Subprocessor overview

Subprocessor: Amazon Web Services, Inc. (AWS)
Transfer mechanism: Not required
Contracting party: Amazon Web Services EMEA SARL
Company registration (or equivalent): 352 2789 0057
Head office (address and country): Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109-5210
Categories of personal data:
- First name, surname
- E-mail address
- Phone number
- Title
- Organisation
- Organisational affiliation
- Course history
- Test history
- Survey history
- Unit information
- Rating/assessment
- IP address
- Device information
Where the personal data will be processed: Ireland (EU/EEA)
TIA performed: Yes (more info below)

Subprocessor: Trembit
Transfer mechanism: EU Standard Contractual Clauses
Contracting party: Trembit LCC
Company registration (or equivalent): Reg. No. OC421630
Head office (address and country): 41 Devonshire Street, W1G7AJ, London, United Kingdom
Categories of personal data:
- First name, surname
- E-mail address
- Phone number
- Title
- Organisation
- Organisational affiliation
- Course history
- Test history
- Survey history
- Unit information
- Rating/assessment
- IP address
- Device information
Where the personal data will be processed: Ukraine
TIA performed: Yes (more info below)

Subprocessor: Flowmailer
Transfer mechanism: Not required
Contracting party: Flowmailer BV
Company registration (or equivalent): VAT-no. NL854692538B01
Head office (address and country): Van Nelleweg 1, 3044 BC Rotterdam, Netherlands
Categories of personal data:
- First name, surname
- E-mail address
- Organisation
- Other information provided by the data subject to receive assistance from the customer service
- Message receipt and read confirmation
Where the personal data will be processed: Ireland (EU/EEA)
TIA performed: Not required

Subprocessor: Intercom Inc.
Transfer mechanism: Not required (data hosted entirely within the EU/EEA)
Contracting party: Intercom R&D Unlimited Company
Company registration (or equivalent): Company registration number: 529646 (Ireland)
Head office (address and country): Intercom R&D Unlimited Company, Stephen Court, 18-21 Saint Stephen's Green, Dublin 2, Ireland
Categories of personal data:
- First name, surname
- E-mail address
- Phone number
- Title
- Organisation
- Communication history
- IP address
- Device information
Where the personal data will be processed: Ireland (EU/EEA)
TIA performed: Not applicable (no data transfers outside the EU/EEA)

TIA - Amazon Web Services, Inc. (AWS)

Cover sheet

Last reviewed/updated: 2024-02-21

Content description
Part 1 Question matrix: This part aims to describe the planned processing, its purpose and proportionality.

Part 2 Security measures: This part aims to ensure and document how the basic principles in art. 5 GDPR are complied with.

Part 3 Examples of risks and action plan: This part aims partly to exemplify the risks that may be identified with the data subject's freedoms and rights linked to the intended processing. Part 3 also aims to highlight the various measures that may need to be taken in connection with the risks identified for the processing. This part is for guidance and information only.

Part 4 Risk assessment: Part 4 aims to describe the identified risks associated with the freedoms and rights of the data subjects as well as their potential consequences. The risks identified are then measured to assess the likelihood of their occurrence and the consequences for the data subjects. Linked to each identified risk, the measures planned to be taken to either eliminate, reduce, avoid or accept the risks are then described.

Part 5 Overall assessment and conclusion: Part 5 aims to describe the results of the completed TIA. In this part, it must be stated whether the completed TIA is considered to be within the scope of what the Company can approve and whether the processing can be carried out or whether prior consultation must be obtained from the Privacy Protection Authority or whether the Company should refrain from the processing altogether.

1. Question matrix

The question matrix below aims to describe the transfer and the underlying purpose.

Overall general description of the intended processing and the work process.

Learnster uses AWS as the cloud infrastructure provider for managing and storing our application data.


To whom should the personal data be transferred?

Amazon Web Services (AWS).

Where will the processing take place (geographically)?

Processing of data is restricted to occur within the EU. However, national legislation exists that theoretically allows for data transfer to a third country, such as the USA, since AWS is an American company.

Who will be affected by the processing? In other words, whose personal data and which personal data will be processed?

Registered users in Learnster, e.g., Learnster's customers' employees, customers, partners, resellers, partners' employees, resellers' employees, etc.

Specify how the personal data will be transferred, as well as how long it will be stored. (One-time transfer or ongoing)

The transfer takes place continuously through our cloud service infrastructure.

Will sensitive personal data be transferred?

No

Description of why the transfer is to be assessed as proportionate and necessary.

AWS is the largest and most secure cloud infrastructure provider, so it is natural for Learnster to use them for managing and storing our application data.

Description of measures that contribute to safeguarding registered rights and ensuring that registered persons can exercise these.

The information is encrypted, and the processing takes place within the EU, where an adequate level of protection is guaranteed. Furthermore, Learnster uses its own encryption keys, to which AWS does not have access. Should any data transfer still occur, which is unlikely, the EU-US Privacy Shield would serve as an adequate transfer mechanism.

2. Security measures

a) Would it be practically, technically and economically possible for the data exporter to instead transfer the personal data in question to a location in a whitelisted country?

No.

Background: Personal data is stored within the EU. However, it is not possible for AWS to guarantee no US transfer, due to national legislation (Cloud Act) which requires AWS, as an American company, to transfer personal data to American authorities in certain special situations. However, Learnster's data is encrypted with proprietary encryption keys that AWS does not have access to.

b) Is the personal data transferred under any of the exceptions in accordance with the applicable data protection law (e.g. art. 49 GDPR)?

No.

c) Is the relevant personal data transferred to the target jurisdiction in cleartext (i.e. without encryption in transit)?

No.

d) Is the personal data in question accessible in the target jurisdiction in cleartext by the data importer/recipient or a third party (i.e. the data is either not encrypted or access to the keys to decrypt)?

No.

e) Is the personal data in question protected by a transfer mechanism approved by applicable data protection law (e.g. EU-US Privacy Shield), and can you expect compliance with it, to the extent that the target jurisdiction allows it?

Yes.

Background: AWS is certified according to the EU-US Privacy Shield, which is an allowed transfer mechanism.

Based on the answers above, the transfer is: APPROVED

3. Risk assessment

Description of risk (sections of law)

Clarifying Lawful Overseas Use of Data Act – US law applicable to companies under US jurisdiction that provide electronic communications and cloud services. The Cloud Act has an extraterritorial scope. American authorities can go to court and request that a so-called warrant is issued. With the support of a warrant, US authorities can request specified data that is stored in the EU at subsidiaries of US cloud service providers.

Conditions for an issued warrant are:
- The information sought is needed in a criminal proceeding.
- There must be a suspicion of a concrete crime.
- "Fishing expeditions" are not allowed, i.e. sweeping investigations without a clear goal.

Description of possible consequence

Disclosing data to the USA based on a warrant under the Cloud Act does not constitute a legal basis for the transfer of personal data according to GDPR. However, the EU-US Privacy Shield is an approved transfer mechanism for personal data.

Risk assessment (1-4)

  1. Probability: 1
  2. Consequence: 1
  3. Risk value: 1

Possible risk minimization measures

It is unlikely that data Learnster stores with AWS would be subject to a warrant and need to be disclosed, that is, it is unlikely that a transfer in violation of GDPR will ever occur based on the Cloud Act. The data that Learnster stores is unlikely ever to be of interest in a criminal investigation by American authorities. Should a warrant be issued and the authority turns to AWS to access personal data, AWS commits to firstly inform Learnster and contest the data disclosure.

Even if the information were to be disclosed, it would be practically unusable since it is encrypted with keys that AWS does not have access to and therefore cannot disclose, making access to readable personal data impossible. Furthermore, the EU-US Privacy Shield constitutes an approved transfer mechanism even if data were disclosed.

Values for risk assessment

Risk to data subjects: Very serious impact
Consequence: Creates great inconvenience for the data subject through, for example, discrimination, identity theft/identity fraud, large financial loss, damaged reputation or other significant financial or social disadvantage. It can also pose a danger to life and health.
Risk level: Very serious

Risk value: 4

Risk to data subjects: Serious impact
Consequence: The data subject loses control over their personal data. Probable risk of economic or social impact on the data subject if measures are not taken.
Risk level: Serious

Risk value: 3

Risk to data subjects: Moderate impact
Consequence: The rights and freedoms of the data subject cannot be guaranteed. The data subject may experience mild inconvenience but only moderate economic or social impact.
Risk level: Moderate

Risk value: 2

Risk to data subjects: None or low
Consequence: The data subject has no difficulties in exercising their freedoms and rights. No or only negligible economic or social impact.
Risk level: Moderate

4. Overall assessment

Overall assessment and conclusion
This is an overall assessment of whether the consequences of the transfer are deemed to be within the scope of what the Company can approve and that the transfer can therefore be carried out. Note that if the outcome of the risk value exceeds the value 6 in the case of inherent risk assessment in section 3, the Company should consider renouncing the transfer. However, an overall assessment of the circumstances in the specific case must always be made. Finally, below are other comments that may be useful to know regarding the transfer in question.

Regarding AWS and the risk associated with potential third-country transfers under the Cloud Act and so-called warrants, Learnster has conducted a risk assessment and concluded that, at present, there is no legal basis for the transfer of data that may occur within the framework of using AWS, as supported by the Cloud Act. Furthermore, the EU-US Privacy Shield ensures that even if a potential transfer of personal data were to occur, the transfer would have a legal basis according to GDPR, because the EU-US Privacy Shield is recognized as an allowed transfer mechanism. Additional protection mechanisms include the encryption of personal data in Learnster both at rest and in transit. Learnster uses its own encryption keys, which AWS does not have access to, rendering the data unusable even if it were transferred. Moreover, the data that Learnster stores is not of a sensitive nature, thereby limiting potential damage. We also assess that it is unlikely that data Learnster stores on AWS servers would be subject to a warrant and need to be disclosed, meaning that a transfer in violation of GDPR based on the Cloud Act is unlikely to occur. We thus conclude that the data Learnster stores is unlikely to ever become of interest in a criminal investigation by American authorities. Should a warrant be issued and American authorities turn to AWS to access the personal data, AWS commits to first inform Learnster and to contest the data disclosure. Furthermore, the EU-US Privacy Shield constitutes an approved transfer mechanism even if data were disclosed.

Learnster's overall assessment is that we have sufficient protective mechanisms in place to use AWS as a cloud provider for Learnster's services.


Statement of the DPO/Data Protection Officer:

It is important that we follow the development of this area and update the risk assessment after any new rules/guidelines.

TIA - Trembit

Cover sheet

Date of last review/update: 2024-02-21

Content description
Part 1 Question matrix: This part aims to describe the planned processing, its purpose and proportionality.

Part 2 Security measures: This part aims to ensure and document how the basic principles in art. 5 GDPR are complied with.

Part 3 Examples of risks and action plan: This part aims to exemplify the risks that may be identified with the data subject's freedoms and rights linked to the intended processing. Part 3 also aims to highlight the various measures that may need to be taken in connection with the risks identified for the processing. This part is for guidance and information only.

Part 4 Risk assessment: Part 4 aims to describe the identified risks associated with the freedoms and rights of the data subjects as well as their potential consequences. The risks identified are then measured to assess the likelihood of their occurrence and the consequences for the data subjects. Linked to each identified risk, the measures planned to be taken to either eliminate, reduce, avoid or accept the risks are then described.

Part 5 Overall assessment and conclusion: Part 5 aims to describe the results of the completed TIA. In this part, it must be stated whether the completed TIA is considered to be within the scope of what the Company can approve and whether the processing can therefore be carried out or whether prior consultation must be obtained from the Privacy Protection Authority or whether the Company should refrain from the processing altogether.

1. Question matrix

The question matrix below aims to describe the transfer and the underlying purpose.


Overall general description of the intended processing and the flow of the work process.

Learnster uses Trembit as a development partner for development and support of Learnster's LMS (learning management system).

To whom should the personal data be transferred?

Trembit LCC

Where will the processing take place (geographically)?

The processing is limited to taking place only in connection with customer-initiated support cases that need to be escalated to third line support and where the development team needs to deal with a suspected bug or similar problem. Processing is limited to a few selected key employees in Ukraine. Handling is limited to being conducted only by a developer with access to visually review user data on a screen. No data is downloaded or ever stored or processed outside the EU. Data is only available in an active ongoing SSH or admin session, and as soon as the SSH or admin session is terminated, the data is no longer available to the developer. The ongoing session is always doubly encrypted via VPN as well as TLS or SSH, depending on the session type, which means that even if the session were to be intercepted by a third party, the information cannot be used due to encryption. All data access is logged and tracked so that, if necessary, it can be reviewed during, for example, an audit.

Who will be affected by the processing? In other words, whose personal data and which personal data will be processed?

Registered users in Learnster, e.g., Learnster's customers' employees, customers, partners, resellers, partners' employees, resellers' employees, etc.

Specify how the personal data will be transferred, as well as how long it will be stored. (one-time transfer or ongoing)

Handling is limited to being conducted only by a developer with access to visually review user data on a screen. No data is downloaded or ever stored or processed outside the EU. Data is only available in an active ongoing SSH or admin session, and as soon as the SSH or admin session is terminated, the data is no longer available to the developer.

Will sensitive personal data be transferred?

No.

Description of why the transfer is to be assessed as proportionate and necessary.

The processing takes place in connection with customer-initiated support cases that need to be escalated to third line support and where the development team needs to deal with a suspected bug or similar problem where there is no other way to proceed with the case than to involve developers in order to be able to debug the possible problem.

Description of measures that contribute to safeguarding registered rights and ensuring that registered persons can exercise these.

The information is encrypted during transfer and the processing is only conducted by a developer with access to see the data on their screen during an ongoing SSH or admin session. As soon as the session is finished, all data access rights are terminated. The data is never stored outside the EU and is always encrypted during transmission.

2. Security measures

a) Would it be practically, technically and economically possible for the data exporter to instead transfer the personal data in question to a location in a whitelisted country?

No.

Background: Learnster and Trembit have relevant agreements in place, and Trembit has implemented the relevant Standard Contractual Clauses (SCCs) and has adapted its operations according to the SCCs.

b) Is the personal data transferred under any of the exceptions in accordance with the applicable data protection law (e.g. art. 49 GDPR)?

No.

c) Is the relevant personal data transferred to the target jurisdiction in cleartext (i.e. without encryption in transit)?

No.

d) Is the personal data in question accessible in the target jurisdiction in cleartext by the data importer/recipient or a third party (i.e. the data is either not encrypted or access to the keys to decrypt)?

No.

e) Is the personal data in question protected by a transfer mechanism approved by applicable data protection law (e.g. EU Standard Contractual Clauses for GDPR, approved BCR or - in case of transfer - post contract in accordance with the EU SCC), and can you expect compliance with it, to the extent that the target jurisdiction allows it?

Yes.

Background: Trembit has currently implemented the relevant SCCs and will implement and adapt its operations according to the new SCCs/recommendations, according to the information received.

Based on the answers above, the transfer is: APPROVED

3. Risk assessment

Description of risk (sections of law)

As Ukraine is not currently part of the EU, the country is not covered by the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”). Ukraine has an ongoing application process into the EU and was granted candidate country status on June 23, 2022. As part of the application process, Ukraine is actively working to align the country's laws regarding the handling of personal data with EU legislation. According to the action plan to fulfill the EU-Ukraine Association Agreement, which was approved by the Cabinet of Ministers of Ukraine on October 25, 2017 No. 1106 (only available in Ukrainian here), Ukraine has committed to align its data protection legislation in compliance with the GDPR. A first draft law was rejected in June 2021, and a new draft law on personal data protection has been submitted to the Cabinet of Ministers of Ukraine on 25 October 2022. A summary of the draft law can be found here (however, only available in Ukrainian). The new bill includes, among other things, reasons for processing personal data, registered rights, responsibilities and security requirements for processing and cross-border data transfer.

Description of possible consequence

As Ukraine is not an EU member, there are risks that the processing of personal data of EU citizens in Ukraine is not compliant with the GDPR.

Risk assessment (1-4)

  1. Probability: 1
  2. Consequence: 3
  3. Risk value: 3

Possible risk minimization measures

It is unlikely that the data being processed is at risk of being improperly processed as the data is encrypted in transit and the processing is only conducted by a developer with access to see the data on their screen during an ongoing SSH or admin session. As soon as the session is completed, all data access rights are terminated. The data is never stored outside the EU and is always encrypted during transfer.

Values for risk assessment

Risk to data subjects: Very serious impact
Consequence: Creates great inconvenience for the data subject through, for example, discrimination, identity theft/identity fraud, large financial loss, damaged reputation or other significant financial or social disadvantage. It can also pose a danger to life and health.
Risk level: Very serious

Risk value: 4

Risk to data subjects: Serious impact
Consequence: The data subject loses control over their personal data. Probable risk of economic or social impact on the data subject if measures are not taken.
Risk level: Serious

Risk value: 3

Risk to data subjects: Moderate impact
Consequence: The rights and freedoms of the data subject cannot be guaranteed. The data subject may experience mild inconvenience but only moderate economic or social impact.
Risk level: Moderate

Risk value: 2

Risk to data subjects: None or low
Consequence: The data subject has no difficulties in exercising their freedoms and rights. No or only negligible economic or social impact.
Risk level: Moderate

4. Overall assessment

Overall assessment and conclusion
This is an overall assessment of whether the consequences of the transfer are deemed to be within the scope of what the Company can approve and that the transfer can therefore be carried out. Note that if the outcome of the risk value exceeds the value 6 in the case of inherent risk assessment in section 3, the Company should consider renouncing the transfer. However, an overall assessment of the circumstances in the specific case must always be made. Finally, below are other comments that may be useful to know regarding the transfer in question.

Regarding Trembit LLC and the risk associated with potential third-country transfers under the SCC, Learnster has conducted a risk assessment and concluded that the measures taken are sufficient for any potential data transfer, within the framework of using Trembit's services, to have a legal basis. We assess that the risk of potential unauthorized disclosure is unlikely since data is never stored outside the EU/EEA, and the data is always encrypted. This means the only way the data could be disclosed is through verbal transfer from the party who had the opportunity to visually read the data for a limited period. Furthermore, the data that Learnster stores is not of a sensitive nature, and therefore, the potential damage would be limited. We also assess that the data Learnster stores is unlikely to ever become of interest in an investigation or similar activity by Ukrainian authorities.

Learnster's overall assessment is that we have sufficient protective mechanisms in place to use Trembit's services.


Statement of the DPO/Data Protection Officer:

It is important that we follow developments in these areas and update the risk assessment as and when any new rules/guidelines appear, if and when Ukraine becomes a member of the EU/EEA, or alternatively when Ukraine adopts regulations adapted to the requirements of the GDPR and the EU then approves that those requirements live up to the GDPR.

Learnster security measures and processes

1. Introduction

Given the critical nature of our clients' data, Learnster is fully committed to maintaining the highest security standards. This document outlines the security measures, processes and procedures implemented by Learnster to ensure the protection of client data and environments.

2. Data security

Encryption

  • Data at rest: All client data and content is stored on servers within the EU/EEA using Amazon Web Services as Learnster’s cloud provider. Stored data is encrypted using industry-standard AES-256 encryption with keys issued and controlled by Learnster and not accessible by Amazon Web Services or any other third party.
  • Data in transit: Data transmission utilizes TLS 1.3 for secure communication.

Access controls

  • Least Privilege Procedures: Strict least privilege principles are enforced, minimizing access to only individuals that need access and limiting the level of access to necessary access only.
  • Access Control: Access control mechanisms are implemented based on user roles and permissions.
  • MFA: Multi-factor authentication (MFA) is mandatory for all user accounts accessing any system managing client data.
  • Regular Access Reviews: System Access is managed continuously and reviewed quarterly making sure that no anomalies are present.

Data lifecycle management

  • Data Retention: Clear data retention and deletion policies have been implemented into Learnster and can easily be managed by clients to fit their individual needs according to compliance regulations. Automated deletion policies are enforced and cannot be disabled making sure to comply with regulations.
  • Secure Data Deletion: Automated permanent data deletion functionality has been implemented into Learnster and can easily be managed by clients to fit their individual needs according to compliance regulations. Automated deletion policies are enforced and cannot be disabled making sure to comply with regulations.

Data backup and recovery

  • Backup: All Learnster backups are encrypted with AES-256 encryption. All content uploaded to Learnster is encrypted with AES-256 encryption and relies on Amazon S3’s internal mechanisms for redundancy and versioning. All at-rest data is encrypted using encryption keys owned by Learnster and not accessible by AWS or any other third party.

    Learnster does a full daily backup of all databases and point in time recovery backups in between full backups. Point in time snapshots are kept for 30 days which means that Learnster can recover data to any second (except for the latest 0-5 minutes period) for the last 30 days. After the 30 days period, full daily backups are kept for 365 days meaning that backups older than 30 days can be restored with a granularity of a day.
  • Recovery: In the unlikely event that two Amazon availability zones have long-term service interruptions, Learnster has been designed to recover with limited service interruption and a target maximum of 1 hour of data loss.

Infrastructure security

  • Secure Cloud Provider: We utilize Amazon Web Services which is a reputable cloud provider with robust security practices and certifications (e.g., SOC 2, ISO 27001).
  • Best Practices: We leverage AWS’ built-in security features, best practices and recommendations according to AWS Well-Architected Framework.

3. Application security

Secure coding practices

  • Secure Coding Practices: Developers follow secure coding practices and guidelines to minimize vulnerabilities in the application code.
  • Code Analysis: Static and dynamic code analysis tools are integrated into our build pipelines to automatically identify and address potential coding errors and security flaws.
  • Code Reviews: All code is always peer-reviewed before it’s accepted into a build branch.
  • Security Code Reviews: Regular security code reviews are conducted to ensure adherence to secure coding principles.
  • Security Training: All developers conduct regular security awareness and coding best practices training.

Regular penetration testing

  • Independent Penetration Testing: We conduct regular, at least yearly, penetration testing by independent external security experts to identify and remediate vulnerabilities in our application.
  • Penetration Test Actions: Penetration testing results are reviewed and addressed promptly to minimize security risks.

Dependency and vulnerability management

  • Dependency inventory: We maintain an inventory of all software dependencies used in our application.
  • Vulnerability scans: Regular vulnerability scans are conducted to identify known vulnerabilities in dependencies.
  • Updates: Updates are applied promptly to address vulnerabilities and maintain a secure dependency ecosystem.

4. Security processes

Incident response

  • Incident Response Plan: Incident response plans are established to effectively handle security incidents.
  • Incident Training and Testing: Regular training and testing/simulations are conducted to verify and test incident response plans and to ensure team readiness.
  • Transparency and Communication: Learnster is committed to being transparent about our security practices and communicating any security incidents with all relevant stakeholders promptly and responsibly.

Security audits and compliance

  • ISO 27001 Certification: Learnster is currently working on implementing all necessary procedures and processes for acquiring an ISO 27001 certification. An external audit has been planned and booked for Q3 2024.

Security awareness training

  • Security Awareness Training: Regular security awareness training is provided to all employees to promote cybersecurity best practices.

5. Continuous improvement

Continuous evaluation and improvements: We are both continuously and regularly (at a minimum quarterly) evaluating and improving our security measures to adapt to evolving threats and industry best practices.

  • Feedback and improvements: We encourage both external and internal feedback on our security posture and welcome suggestions for improvement.
  • Improvement loop and procedures: All established security procedures and processes have built-in evaluation and improvement procedures with regular reviews and evaluations. Furthermore, we also aim at having continuous improvement loops built into our processes.