Protecting Privacy: Lightspeed Systems Overview

Lightspeed Systems Commitment to Protecting Privacy

Our solutions connect technology and teaching in ways that make collection and use of data necessary.
Lightspeed Systems understands the need to safeguard the personal and confidential data of our customers, employees, and business partners. We believe privacy and security are everyone’s responsibilities and we provide innovative solutions that enhance rather than compromise data privacy and security. Lightspeed Systems offers valued, high-quality, and secure products and services that satisfy our users and associates while safeguarding their privacy rights.

We focus on security fundamentals, including secure practices to ensure that data shared and collected remains private and protected.

  • 1. We will always be transparent in the data we collect and how it is used.
  • 2. We will only collect the data that is necessary for the solutions and functions the school has purchased/contracted.
  • 3. We will always treat that data, as we treat our own data, with the utmost security and privacy.
  • 4. We will never sell your data; we will never share it without prior authorization from the customer; and we will never use it to attempt to sell advertising to students.

Data Collection

We define our data collection practices in our privacy policy: https://www.lightspeedsystems.com/privacy/#section-1

Information Provided Directly to Us Through Our Products

The information that we collect depends on the products, and features within those products, used by customers. We collect some information directly from school customers (e.g., information collected when signing up to use our products) and students (e.g., browsing information). We also collect some information automatically (e.g., product usage information).

Lightspeed Systems may have access to personally identifiable information about students (hereafter referred to as “Student Data”) in the course of providing its services to schools. We recognize Student Data is confidential and do not use such data for any purpose other than to provide services to their schools. In many instances, Lightspeed Systems receives Student Data only from schools and doesn’t collect data from its students. Depending on the products and services utilized by schools, schools may allow students to interact with Lightspeed Systems services. In those instances, the schools must provide students with login credentials and confirm that they have obtained appropriate parental consent, as needed, before students are permitted to access the service(s). Lightspeed Systems has access to Student Data only as permitted by schools and only for the purposes of performing services to schools.

The information that is collected varies depending on customers’ product licenses and implementation methods:

For Lightspeed Systems Web Filter customers using Lightspeed Systems Rocket appliances, appliances are hosted on each customer’s network. Customers have full access to their data and manage sharing of this data, including access by Lightspeed Systems staff for support needs. Lightspeed Systems support staff are located in the United Kingdom and United States. Customers may choose to enter personal information about students by integrating their student information systems (SISs); alternatively, customers may filter anonymously. If there is no SIS integration, the Lightspeed Systems customer support employees will only be able to see the name of the customer account and general web traffic information on the account. Customers may choose to add specific user information to their accounts, which may include unique SIS user IDs, usernames, first and last names, email addresses, and web traffic data.

Data from customers who use SaaS products, including Relay, Mobile Manager, and Classroom, is stored in a database that is hosted in the United States. Customers commonly sync student records to this shared database for classroom-specific management capabilities across these products. Customers have full access to manage this data. Lightspeed Systems employee access to this data is limited to customer support needs. We do not share this information with any third parties unless specifically directed by customers via signed documents. The personal contact information collected may include network usernames, email addresses, first and last names, school grades/year levels, class and group memberships, user search queries, and device location data.

Non-Personally Identifiable Information

We may collect certain non-personally identifiable information from visitors to our sites and users of our services. Non-personally identifiable information may include date and time of website visits; browser types (e.g., Chrome, Firefox, Internet Explorer); operating system types (e.g., Windows 7 or Mac OS); visitor ISP; and aggregate information of web history. We may collect data for schools to monitor and generate reports of their users’ online search queries; websites visited, including blocked websites users attempted to access; web activity; and device geolocation for purposes of asset recovery. In addition, we may monitor schools’ onboarding tasks; search queries committed on our websites; number of users’ sessions on our websites; cities and states/provinces where our services were accessed; responses to our survey questions; and content provided on managed devices via customizable fields.

We may also match non-personally identifiable information from registered members with personally identifiable information (such as the members’ names) in our database to track deployment progress, troubleshoot services issues, analyze usage, and otherwise monitor services for the purposes of improving our services. Lightspeed Systems and its third-party service providers use cookies (session cookies as well as persistent cookies) and other tracking mechanisms to automatically collect information including IP addresses, session sources, and other data which tracks users’ access to the services. We may combine this information with other personal information we collect from you (our third-party service providers may do so on our behalf).

Third-party advertising networks are never allowed to collect information about the users of our websites or services.

The Lightspeed Systems privacy policy can be viewed here:
http://www.lightspeedsystems.com/privacy

Account Contacts

To provide services purchased, we collect schools’ names, addresses, phone numbers, fax numbers, websites and authorized contacts, including support-entitled users (SEUs).

For purposes of communicating on sales processes, support processes and other important updates from Lightspeed Systems, we collect customer representatives’ first and last names, job titles, business phone numbers, business email addresses, and business billing address.

Support Entitled Users (SEU)

For purposes of providing product support, verifying SEU identity, and communicating product updates and release notes, we collect SEUs’ first and last names, job titles, business phone numbers, business email addresses, and business billing addresses.

Does Lightspeed Systems use a student information system?

Lightspeed Systems may receive data from student information systems via secured transmissions directly from its customers or through mutually agreed-upon and trusted third-party providers.

Network Operations Center Management and Security

Does Lightspeed Systems perform tests to identify vulnerabilities within their network?

Yes, Lightspeed Systems performs vulnerability management and intrusion prevention testing. Vulnerability management allows us to identify, classify, remediate, or mitigate vulnerabilities.

Are all network devices located in secure facilities and under controlled circumstances?

Yes, network devices are protected in multiple data centers by a variety of security measures. Lightspeed Systems uses a combination of restricted access, identification cards, access logs, biometric scanners and two-factor authentication for hosted services.

Are backups performed and tested regularly and stored off-site?

Yes, backups are performed regularly and range from real-time to once-daily replication. Data is stored at geographically different locations to enhance security of the information being stored. Our master databases have fully redundant replicas spread across multiple data centers in multiple locations.

How are these backups secured and disposed?

Lightspeed Systems uses online storage secured in data centers to house our backups. Only authorized persons with specific identification credentials can gain access. Data center interiors and exteriors are monitored by cameras and human security patrols. Disposal of backups is handled in accordance with lifecycle rules, which may range from 15 days to one year.

Are software vulnerabilities patched routinely and automatically on servers?

Yes, we subscribe to services and monitor security bulletins to determine risks and threats to our systems. System updates are routinely performed to address all security risks that apply to our systems.

Data Storage and Data Access

Where will the information be stored and how is at-rest data protected?

All information is stored in highly secured data centers. Data such as passwords are encrypted with a cryptographic hash function.

How will the information be stored?

Data is stored in the cloud with multi-tenant hosting and secured in our remote data centers. Lightspeed Systems complies with the Family Education Rights and Privacy Act (FERPA), which requires that school records be maintained separately from data from other school systems and users.

In addition, Lightspeed System is in alignment with guidelines from Privacy Technical Assistance Center, U.S. Department of Education (PTAC), which provides relevant information and guidance on privacy, confidentiality, and security resources for student data systems.

Where are the servers physically located?

Lightspeed Systems uses secure data centers in the United States to house our servers. Access to physical servers requires keying in an access code and providing a matching physical hand scan. Also, only authorized persons with specific identification credentials may gain access. Once the authorized persons have been verified, the data center interior requires further credentials to continue. The data center interiors and exteriors are monitored by cameras and regularly manned security patrols. Upon exiting the facility, authorized personnel must check out with the security desk and have any bags or boxes on their person inspected. If personnel remove equipment from the data center, they must provide a description of the equipment along with a serial number, if possible. This information is logged and a signature on that log entry is required.

How does Lightspeed Systems protect data in transit?

Sensitive data is hashed and sent through Secure Sockets Layer (SSL).

Who has access to information stored or processed by Lightspeed Systems?

Lightspeed Systems staff, support and development staffs have access to data processed by Lightspeed Systems. All employees undergo background checks upon hire.

Customer administrators: Customers are required to be on a Support Entitled User (SEU) list for their organization to gain support on their accounts. Calls from persons not on the SEU list are verified with district personnel and added to the list before Lightspeed Systems provides support.

Customer staff: Users can access the data collected and used by Lightspeed Systems. Schools may access and update account information and modify services by signing into administrator accounts. Adult users may access and change the information collected at any time during account creation and as often as necessary by choosing the “edit account information” option or other similar functionality offered in the services. To edit or access data not available through such accounts, users can contact our Privacy Officer at privacy@lightspeedsystems.com.

Student users and their parents/guardians: Student users of Lightspeed Systems services and their parents should contact their educational institutions or other organizations providing the service about access to the personal information collected by those institutions.

If student or other sensitive data is transferred/uploaded to the provider, are all uploads via SFTP or HTTPS?

Lightspeed Systems and any agreed-upon partners require that all data transfer use the Transport Layer Security (TLS) or Secure Sockets Layer version 3 (SSLv3) cryptographic protocol over a HTTPS connection. This means that unique session keys are used to encrypt and decrypt data transmissions and to validate transmission integrity.

Data and Metadata Retention

How does Lightspeed Systems ensure the proper management of data?

Lightspeed Systems staff members who have access to any student data are required to pass an exam on Lightspeed Systems privacy policies, acceptable use of data, and EU-US Privacy Shield as well as agree to strictly follow all privacy, security, and data policies.

How long will Lightspeed Systems retain data?

Following termination or deactivation of a school account, Lightspeed Systems may retain profile information and content for a commercially reasonable time for backup, archival, or audit purposes, but any and all student data associated with the school will be deleted promptly. We may maintain anonymized or aggregated data, including usage data, for analytics purposes. If you have any questions about data retention or deletion, please contact privacy@lightspeedsystems.com.

Development and Change Management Process

Does Lightspeed Systems follow standardized and documented procedures for coding and configuration management for all servers involved in delivery of contracted services?

Yes, Lightspeed Systems has internal documents and procedures for coding and deploying the applications. Lightspeed Systems utilizes an adapted version of SCRUM development practices to develop software. For programing standards and syntax, we have adopted the Github Style guide. Team code reviews help ensure adherence to standards and proper documentation. Lightspeed Systems products include hosted software and on-premise solutions. To address various product needs, we have developed systems and tools to ensure consistent development, testing, and deployment of software.

Does Lightspeed Systems notify school systems about any changes that will affect the security, storage, usage, or disposal of information received or collected directly from those schools?

Yes, Lightspeed Systems will notify customers, via the Community site and/or email, of changes that impact their data such as retention time frames, disposal time frames, changes to data usage, and security measures that change the way customers interact with Lightspeed Systems products.

Availability

Does Lightspeed Systems offer guaranteed service level?

Lightspeed Systems services are available at least 99.5% of the time. Our servers are redundant and continuously monitored for performance and availability. Current performance statistics can be viewed here: http://www.lightspeedsystems.com/sla/

What is the backup-and-restore process in case of a disaster?

Backups are performed regularly and range from real-time to once-daily replication. Data is stored at geographically disparate locations to enhance security of the information being stored. This includes both physical hardware located in our data centers, leased rack space, and virtual application stacks housed in cloud services. In the event of a system failure, all hosted products can be restored by Lightspeed Systems staff to full operation.

Audits and Standards

Does Lightspeed Systems provide school systems the ability to audit the security and privacy of records?

Lightspeed Systems will work with customers who wish to review the security and privacy of their data. This information will require a nondisclosure agreement (NDA) to be in place prior to the review. Customers will be allowed to review only data specific to their organizations.

Does Lightspeed Systems comply with a security standard such as the International Organization for Standardization (ISO) or the Payment Card Industry Data Security Standards (PCI DSS)?

Lightspeed Systems partners with data centers that are SSAE16 SOC-1 Type II Certified to store data safely and securely. Cloud compliance is designed and managed in alignment with regulations, standards, and best practices including, but not limited to: Health Insurance Portability and Accountability Act (HIPAA); Children’s Online Privacy Protection Act (COPPA); Privacy Technical Assistance Center, U.S. Department of Education (PTAC); and the Federal Information Security Management Act (FISMA). Customer security is enhanced with a hybrid cloud platform that provides tools that are tailored to educational needs.

Test and Development Environments

Is “live” student data used in non-production environment?

Lightspeed Systems uses some live data in our non-production testing to ensure that products perform as expected and for comparative performance testing. These systems require the same access to data as production systems and offer the same high level of security and data protection and privacy. The only difference is a greater number of employees have access to our test environments. All employees are required to participate in our PII training and certify they will follow our policies and practices.

Data Breach, Incident Investigation and Response

What happens if your online service provider has a data breach?

Lightspeed Systems will first work to rectify the situation and mitigate further data breach. Once this has been accomplished, a thorough Root Cause Analysis (RCA) will be performed and the proper steps taken to ensure the issue cannot occur again. Customers whose data may have been involved will be notified of the incident including details of the data accessed, RCA, and current status of the school’s data.

Do you have the ability to perform security incident investigations or e-discovery?

Yes, Lightspeed Systems will work with schools to make logs specific to the school’s data available. In the event of a security incident, we will endeavor to share critical details as they relate to the school data. This information will require an NDA to be in place prior to the dissemination of the data.

General Data Protection Regulation (GDPR)

Lightspeed Systems, Inc., has completed our work to comply with the General Data Protection Regulation (GDPR). This work includes documenting and protecting all processing activities that use personal information for both customers and our employees. Within our Privacy Policy, Lightspeed Systems, Inc., provides GDPR-compliant privacy language that explains the personal information that is processed for customers as well as an overview of the policies, procedures, and security measures that Lightspeed Systems utilizes to protect personal data for both customers and employees. We will continue to review and improve our processes as regulations and environments change.

What actions have you taken to prepare for the GDPR?

To meet GDPR compliance, we have done the following:

  • Updated our privacy policy to address GDPR requirements
  • Named a DPO (data protection officer)
  • Established a data governance team
  • Conducted risk assessments
  • Completed an external review
  • Conducted training of all employees
  • Updated our data security plan
  • Updated incident response plan and conducted game-day exercises
  • Implemented Privacy by Design for operations of software solutions, IT systems, networked infrastructure, and business practices
  • Developed a GDPR compliant DPA (Data Protection Agreement)
  • Implemented vendor risk assessment process and completed vendor assessments
  • Completed Privacy Impact Assessments of our processes and products
  • Implemented solutions to track compliance, explicit consent and on-going improvements

Contact Lightspeed Systems

How to contact us is defined in our privacy policy
https://www.lightspeedsystems.com/privacy/#section-8