Encryption Policy

Breakout Learning Inc.


Purpose

This policy defines the organizational requirements for the use of cryptographic controls and cryptographic keys to protect the confidentiality, integrity, authenticity, and nonrepudiation of information. Breakout Learning Inc. abides by the policies required by vendors and other partners.


Scope

This policy applies to all systems, equipment, facilities, and information within the scope of Breakout Learning Inc.’s information security program. It includes all employees, contractors, part-time and temporary workers, service providers, and anyone employed to work on behalf of Breakout Learning Inc. in relation to cryptographic systems, algorithms, or keying materials.


Background

This policy outlines the high-level objectives and implementation requirements for Breakout Learning Inc.’s use of cryptographic algorithms and keys to ensure secure communications, data protection, and compliance with external security requirements.


Roles and Responsibilities

  • Chief Technology Officer (CTO):
    Responsible for overseeing the implementation of cryptographic controls.
  • Policy Manager:
    Ensures that the policy is followed and updated as needed.
  • IT Security Team:
    Responsible for implementing and maintaining encryption controls according to this policy.

Policy

Cryptographic Controls

Breakout Learning Inc. uses cryptographic controls to protect systems and information. The following table outlines the specific controls applied:

| Name of System / Type of Information | Cryptographic Tool  | Algorithm | Key Size    |
|--------------------------------------|---------------------|-----------|-------------|
| PKI for Authentication               | OpenSSL             | AES-256   | 256-bit key |
| Data Encryption Keys                 | OpenSSL             | AES-256   | 256-bit key |
| Virtual Private Network (VPN) Keys   | OpenSSL and OpenVPN | AES-256   | 256-bit key |
| Website SSL Certificate              | OpenSSL, CERT       | AES-256   | 256-bit key |


Public Cloud PII Protection

  • PII Encryption at Rest:
    Breakout Learning Inc. relies on its cloud provider to handle encryption at rest for all data that may contain personally identifiable information (PII). This ensures compliance with data protection regulations.
  • Databases:
    All cloud-hosted databases are encrypted using the cloud provider's default encryption mechanisms. Regular audits are conducted to verify correct encryption settings.
  • Blob Storage:
    All blob storage services are configured to encrypt objects at rest using the default cloud provider settings. Periodic reviews validate the effectiveness of these encryption controls.
  • Authentication Data:
    Authentication-related data (e.g., passwords, tokens, certificates) must be stored encrypted at rest. Access is strictly controlled and limited to authorized personnel only.

Obtaining Information

Breakout Learning Inc.’s cloud-based software platform customers can obtain information regarding:

  • The cryptographic tools used to protect their information.
  • Available capabilities to apply their own cryptographic solutions.
  • The countries where cryptographic tools are used to store or transfer data.

Revision History

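| Version | Date       | Editor              | Approver            | Description of Changes                                                               |
|---------|------------|---------------------|---------------------|--------------------------------------------------------------------------------------|
| 1.1     | 2024/10/01 | Nikita Rogatnev     | Joshua Oster-Morris | Standardized role titles across all relevant policies, replacing previous variations |
| 1.0     | 2024/01/01 | Joshua Oster-Morris | Jake Shepherd       | Initial version                                                                      |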