Encryption Policy
Breakout Learning Inc.
Purpose
This policy defines the organizational requirements for the use of cryptographic controls and cryptographic keys to protect the confidentiality, integrity, authenticity, and nonrepudiation of information. Breakout Learning Inc. abides by the policies required by vendors and other partners.
Scope
This policy applies to all systems, equipment, facilities, and information within the scope of Breakout Learning Inc.’s information security program. It includes all employees, contractors, part-time and temporary workers, service providers, and anyone employed to work on behalf of Breakout Learning Inc. in relation to cryptographic systems, algorithms, or keying materials.
Background
This policy outlines the high-level objectives and implementation requirements for Breakout Learning Inc.’s use of cryptographic algorithms and keys to ensure secure communications, data protection, and compliance with external security requirements.
Roles and Responsibilities
- Chief Technology Officer (CTO): Responsible for overseeing the implementation of cryptographic controls.
- Policy Manager: Ensures that the policy is followed and updated as needed.
- IT Security Team: Responsible for implementing and maintaining encryption controls according to this policy.
Policy
Cryptographic Controls
Breakout Learning Inc. uses cryptographic controls to protect systems and information. The following table outlines the specific controls applied:
| Name of System / Type of Information | Cryptographic Tool | Algorithm | Key Size |
|---|---|---|---|
| PKI for Authentication | OpenSSL | AES-256 | 256-bit key |
| Data Encryption Keys | OpenSSL | AES-256 | 256-bit key |
| Virtual Private Network (VPN) Keys | OpenSSL and OpenVPN | AES-256 | 256-bit key |
| Website SSL Certificate | OpenSSL, CERT | AES-256 | 256-bit key |
Public Cloud PII Protection
- PII Encryption at Rest: Breakout Learning Inc. relies on its cloud provider to handle encryption at rest for all data that may contain personally identifiable information (PII). This ensures compliance with data protection regulations.
- Databases: All cloud-hosted databases are encrypted using the cloud provider's default encryption mechanisms. Regular audits are conducted to verify correct encryption settings.
- Blob Storage: All blob storage services are configured to encrypt objects at rest using the default cloud provider settings. Periodic reviews validate the effectiveness of these encryption controls.
- Authentication Data: Authentication-related data (e.g., passwords, tokens, certificates) must be stored encrypted at rest. Access is strictly controlled and limited to authorized personnel only.
Obtaining Information
Breakout Learning Inc.’s cloud-based software platform customers can obtain information regarding:
- The cryptographic tools used to protect their information.
- Available capabilities to apply their own cryptographic solutions.
- The countries where cryptographic tools are used to store or transfer data.
Revision History
| Version | Date | Editor | Approver | Description of Changes |
|---|---|---|---|---|
| 1.1 | 2024/10/01 | Nikita Rogatnev | Joshua Oster-Morris | Standardized role titles across all relevant policies, replacing previous variations |
| 1.0 | 2024/01/01 | Joshua Oster-Morris | Jake Shepherd | Initial version |