Lab-Aids Data Security Policy
1. Purpose
This document outlines how Lab-Aids, Inc. (“Lab-Aids”) and our partners, Magic Software, Inc. (“Magic Software”) and AGP C2C Fund LLC ("EvoText"), protect users’ data.
Lab-Aids offers students, teachers, and staff at schools, school districts, charter schools, individual/private customers, and state educational agencies (collectively referred to as "educational agencies" [EA]) the ability to access their respective curriculum online via platforms created by:
- Science Curricula: "MagicBox," created by Magic Software
- Mathematics Curricula: "Content2Classroom," created by EvoText
Lab-Aids works with both Magic Software and EvoText to provide reliable and useful online access to curricula provided by Lab-Aids, while at the same time ensuring that students’ and teachers’ data is protected.
The purpose of this data security policy includes defining, documenting, and supporting the implementation and maintenance of the administrative, technical, and physical safeguards Lab-Aids has selected to protect personally identifiable information (“PII”), student work, and other associated data it collects, creates, uses, and maintains.
2. Scope
2.1 Data In Scope
This data security policy applies to all user data accessible from the Lab-Aids Science Portal and the Lab-Aids Math Portal, which includes PII (personally identifiable information), directory information, assessment data, platform analytics, API credentials, SSO details, and licensing information. Therefore, it applies to every server, database, and IT system that handles such data, including all devices that are regularly used for email, web access, or other work-related tasks involving such data.
This policy applies to Lab-Aids employees and subcontractors who have access to these data via the Lab-Aids Science Portal (online science curriculum platform; https://portals.lab-aids.com) and the Lab-Aids Math Portal (online math curriculum platform; https://math-portals.lab-aids.com). It applies to any records that contain personal (and other sensitive) information in any format and on any media, whether electronic or physical, that are produced by or associated with the Lab-Aids Science Portal or the Lab-Aids Math Portal.
2.2 Data Out of Scope
Public information lawfully obtained that is available to the general public, including publicly available information from federal, state, or local government records, is not subject to this policy, nor is sales data regarding online licenses purchased for the Lab-Aids Science Portal or the Lab-Aids Math Portal. Other data can be excluded from the policy by company management based on specific business needs.
3. Principles and User Responsibilities
3.1 Overview
Lab-Aids provides employees and contracted third parties (“users”) with access to information they need to carry out their responsibilities as effectively and efficiently as possible. This access shall be granted based on the principle of “least privilege,” which means that each user will be granted the fewest privileges necessary to complete their specified tasks.
3.2 Principles
1. Each user shall be assigned a role that grants the fewest privileges they need to carry out their specified tasks.
2. Each user shall be identified by a unique user ID so that individuals can be held accountable for their actions.
3. The use of shared identities is permitted only where they are suitable, such as training accounts or service accounts.
4. Each Lab-Aids employee and subcontractor shall read this data security policy, and sign a statement that they understand the conditions of access.
5. Records of user access may be used to provide evidence for security incident investigations.
3.3 User Responsibilities
1. All users must log out of the Lab-Aids Science Portal or the Lab-Aids Math Portal (and other platforms that contain data specified in section 2.1) whenever they leave their desks to reduce the risk of unauthorized access.
2. No user may produce or obtain physical copies of sensitive or confidential information (as defined in section 2.1).
3. All users must delete files containing sensitive or confidential information stored on local machines/devices within 24 hours.
4. Local machines/devices that can be used to temporarily store or access such data must be password protected and automatically lock after 10 minutes of inactivity.
5. All users must keep their passwords confidential and not share them.
3.4 Bring Your Own Device (BYOD) Policy
All users must understand that whenever a device is connected to Lab-Aids’ network, systems, or other devices, opportunities exist for:
- Introducing viruses, spyware, or other malware.
- Purposefully or inadvertently copying sensitive and/or proprietary organization information to unauthorized devices.
- Introducing a technical or network incompatibility to the organization that the user is not even aware of.
- Loss of data that may adversely affect the organization if it falls into the wrong hands.
As a result of any of these circumstances, a user connecting their own device to Lab-Aids’ resources, systems, or networks could interrupt business operations, cause unplanned downtime for multiple users, and/or cause a data breach releasing data to unauthorized parties.
Equipment covered by this BYOD policy, referred to as “devices,” includes (but is not limited to):
- Desktops, laptops, and tablet computers
- Smartphones (defined as any cellular telephone that connects to the internet via Wi-Fi or a mobile provider network)
- Flash, memory, and/or thumb drives
- External hard disks
Where applicable, Lab-Aids will ensure the following to facilitate BYOD access as requested for a user’s device:
1. The device does not have a virus, spyware, or malware infection.
2. The device does not have any third-party software or applications that pose a threat to the systems and networks or that could introduce application incompatibilities (any such findings should be removed before proceeding). Lab-Aids reserves the right to make judgment calls regarding which applications (current or future) are appropriate for devices associated with company systems, networks, and data.
3. The device is properly protected against viruses, spyware, and other malware infections and has properly licensed anti-malware software, when appropriate.
4. Devices must be protected by industry-standard encryption to prevent unauthorized access by third parties, where appropriate.
5. For mobile devices that will be associated with company systems, the device must utilize a password (or biometric password) that will automatically lock the device after a one-minute period of inactivity and erase the contents of memory and storage after a maximum of 10 failed authentication attempts. Lab-Aids will also maintain the ability to remotely erase (wipe) these mobile devices in the event of loss or theft.
6. Devices must have all critical and security patches installed.
7. When a device is to be decommissioned, Lab-Aids will remove any required encryption, VPN, and anti-malware licensing from the user’s device. It will also confirm that the user’s device does not contain any traces of data and will delete any that remain on the device.
8. Lab-Aids reserves the right to remotely wipe a device if it has been lost or the employee has been terminated and has not brought their device to Lab-Aids for decommissioning.
9. In the event that a user believes a device that is authorized to connect to the organization’s resources, systems, or networks might be infected with a virus, spyware infection, or other malware threat or might be somehow compromised, they must immediately notify Lab-Aids in writing of the potential security risk.
10. If a user loses or misplaces a personally owned or personally provided device that is authorized to connect to the organization’s resources, systems, or networks, they must immediately notify the IT department in writing of the potential security risk.
11. Whenever a user decommissions, prepares to return, or otherwise ceases using a personally owned or personally provided device that Lab-Aids has authorized for organization use, the user must notify Lab-Aids that the device will no longer be used to connect to organization resources, systems, or networks.
12. Users may not discard previously authorized devices until Lab-Aids approves the device for disposal.
13. Users must attest that they have read and understand this BYOD policy and that violations of this policy could result in termination of employment.
4. Technical & Physical Safeguards
4.1 Overview
Below is a list of the technical and physical safeguards used to protect data:
Lab-Aids Science Portal
1. All data is stored within the United States utilizing an AWS (Amazon Web Services) S3 bucket. All user data (including, but not limited to, usernames, passwords, PII, and performance data) is encrypted at rest using AES-256, and applications run over HTTPS to protect data in motion.
2. No known ID or token enumeration/brute force vulnerabilities on public-facing APIs or interfaces that return PII or sensitive information.
3. No storage of PII or other sensitive information in browser disk cache.
4. Native apps:
- TLS connections at TLS1.0 or greater.
- TLS certificate validity checking.
5. No tracking of user activity to third-party advertising networks.
6. No known high or critical severity security vulnerabilities.
7. Here are the security practices that both Lab-Aids and Magic Software incorporate regarding data in transit:
- eBook (content) encryption using AES-256.
- AWS – S3, signed URLs.
- Amazon security standards, Amazon Security groups for servers.
- Servers behind AWS WAF firewalls.
- SSL for secure transactions.
- Application runs on minimum database privileges.
- All machines behind AWS VPC.
- APIs are protected with OAuth 2.0 standards.
- Sensitive information like passwords and keys is encrypted and passes through the SSL protocol.
Lab-Aids Math Portal
Full list is forthcoming.
5. Incident Response
In the event of an unauthorized release, disclosure, or acquisition of data that compromises the security, confidentiality, or integrity of the data maintained by Lab-Aids, Lab-Aids will provide notification to the district within seventy-two (72) hours of confirmation of the incident, unless notification within this time limit would disrupt investigation of the incident by law enforcement. In such an event, notification shall be made within a reasonable time after the incident. Lab-Aids shall follow the following process:
1. The security breach notification described above shall include, at a minimum, the following information to the extent known by Lab-Aids and as it becomes available:
- The name and contact information of the reporting district subject to this section.
- A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
- If the information is possible to determine at the time the notice is provided, then either (1) the date of the breach, (2) the estimated date of the breach, or (3) the date range within which the breach occurred. The notification shall also include the date of the notice.
- Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided; and
- A general description of the breach incident, if that information is possible to determine at the time the notice is provided.
2. Lab-Aids agrees to adhere to all federal and state requirements with respect to a data breach related to the data, including, when appropriate or required, the required responsibilities and procedures for notification and mitigation of any such data breach.
3. Lab-Aids further acknowledges and agrees to maintain and update this written incident response plan so that it reflects best practices and is consistent with industry standards and federal and state laws for responding to a data breach, breach of security, privacy incident, or unauthorized acquisition or use of data or any portion thereof, including personally identifiable information. Lab-Aids agrees to provide the district, upon request, with a summary of said written incident response plan.
4. The district shall provide notice and facts surrounding the breach to the affected students, parents, or guardians.
5. In the event of a breach originating from the district's use of the platform, Lab-Aids shall cooperate with the district to the extent necessary to expeditiously secure the data.
6. Disposition of Data
6.1 Overview
After a complete written request is made by an EA, Lab-Aids shall dispose of, or provide a mechanism for the EA to transfer, data obtained under an agreement or contract, within thirty (30) days of the date of said written request and according to a schedule and procedure that both parties agree to and find reasonable.
Data to be disposed of or transferred to the EA shall also include archived copies and other backups or disk images used to restore lost or corrupted data. Lab-Aids and the EA will also mutually agree on the process of providing evidence or certification of any deleted data.
7. Risk Assessment
7.1 Overview
As a part of developing and implementing this policy, both Magic Software and EvoText (in conjunction with Lab-Aids) conduct a periodic risk assessment, and an additional assessment whenever there is a material change in Lab-Aids', Magic Software's, or EvoText's business practices that may implicate the security, confidentiality, integrity, or availability of data.
The risk assessment shall:
1. Identify reasonably foreseeable internal and external risks to the security, confidentiality, integrity, or availability of any electronic, paper, or other records containing personal (or other sensitive) information.
2. Assess the likelihood and potential damage that could result from such risks, taking into consideration the sensitivity of the personal (and other sensitive) information.
3. Evaluate the sufficiency of relevant policies, procedures, systems, and safeguards in place to control such risks, in areas that include, but may not be limited to:
- Employee, subcontractor, and (as applicable) stakeholder training and management;
- Employee, contractor, and (as applicable) stakeholder compliance with this policy and related policies and procedures;
- Information systems, including network, computer, and software acquisition, design, implementation, operations, and maintenance, as well as data processing, storage, transmission, retention, and disposal; and
- Lab-Aids' ability to prevent, detect, and respond to attacks, intrusions, and other security incidents or system failures.
4. Following each risk assessment, Lab-Aids will:
- Design, implement, and maintain reasonable and appropriate safeguards to minimize identified risks;
- Reasonably and appropriately address any identified gaps; and
- Regularly monitor the effectiveness of Lab-Aids' safeguards, as specified in this policy.
8. Security Certifications
The Lab-Aids Science Portal utilizes a white-labeled product from Magic Software, Inc. called MagicBox, which uses AWS (Amazon Web Services) cloud infrastructure, and AWS utilizes all major security standards, such as ISO 27001, PCI-DSS, CSA Star, and FedRAMP compliance: https://aws.amazon.com/compliance/csa/
AWS aligns with the CSA STAR (Level 2) Attestation and Certification based on the determinations in its third-party audits for System and Organization Controls (SOC) 2 Reports and ISO 27001. CSA STAR Level 2 Attestation is based on SOC 2. The SOC 2 Report attests that AWS has been validated by a third-party auditor to confirm that AWS control objectives are appropriately designed and are operating effectively. AWS also publishes a public version as the System and Organization Controls 3 (SOC 3) Report on the AWS website: https://d1.awsstatic.com/whitepapers/compliance/AWS_SOC3.pdf
CSA STAR Level 2 Certification is based on ISO 27001. AWS publishes the ISO 27001:2013 Certificate on the AWS website: https://d1.awsstatic.com/certifications/iso_27001_global_certification.pdf
MagicBox uses and maintains administrative, technical, and physical safeguards and practices that align with the NIST Cybersecurity Framework v1.1.
9. Monitoring
Lab-Aids, Magic Software, and EvoText will regularly test and monitor the implementation and effectiveness of this data security policy to ensure that it is operating in a manner reasonably calculated to prevent unauthorized access to or use of personal (and other sensitive) information. Lab-Aids, Magic Software, and EvoText shall reasonably and appropriately address any identified gaps.
v1.3 August 2024
v1.2 March 2022
v1.1 November 2021
v1.0 August 2021

