Security

We take your data security very seriously. All necessary measures are put in place to go above and beyond industry expectations and requirements.

Data Hosting

Data is hosted with Amazon Web Services (AWS) in Montreal. For more information on our supplier’s security processes, visit AWS Compliance.

Encryption at Rest

All data is encrypted at rest. Encryption algorithms such as AES-256 and Eksblowfish are used.

Encryption in Transit

All data is encrypted in transit with TLS/SSL.

Vulnerability Scanning

We have several vulnerability scanning processes, from the quality control process through to final delivery. Vulnerability scanning tools such as AWS Security Hub, AWS Detective and AWS GuardDuty are in place to monitor the infrastructure.

Incident Response

Response and resolution times are relative to the criticality level of the vulnerability found. This includes escalation procedures, rapid mitigation and communication.

Penetration Tests

Automatic penetration tests are carried out regularly, along with analyses of SSL certificates, server configurations and outdated technologies, to protect against the top 10 vulnerabilities established by OWASP.

Protection Against Intrusion

Our web applications are protected by AWS Web Application Firewall. This service protects us against common web exploits and bots that can affect availability, compromise security, or consume excessive resources.

Technology Updates

In order to eliminate security vulnerabilities, improve the platform's features and enhance support for new devices, the latest operating systems and web browsers will be supported.

Logging and Monitoring

We actively monitor various cloud services used by the platform.

Security Standard

We work actively to comply with security best practices, such as OWASP’s ASVS V4.0.

Data Continuity and Disaster Recovery

We use our data hosting provider’s backup services to reduce any risk of data loss in the event of a hardware failure. We use monitoring services to alert the team in the event of any failure affecting users.

Confidentiality

All team members are required to sign and adhere to an industry-standard confidentiality agreement before their first day of work.

Background Checks

We conduct background checks on all team members in accordance with local laws.

Access Security

Permissions and Authentication

Access to cloud infrastructure and other sensitive tools is restricted to authorized employees who require it for their roles. Where appropriate, we have single sign-on (SSO), 2-factor authentication (2FA) and strong password policies to ensure that access to cloud services is protected.

Least Privilege Access Control

We apply the principle of least privilege when it comes to identity and access management.

Password Managers

All company-issued laptops use a password manager for team members to manage passwords and maintain password complexity.

Cyber Risk Insurance

Optania is protected by cyber risk insurance.

Third Party Service Providers

To obtain support with the delivery, maintenance, protection and improvement of our services, Optania shares information with a small group of trusted partners, suppliers and organizations to be processed on our behalf and in accordance with our instructions, privacy policies and any privacy, security or other requirements. These companies only have access to the information necessary to provide the intended services to Optania.

The first table below shows the third-party service providers that Optania uses for its product, how Optania uses their applications, and the information that is shared with or collected by these providers. The second table contains the same information, but for the providers used in our operational activities.

This list may change over time, and we will strive to keep it up to date. If you have any questions, please contact us at support@optania.com.

Third Party Service Providers for the Optania Product

| Name | Link to their Privacy Policy | How is the provider's service used? | Data collected by these partners or shared between them and Optania |
| --- | --- | --- | --- |
| Amazon Web Services | //aws.amazon.com/fr/agreement/ | AWS provides Optania with servers and document storage. | All content uploaded by users (files, images) is hosted by AWS. The application code is hosted on AWS servers. All user data and product events are stored here. All personal data written is encrypted at rest and the transfer is also encrypted. |
| Bugsnag | //docs.bugsnag.com/legal/privacy-policy/ | Bugsnag allows us to track errors and anomalies on our servers. | User-level production of server logs and product event logs. |
| Google Analytics | //policies.google.com/privacy | Google Analytics allows us to manage and monitor user interactions. | Optania records user event data in Google Analytics to better understand their behaviour. |
| Sendgrid | //www.twilio.com/legal/privacy | SendGrid allows us to send updates by email. | Email addresses and other associated user-level data (e.g., name). |
| Sentry | //sentry.io/privacy/ | Sentry allows us to monitor and view our servers’ performance. | User-level production of server logs and product event logs. |
| Stripe | //stripe.com/en-ca/privacy | We use Stripe to process online payments. | Billing information, name and address of the customer purchasing the product, type of sale, sale amount, method of payment and payment details (credit card information). |
| Zoho Desk | //www.zoho.com/privacy.html | Zoho allows us to organize and respond to support requests. It also allows us to manage the knowledge base. | As part of the process of responding to support requests, Optania provides Zoho Desk with the email address of teachers who submit a request and the content of these requests (e.g. bug reports). Users can also provide information directly to Zoho Desk while their support request is being responded to and while they communicate with a customer service representative. |

Third Party Service Providers for our Operations

| Name | Link to their Privacy Policy | How is the provider's service used? | Data collected by these partners or shared between them and Optania |
| --- | --- | --- | --- |
| GSuite for Work | //policies.google.com/privacy?hl=fr-CA | This workspace is used by Optania for internal emails, documents, slideshows, spreadsheets, etc. | Optania uses Google services to store its own emails and files. As part of its use of these services, Optania may communicate personal information to Google, for example, if a user sends an email to an employee requesting support. |
| Slack | //slack.com/intl/en-ca/trust/privacy/privacy-policy | This messaging platform is used for Optania's internal communications and notifications. | As part of the investigation following a bug report or other support request, and the resolution of the bug where appropriate, members of the Optania team collaborate using Slack instant messaging, and in doing so may share the email address of the person making the request and the content of the request (e.g. bug reports, other support centre request) internally. |
| Trello | //www.trello.com/privacy/ | This internal project management platform is used to organize the work done by our staff. | Trello is a work management platform that allows us to organize projects and tasks between our different teams. We use it to manage product development. |
| Zoho CRM | //www.zoho.com/privacy.html | Zoho is used to manage and track conversations with potential and current customers. | Zoho retains copies of email exchanges and customer information, including name, email address, physical/mailing address, and organization name. |
