Welcome to our Trust Center

Our mission is to help keep every child safe and thriving in their digital life and to empower the schools and parents who care for them. That includes building our products and services with security, privacy, compliance and ethics in mind.

Find out more below and if you have any questions please contact us.

None of us is as powerful as all of us

A message from our
Chief Information Security Officer

“Security, privacy, compliance and ethics are at the core of everything we do. We are relentless in our commitment to protecting our products as well as the schools, parents and children who depend on them.

As Chief Information Security Officer for Qoria, and a father of four children, I couldn’t feel a greater responsibility to this mission. Here in our Trust Center you'll find more information on our approach. If you have any questions please contact us.”

Michael Hyndman

Chief Information Security Officer (CISO)

Responsible Disclosure Program

Responding quickly to vulnerabilities is an important part of our approach to security. We work with external security researchers to challenge our products and we welcome vulnerability reports via our responsible disclosure program.


Qoria Trust Principles

Security
We invest significantly in security and risk reduction across our products, infrastructure and enterprise.
Compliance

We align with industry frameworks, standards and certifications to give peace of mind.

Privacy

We maintain a global privacy program to ensure the agency of our customers and the protection of their data.

Ethics

We take our ethical practices extremely seriously. We seek to be proactive and accountable in all that we do. Find out more.

Security

Operational safeguards

  • Security operations center (SOC & SIEM): Our SOC continuously monitors our cloud environment for threats. 

  • Incident management: Our Incident Response plan governs how we identify, contain and recover from incidents. 

  • Incident simulation testing: The response capability of our organization, executives and engineers is tested annually in simulated cyber attacks / tabletop exercises.

Technical safeguards

  • Data encryption (in transit and at rest): Our products are hosted with the world’s top cloud providers, giving us industry-leading, out-of-the-box capabilities for encryption in transit and at rest.

  • Endpoint detection and response (EDR): We use industry leading endpoint detection and response across our enterprise and infrastructure assets.

  • Disaster recovery: Critical data is backed up with top-tier regional redundancy, our infrastructure is defined as code, and both are designed to be restored quickly if needed.

  • Identity and access management: User and admin account hygiene is monitored carefully. MFA is enforced on key systems, with hardware-token-based MFA required for highly privileged access.

  • Vulnerability identification: We use multiple mechanisms to continuously discover vulnerabilities across our global infrastructure (including both internal and external assets) and code base. 

Administrative safeguards

  • Attack surface management: We monitor our external attack surface and products for misconfigurations and vulnerabilities at least daily.

  • Dedicated in-house security & data privacy capability: We have dedicated expertise in product and application security, cloud security, data privacy, enterprise security and more. These teams and our overarching security and privacy strategy are managed by our Chief Information Security Officer.

  • NIST framework: Our security investments are guided by industry standard and risk based frameworks, such as NIST.

  • Employee background checks: Our employees are all background checked. 

  • Data breach notification: We notify customers of data breaches in line with all relevant regulatory requirements.

  • Vulnerability management: Our internal vulnerability management policy governs how we identify and respond to vulnerabilities. 

  • Employee privacy and security awareness training: All staff are required to undergo LMS-based cyber security training, along with security briefings that connect them with the security team.

  • Vendor / third party risk management: Vendors and third party products are risk assessed via our third party risk management process. 

  • IT security & privacy policies: We have a number of security policies which govern data privacy, incident response, identity and access, asset security, acceptable use, vulnerability management and more.

  • Asset management: We have in place comprehensive internal and external asset management to ensure that we maintain a reliable view of our security posture. 

  • Data security posture management: We take proactive steps to minimize data storage and processing in our environment and ensure that risks to data are actively minimized.

Physical safeguards

  • Data center security: We use industry-leading data centers which are compliant with SOC 2, HIPAA, PCI DSS and ISO 27001.

Product security

  • Code vulnerability scanning & management: We scan our code for dependency vulnerabilities and our policy governs how and when teams are expected to fix these. 

  • Penetration testing: We perform penetration testing on our products at least annually, and more often where needed.

  • Responsible disclosure reporting: We encourage external researchers to report any vulnerabilities they find in our products so that we can address them quickly.

  • Secure-by-design software development: Security is a key consideration in software and feature development from the outset - our security team is involved in the review of each new initiative & build design. 

  • Privacy-by-design software development: Privacy is a key consideration in software and feature development from the outset - our privacy team is involved in the review of each new initiative.

Compliance

SOC 2

We have successfully completed SOC 2 Type I and II audits for Linewize School Manager and Classwize, Smoothwall Monitor, Smoothwall Cloud Filter, Smoothwall Cloud Reporting and Linewize Pulse. For any further information about this, please contact us.

FERPA

Family Educational Rights and Privacy Act (FERPA) protects access to and sharing of a student’s education record. It gives parents and eligible students the right to see, check, review, and correct student records. Qoria follows these rules when we receive a verified written request from a school district.

COPPA

The Children's Online Privacy Protection Act (COPPA) requires parental consent before personal information is collected online from children under 13 in the U.S. Qoria follows COPPA rules for children's online safety; student accounts are provisioned through trusted educators or schools, who obtain parental approval first.

NIST CSF

The NIST Cybersecurity Framework (CSF) is a widely used set of standards, guidelines and best practices for managing cybersecurity risk.

The National Data Privacy Agreement (NDPA)

The NDPA is designed to streamline contracting and set common expectations between US schools/districts and marketplace providers. School districts who would like to sign the NDPA with us can contact us at privacy@qoria.com.

iKeepSafe

iKeepSafe uses qualified experts to certify technology used by children and in educational settings. It helps vendors meet the complex and demanding compliance standards required by federal and state laws, so they can sell their technology with confidence. Our iKeepSafe-certified products include Monitor, Pulse, Classwize and School Manager.

GDPR (UK & Europe)

The General Data Protection Regulation (GDPR), together with its UK counterpart (the UK GDPR), regulates information privacy in the European Union and the United Kingdom.

CPRA & CCPA

The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) aim to enhance consumer privacy rights, giving individuals more control over their personal information.

New York Education Law §2-d

Under New York Education Law §2-d, educational institutions must protect students' personally identifiable information (PII) by ensuring that any use and disclosure of PII benefits students. It also prohibits the inclusion of PII in public reports or other public documents.

SOPIPA

The Student Online Personal Information Protection Act (SOPIPA) applies to websites, applications and online services that provide programs or services for K-12 students. Among other things, SOPIPA prohibits sharing student data and using it to target advertising at students for non-educational purposes.

Australian & New Zealand privacy principles

These are the Australian and New Zealand laws that govern how businesses can collect, store, use and share customer information.

ST4S

ST4S is a national privacy and security initiative by Education Services Australia that assesses online products and services against a nationally consistent privacy and security control framework used by schools across Australia and New Zealand. Our Pulse product has been assessed by ST4S.

Privacy

List of cookies

See the cookies that are used by our products and their purpose.

List of data processors

See a list of the data processors that we use.

Privacy policy

Our privacy policy explains how we protect your data, agency & rights.

Privacy policy for kids

We provide a simplified version of our policy for kids to read.

Data processing agreement

Our data processing agreement regulates the processing of data.

Marketing and advertising policy

Find out more about our marketing and advertising policy.