Data Protection Policy
Breakout Learning Inc.
Purpose
This policy outlines the procedures and technical controls that Breakout Learning Inc. has implemented to support the protection of data, including email addresses.
Scope
This policy applies to production systems that create, receive, store, or transmit Breakout Learning Inc. customer and employee data (hereafter referred to as "Production Systems"). All such systems must follow the requirements and guidelines described in this policy.
Roles and Responsibilities
- Chief Information Security Officer (CISO): Responsible for ensuring the establishment, review, and enforcement of information exchange agreements and corresponding security controls.
- Legal and Compliance Team: Ensures that agreements fulfill legal and regulatory requirements.
- IT Security Team: Implements and monitors the technical aspects of the agreed-upon security controls.
Data Protection Implementation and Processes
Customer Data Protection
Breakout Learning Inc. hosts its services on GCP (Google Cloud Platform) in the us-central1 region, with data replicated across multiple regions for redundancy and disaster recovery.
Access Controls
Breakout Learning Inc. employee access to production systems is controlled by an approval process, and access is granted temporarily. Access is reviewed by the security team on a case-by-case basis.
Separation of Customer Data
Customer data is logically separated at the database level using unique identifiers. The API layer enforces separation to ensure that each client can only access their designated data.
Purpose, Collection, and Use of Email Addresses
Breakout Learning Inc. collects and retains email addresses for the following purposes:
- To deliver personalized learning experiences to users.
- To improve AI models for product offerings.
- To comply with contractual and legal obligations.
Email addresses are collected and processed in accordance with data protection laws and are secured with encryption at rest and in transit.
Security Measures for PII (Email Addresses)
Since email addresses are the only PII, the following security measures are implemented in place of DLP software:
- Encryption: Email addresses are encrypted both at rest and in transit to prevent unauthorized access.
- Access Controls: Access to email addresses is restricted to authorized personnel with a legitimate business need. Role-based access controls (RBAC) are in place to ensure proper authorization.
- Monitoring and Logging: Access to systems containing email addresses is monitored and logged. Regular audits are performed to detect any unauthorized access or activity.
Deletion Protection for Cloud Resources
Breakout Learning Inc. implements deletion protection mechanisms to safeguard customer and employee email addresses on cloud systems. This includes role-based access controls (RBAC), deletion confirmation workflows, regular backups, and monitoring of deletion activities.
Event Logs
All systems handling email addresses, accepting network connections, or making access control decisions will record and retain audit logs that include the following:
- Type of action (e.g., create, read, update, delete, or accept a network connection).
- Subsystem performing the action.
- Identifiers for the subject requesting the action (e.g., user name, computer name, IP address).
- Identifiers for the object the action was performed on (e.g., file names, database records).
- Before and after values when the action involves updating a data element.
- Date and time of the action.
- Action outcome (whether allowed or denied).
Audit logs are securely stored, monitored, and periodically reviewed to ensure data integrity and accountability.
Revision History
Version | Date | Editor | Approver | Description of Changes
1.1 | 2024/10/01 | Nikita Rogatnev | Joshua Oster-Morris | Standardized role titles across all relevant policies, replacing previous variations
1.0 | 2024/01/01 | Joshua Oster-Morris | Jake Shepherd | Initial version