Information Security Policy

SECTION 1: GENERAL INFORMATION

Last updated 23rd May 2024
Last updated by Chris Thornton (Creative Director).
Website HelpKidzLearn.com (HKL).
Product Name(s) and Version(s) Games and Activities (GA), ChooseIt Maker (CM), ChooseIt Readymades (CRM), Insight (I), Inclusive Stories (IS).
Purpose and Functionality of Product(s) Online accessible services, enabling learners of all abilities to play, develop and achieve.
Product(s) Licensing Model SAAS on a monthly and/or annual basis.
Vendor's Company Name / Registration number Inclusive Technology Ltd (IT) / 3525459.
Registered Company Address Unit 8-9, Riverside Court, Huddersfield Road, Delph, Oldham, UK. OL3 5FZ.
Company Tax Number GB732822345
Total Number of Employees 20
HelpKidzLearn and Services Comply with Privacy Provisions Data Protection Act, UK/EU GDPR. Children's Online Privacy Protection Act (COPPA) of 1998. Family Educational Rights and Privacy Act (FERPA).
Information Security Management System (ISMS) N/A
Information Security Manager(s) Shared Accountability: Chris Thornton (Creative Director), Steven Hill (Principal Developer).
Data Privacy Officer/Manager Chris Thornton (Creative Director)
Policies and Standards Maintained
Documentation and Processes in Support of Business Resilience (Available Upon Request)
  • Business Continuity Plan
  • Incident Management/Response Plan
  • Data Breach Plan
Product Target and Intended Users Teacher/Payee: Administration of Account and Purchasing of Licences etc. Learner: Access Products (only)

SECTION 2 – SOLUTION ARCHITECTURE INFORMATION

Architecture Used for Hosting and Delivery of Product/Service Public cloud providers: Azure and AWS.
Customer or Solution Data Stored United Kingdom
Individuals, Groups or Roles that have Access to the Physical Environment where Customer Data is Stored and Processed Internal Administrative Staff
Access to Physical Environment Controlled (This question does not relate to cyber intrusion or hacking) Physical Locks
Validation of Third Parties, Suppliers, Vendors or Partners that Handle or Store Personal Information Suppliers/Resellers acting on behalf of HelpKidzLearn are assessed and sign contracts to adhere to privacy principles.
Utilisation of Third Party Code, Services or Other Resources PayPal, Mailchimp, Libraries (e.g. ReactJS). HelpKidzLearn contains no third party tracking pixels for marketing purposes; See Privacy Policy.
Management of Security and Integrity of Third Party Code Third-party service providers are ISO 27001 certified.
Security of Backup Data (Security Controls: Encryption, Device Blocking, Data Anonymisation) Database and data (e.g. media) backups secured through encryption and access control.
Security of Data Stored on Portable Media Devices (USB Drives and Laptops) No data is stored on portable media devices; Acceptable use policy.
Security of Data in Development and Test Environments Isolated environment with internal visibility only.
Login and Authenticate using an Existing Social Media Account Solution does not integrate with social platforms.

SECTION 3 – DATA SECURITY AND PRIVACY INFORMATION

Personal Data Utilised and Stored by Solution

Staff and Teachers:

Staff Name Yes (If Payee - Can be anonymised)
Staff Email Address Yes (If Payee - Can be anonymised)
Staff Personal Information No
School Name Yes (Not required)
Any other staff data No

Students:

Student name Insight (only); not required.
Student home address No
Student telephone number No
Student email address No
Student date of birth Insight (only)
Student produced work/content No
Student attendance records No
Student behavioural records No
Student photos or videos ChooseIt Maker (only)
Student gender Insight (only)
Student medical or health No
Student biometric data No
Student geolocation data No
Grades or performance information No
Any other student data No

Parents:

Parent name Yes (If Payee - Can be anonymised)
Parent contact information Yes
Any Parent financial or payment data No
Any other parent data (e.g. employment details, reference checks etc.) Yes (Not required)


Utilisation and Storage of Data Classification Framework or Policy in Place Initial onboarding of employees includes police, criminal records and background check. N/A for contractors and/or 3rd parties.
Protection of Data at Rest and In Transit Public-facing website(s) and APIs are served over HTTPS. Database data is protected at rest and in transit; database connections use enforced TLS 1.2 over a private and isolated services subnet.
Employees that have Access to Customer and User Data Internal developers and sales staff for processing of orders only.
Training for Vendor Officers or Employees Accessing Protected Information Internal developers and sales staff receive training on governing confidentiality prior to receiving access to information.
Solution and/or Database Administration Functions Outsourced to 3rd Parties N/A - No support and/or administration functions are outsourced.
System Administrator Access to Systems that Store and Process Sensitive Data Protected by technical controls; direct database (SQL) access is restricted to senior engineers only.
Employees, Contractors or Other 3rd Parties Checks Initial onboarding of employees includes police, criminal records and background check. N/A for contractors and/or 3rd parties.
Controls to Prevent Unauthorised Access to Data Data is stored in an isolated network with no access from external/public sources. A Web Application Firewall protects the websites and APIs. Best-practice approaches are used to protect APIs and authenticate users. Role-based access limits each service connection to the capabilities it requires.
Controls to Prevent Copying or Theft of Data by Employees Technical controls, including Data Loss Prevention (DLP); Acceptable use policy.
Data (Identifiable, De-Identified or Summarised) Shared with and/or Sold to any other Company, Entity, Organisation, Research Body or Government Department Other than as expressly set out in HKL Policy, or as otherwise required or permitted by law, we will not share, sell or distribute any personal information without prior written consent.
Exposing Users (Including Minors) to Information, Advertising or Content of a Detrimental or Offensive Nature Services do not deliver any advertising, and no detrimental and/or offensive material is served, or able to be served, via HelpKidzLearn.
Geolocation or Biometrics Data Collected as Part of the Provision of the Service or Product N/A
Collection of Data that Constitutes the Minimum Possible Requirement to Operate the Service or Product and Supports 'Data Minimisation' N/A
Utilisation of Features that Ensure 'Privacy by Design' Yes; Secure coding guidelines and developer training.

SECTION 4 – LOGGING INFORMATION

Logs of Employee Access to Systems and Data Yes - Comprehensive logging; Risk assessment.
Duration of Logs Retained Logs retained for maximum 90 days.
Access to Logs Internal administrative staff only.
Security Incident and Event Logs Yes - Comprehensive logging (all elements of the solution).
Duration of Security Logs Retained Logs retained for maximum 90 days.
Access to Security Logs Internal administrative staff only.
SIEM or Other Monitoring and Alerting Solution to Triage and Manage Security Events and Incidents Yes - Log monitoring and alerting capability: Application Insights, Prometheus and Grafana.

SECTION 5 – ACCESS AND AUTHENTICATION INFORMATION

Users Authenticate to the Solution Email address/password.
Provision of Unique Usernames for All Users Yes - All usernames are unique.
Validation of Access for Legitimate User User access is managed by the Payee.
Responsibility for Managing the Creation, Provisioning, Maintenance and De-Provisioning of User Accounts Managed by the Payee.
Secured User Credentials Password encryption.
Support of Role Based Access Role based access (administrator, staff and student accounts).
Does the solution support Multi Factor Authentication i.e. MFA, 2FA etc? No support for MFA.
Access Apps on the User's Device to Deliver Supplemental Functionality N/A
Age Restrictions on the Use of the Service No age restrictions in place.
Parental Consent Rules for the Product or Service N/A
Public Facing or In-Solution Browsable Profile for Created User Accounts N/A
Minimum Standards Applied to Passwords for User Authentication Minimum password length of 6 characters.

SECTION 6 – SECURITY ASSURANCE INFORMATION

Vulnerability Assessment Across Customer Solution and Corporate Environment Azure Vulnerability Scanning, Monitoring and Notifications.
Security Assessments Available to Consumers of Solution Yes - Available upon request.
Policy for Notifying Users of a Data Breach Notification to impacted users within 7 days of data breach event.
Date of Last Solution or Corporate Systems Data Breach N/A

SECTION 7 – DATA PRIVACY AND ACCESS INFORMATION

Owner of Content, Data Uploaded or Created within Product or Service Vendor.
Process for Individual User to Request a Copy of their Data Held by Company? Phone and email - Validation required.
Account Closure and Complete Deletion of Profile and Associated Data Yes - Available upon request - Validation required.
Customer and User Data Retained after a User Profile is Deactivated/Deleted Immediate data deletion.
User or Customer Data Utilised to Target the Sale of Additional Services or Products Legitimate interest / Consent based.
Supply Complete Data-Set of All Accounts Following Discontinuation of the Service Yes - Available upon request.
Provide Evidence and Assurance for Validation Purposes of Particular Personal Data-Sets Held and/or Have Been Securely Deleted Yes - Available upon request.
Right to Complain About Possible Breaches and Unauthorised Disclosures of Data To report security-related issues and/or improvements, please contact the HelpKidzLearn information security team using the following contact details:

Email: [email protected]
Telephone: +44 1457 819790
Mail to: Chief Privacy Officer, HelpKidzLearn, Inclusive Technology Ltd. Unit 8-9, Riverside Court, Huddersfield Road, Delph, Oldham, UK, OL3 5FZ.

We are a small team and appreciate your support and assistance in improving our services for our customers and the learners with severe and complex needs they support.
Data Provision Audits No more than once a year, or following unauthorised access, and upon receipt of a written request with at least 10 business days' notice, we will allow an audit of the security and privacy measures in place to ensure protection of Student Data.