Overview of Security Policies by SMART Technologies ULC

Last Updated July 5, 2018

Overview

This document provides information about the security policies that SMART uses to secure its web services and any collected user data. SMART takes security seriously and follows industry best practices to secure our users' data and our services.

Access Control

Physical Security

We host our web services on Google Cloud and Amazon Web Services. They provide state-of-the-art security for all their data centers. They have the following certifications: ISO 27001, SOC 2/3 and FedRAMP. For details, please see the following resources:

https://www.google.com/about/datacenters/inside/data-security/

https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf

User authentication

Users authenticate with our services using their Google or Microsoft account. The authentication is then done using OAuth 2.0 and OpenID Connect. This ensures that authorization is handled by your trusted identity provider.

Customer Data Access

Access to customer data is given when investigating incidents or issues and, in those situations, it is only given to folks who need access. All SMART employees who could be given access to customer data undergo background checks performed by a third party. This includes criminal background checks, education and previous employment verification.

As a customer you may make a request to know what data SMART has collected about you and make a request to delete such data. 

Security and Vulnerability Testing

SMART performs internal security audits every quarter. These audits focus on a wide range of potential attack vectors and potential security concerns. We also engage a third party to run a security audit on a yearly basis, which includes manual penetration testing and running dynamic scanning tools.

As a customer you may request the results of such security audits or provide SMART with your own security questionnaire to fill out. 

Data Protection

In Transit

We use HTTPS and TLS version 1.0, 1.1 or 1.2 for all data in transit.

At Rest

Data at rest is encrypted using AES-256 or AES-128.

Availability

Backups

We are currently performing backups every 2-24 hours depending on the data. These backups are stored in a Google Cloud Storage bucket which allows us to leverage the Google infrastructure to ensure the security and safety of our backups.