider to ensure the proper IT security of the installations, the hosting infrastructure and the application code.

Since 2018, the IT security company retained to carry out the periodic IT audit assignment is LinkByNet (www.linkbynet.com),” pure player ” since 2006 in the field of Information Systems Security Management with references in the Banking, Insurance, Distribution, Public Services, Local Authorities, Health, Industrial Group, Building and Public Works sectors… Please find a more detailed list of LinkByNet’s references by clicking on this link.

The latest audits have not revealed any major security problems and all good practices and suggestions are systematically and immediately implemented following the audits. The auditing company believes that the security measures implemented in the Eduka software solution and its infrastructure offer an ” above average ” guarantee of security. Certificates of successful completion of these audits are systematically issued and shared with schools that request them, in order to provide schools with an optimal level of transparency.

Other options that can be activated

In order to provide an optimal level of confidence for all users, additional features are available and can be activated at any time by schools. Eduka actively recommends the use of these features.

Login with Strong Authentication

Principle: when a user connects to the platform, he/she must enter a temporary code in addition to his/her usual login and password. The temporary code can be :

  • Or sent by e-mail
  • Either generated on an application for smartphone, tablet, or computer
  • Or sent by SMS

To activate this feature, users must access their account settings and click on “Strong Authentication”.

A user guide is provided to users from the online help available on the platform by clicking on the “?” button at the top right of the web page.

Whitelist of IP addresses for administrative profiles

Principle: the platform administrator restricts access to the administrative management features of the Eduka platform to administrative staff whose IP address is on a white list.

This feature provides enhanced protection so that even if an administrative user’s password is stolen, the attacker will not be able to access the Eduka platform because his IP address will not be in the white list of authorized IP addresses.

Protect access to the platform with Captcha

Principle: propose a “captcha” on the registration form, as well as on the password reset form.

This prevents excessive or automated use of certain features. The captcha component used is considered the industry standard. It requires registration with a third party service by the school.

Password security

Principle: force users to use a complex password composed of at least 1 upper case letter, 1 lower case letter, 1 number, and 1 special character, with a minimum of 8 characters.

This prevents the use of passwords that are too simple or present in the dictionary. This option is activated by default when the Eduka platform is delivered, and we strongly recommend that schools do not deactivate it.