Data protection and GDPR

Securing and respecting the confidentiality of sensitive information and documents provided by families and companies is at the heart of Eduka Software’s concerns, which takes all measures to ensure the security of its infrastructure and software platform. This document provides an overview of the measures undertaken by Eduka and offered to schools through the Eduka Suite platform. The hosting and communication architecture implemented by Eduka Software, as well as its various components, were presented and explicitly validated by the Data Protection Officer of the AEFE (Agency for French Education Abroad).

Data collection, processing and storage

Eduka Software is a software publisher and offers a software suite for school administrative management accessible on the Internet. Eduka Software employees do not collect or access data from schools. However, we offer through our software a set of features and measures that the school must implement to ensure its good compliance with the RGPD as well as other possible local regulations. Eduka Software actively encourages schools to set up these features to ensure compliance with the regulations in force. These measures are presented and detailed in a separate document given to the school at the start of the project to set up the platform within the school.

Application of the GDPR

On May 25, 2018, the General Data Protection Regulation (GDPR) came into effect. This European Union regulation concerns any company or organisation even outside Europe: it applies whenever a database contains personal data relating to residents of the European Union.

To be compliant with the GDPR, the school will thus be able to:

Add a Privacy Policy page on the homepage of the application (a template to be completed by the school is provided by Eduka)

This document should describe, among other things:

  • What data is collected by the application,
  • Treatments performed,
  • How to exercise your rights of access, withdrawal and opposition
  • The security measures implemented to guarantee the confidentiality of the data
  • Applicable legislation and regulations
  • The name and contact details of the Data Protection Officer, the person responsible for data protection within the school

Add a checkbox when creating an account so that users explicitly agree to these terms when registering

Provide users with an easily accessible feature to upload their personal data

Article 20 of the General Data Protection Regulation introduces the notion of “right to data portability”. A feature to download data in a “machine-readable” format is available in the user’s account settings.

By clicking on this button, you will retrieve a .ZIP archive containing an Excel file with your personal data in a common format, as well as the supporting files you have uploaded. The file is encrypted and protected by an encryption password that is communicated to you. This feature is enabled by default for all schools and cannot be disabled.

For its proper compliance with the GDPR, the EDUKA platform also offers schools:

  • A data erasure feature

All data entered by the parent is recorded in a history that can be consulted by the school administration. In order to comply with Article 17 of the General Data Protection Regulation regarding the “right to be forgotten”, the Data Protection Officer has a functionality to erase the data history. This feature is available to Students, Principals, Families, Staff and Payers.

Thanks to this functionality, the Data Protection Officer will have the technical means, upon request of a student leader or a paying institution, to delete all data concerning him/her in the EDUKA database.

  • IP address removal functionality

The platform collects or calculates a set of metadata, some of which may allow the identification of visitors. In particular, the IP address used by the visitor when registering for an account and during certain processes such as registering for activities or services. IP addresses can be deleted by the Data Protection Officer upon request by users.

Data storage

The hosting infrastructure of the EDUKA platform is based on :

  • A segmentation by zones with data hosted on 2 data centers:
  • A data centre located in Europe (Netherlands) via the company Worldstream, used for all establishments located outside Asia, as well as all Directly Managed Establishments (DME) managed by the AEFE. For more information on Worldstream’s security and privacy guarantees, click here.
  • A data centre located in Asia (Singapore) via the company Leaseweb, used for all schools located in Asia/Oceania for network performance reasons, with the exception of the EGD (Directly Managed Schools of the AEFE, whose Eduka platforms are located in the European data centre). For more information on Leaseweb’s security and privacy guarantees, click on this link.
  • A school may request a transfer from one region to another at any time if it deems it necessary. The company Eduka Software does not charge for this operation. Schools hosted in Asia benefit from a level of protection, security, and guaranteed confidentiality of their information that is equal to that offered to schools hosted in the data center located in Europe.

The CloudFlare service, which optimizes data performance and security, protection against denial of service attacks, and a number of other technical advantages in terms of platform access quality and hosting infrastructure. For more information on CloudFlare’s security and privacy guarantees, please click on this link and this one. The use of the CloudFlare component was explicitly validated by the AEFE prior to the technical implementation of this infrastructure, in order to guarantee the respect of measures and good practices regarding the protection of privacy and data confidentiality.

Security

Technical measures for security and confidentiality

The measures implemented to ensure the security of the EDUKA platform offered to schools are as follows

  • Access to the platform is exclusively through a secure connection (HTTPS) with an SSL certificate that guarantees the proper encryption and security of communications
  • Access management: only authorized personnel can consult the data. Access rights to the features are exclusively and explicitly managed by the schools.
  • Software for network monitoring, intrusion detection, and defense against viruses and Trojan horses
  • Connection to the platform protected by a combination of login and password, with the possibility of adding a strong two-factor authentication: e-mail, SMS, or single-use code. Activation of dual-authentication features is at the discretion of the school.
  • The server hosting the school’s platform is protected by ahardware firewall as well as a softwarefirewall and a webapplication firewall

In addition, other measures of a strictly technical nature are used to strengthen the security of the platform, a summarized and non-exhaustive list of which is given below:

  • Periodic anti-virus and anti-rootkit scanning, and also in real time when files are uploaded
  • Protection against SQL injections through the exclusive use of PDO queries
  • Protection against XSS attacks by filtering user data via various methods(CSP, CSRF tokens)
  • Clickjacking protection; hiding headers that reveal server component versions
  • Protection against brute forceattacks
  • Protection against many other types of attacks through the use of a WAF (Web Application Firewall)
  • Daily backups with multiple levels of redundancy, proprietary format backup files and encrypted with multiple key factors.
  • Real-time data replication based on the “master/slave” model for 100% data recovery in case of service disruption.
  • Regular updates of the operating system and components to benefit from the latest security developments
  • Good network practices, checked and audited regularly, no port opening except port 443 (web), IP addresses of servers inaccessible because all external communications are done via CloudFlare relay

Security audits

Each year, an independent external provider conducts security audits to ensure that our IT facilities, hosting infrastructure, and application code are perfectly secure. Eduka chooses to change providers annually in order to maximize the robustness of its suite.

For reference, here are the providers that have conducted the audits over the past three years:

The recent security audits have revealed no major issues, demonstrating the robustness of our system. Every recommendation and best practice is quickly implemented, ensuring continuous improvement of our security. The external auditor praised the security measures implemented within the Eduka solution and its infrastructure, describing them as “above average.” Additionally, compliance certificates are systematically issued and made available to schools upon request, offering an exemplary level of transparency and reassurance for our partners.

Other options that can be activated

In order to provide an optimal level of confidence for all users, additional features are available and can be activated at any time by schools. Eduka actively recommends the use of these features.

Login with Strong Authentication

Principle: when a user connects to the platform, he/she must enter a temporary code in addition to his/her usual login and password. The temporary code can be :

  • Or sent by e-mail
  • Either generated on an application for smartphone, tablet, or computer
  • Or sent by SMS

To activate this feature, users must access their account settings and click on “Strong Authentication”.

A user guide is provided to users from the online help available on the platform by clicking on the “?” button at the top right of the web page.

Whitelist of IP addresses for administrative profiles

Principle: the platform administrator restricts access to the administrative management features of the Eduka platform to administrative staff whose IP address is on a white list.

This feature provides enhanced protection so that even if an administrative user’s password is stolen, the attacker will not be able to access the Eduka platform because his IP address will not be in the white list of authorized IP addresses.

Protect access to the platform with Captcha

Principle: propose a “captcha” on the registration form, as well as on the password reset form.

This prevents excessive or automated use of certain features. The captcha component used is considered the industry standard. It requires registration with a third party service by the school.

Password security

Principle: force users to use a complex password composed of at least 1 upper case letter, 1 lower case letter, 1 number, and 1 special character, with a minimum of 8 characters.

This prevents the use of passwords that are too simple or present in the dictionary. This option is activated by default when the Eduka platform is delivered, and we strongly recommend that schools do not deactivate it.