6.2 Engineering Team
At Astrid Education (“Astrid”, “us”, “we”), we are committed to safeguarding the security and confidentiality of all user data gathered and processed through our proprietary systems. This Data Security Policy outlines our approach to protecting users’ personal information and the measures we take to uphold data privacy. It applies to all employees, contractors, and third parties who handle or have access to data within our systems.
The creation of this security policy has been motivated by several factors. Firstly, we must comply with applicable data protection laws and regulations, including the General Data Protection Regulation (GDPR). Secondly, we aim to address growing concerns around user privacy and data protection in an increasingly digital world. Furthermore, maintaining customer trust is crucial, and we can establish this trust by demonstrating our commitment to data security and privacy. Finally, we have expectations from our customers, partners, and stakeholders regarding the protection of sensitive data which we must meet.
By implementing this policy, regularly reviewing it, and holding ourselves and our partners accountable to its standards, Astrid seeks to assure users that their data will be managed securely and in accordance with all legal and ethical obligations. Our goal is to provide a seamless experience that users can enjoy with full confidence in the privacy and protection of their information. Continuous evaluation of risks and threats, as well as open communication about security practices, will enable us to fulfill this commitment going forward.
The purpose of this policy is to establish guidelines and procedures for securely handling, storing and transmitting personal data in accordance with GDPR. This policy aims to minimize unauthorized access, use, disclosure, alteration or destruction of personal data and promote a culture of data privacy and security. As both a data controller and processor, we have obligations under GDPR to implement appropriate technical and organizational measures to ensure data confidentiality, integrity and availability.
This policy applies to all personal data collected and processed by Astrid, including:
In accordance with GDPR requirements, Astrid will only collect and process personal data that is adequate, relevant, and limited to what is necessary for the purposes of providing our service to users. We will not retain personal data longer than necessary and will establish retention schedules to fulfill our data minimization obligations. See our Data Retention Schedule for more information.
Astrid adheres to core data protection principles in our handling of personal data. We follow the principles of data minimization by collecting and processing only the minimum amount of personal information required to provide our English learning service to users and operate our business. We limit the use of any data to the purposes stated at the time of collection as outlined in our privacy policy.
We strive to keep personal data as accurate and up to date as possible. Individuals can request corrections to inaccurate data. We protect the integrity and confidentiality of personal data through a combination of technical and organizational security controls. These controls establish appropriate safeguards based on a regular assessment of risks to users’ privacy.
To uphold our data protection principles, we enforce several key requirements. These include the use of password managers, multi-factor authentication wherever the system supports it, and reviews of access controls and security policies at least every 6 months so that emerging threats are addressed.
All individuals handling personal data complete data privacy and security training upon hiring and annually thereafter. This mandatory training educates employees and contractors about their obligations under this policy and laws such as GDPR. We provide definitions and criteria to identify sensitive forms of data that require the highest levels of protection. Sensitive data includes personal information, system account credentials, and other data that, if compromised, could cause harm to individuals or damage the organization. Sensitive data is safeguarded through encryption of digital records and strict access control.
These policy requirements work together to build a robust data privacy program with multiple layers of protection for users’ personal information. However, continuous risk monitoring and policy review are still necessary in the face of evolving threats and regulations. Astrid aims to maintain a secure and prudent approach to data protection through an ongoing commitment to these principles and requirements.
In the event of a data breach incident, including but not limited to unauthorized access, loss, theft, or disclosure of user data, it is essential to report the incident promptly. Employees, contractors, and third parties must report any actual or suspected data breach to Astrid’s designated Data Protection Officer (DPO) or the designated point of contact within the organization. Notification of supervisory authorities and affected users is handled by the DPO, as described below.
A data breach incident needs to be reported as soon as possible to enable appropriate containment and remedial actions. Failing to report such incidents in a timely manner could expose the organization to penalties and fines under GDPR. Upon receiving the report of a data breach incident, the DPO will evaluate the situation to determine whether the breach is likely to result in a risk to the rights and freedoms of the affected data subjects. If such a risk exists, the DPO will notify the relevant supervisory authority within 72 hours of becoming aware of the incident. If the breach is likely to result in a high risk to the rights and freedoms of the affected data subjects, the DPO will also notify those data subjects without undue delay.
Prompt reporting and notification of data breaches are crucial to meet compliance requirements under GDPR and to minimize any impacts on data subjects. Employees should be aware of their responsibility to report data breaches in a timely and accurate manner.
The DPO oversees the implementation of this policy across Astrid. The DPO monitors compliance with GDPR, this policy, and other data privacy regulations to provide recommendations on meeting our obligations. They serve as the point of contact for individuals exercising data subject rights, such as requesting access to their personal information. The DPO will also liaise with supervisory authorities, such as the Swedish Data Protection Authority, regarding our data privacy practices and the reporting of any data incidents.
The DPO ensures compliance by staying informed about the latest guidance from regulatory bodies and updating this policy accordingly. They offer data privacy training and resources to employees and contractors. Moreover, the DPO plays a crucial role in evaluating risks and resolving concerns associated with the handling of personal data within the organization. Working in collaboration with the Engineering team, they actively integrate privacy considerations into system designs and software. To contact the DPO, please send an email to dpo@withastrid.com.
Our Engineering team is responsible for the technical implementation of data privacy and security controls. They integrate privacy by design and default into all systems, products, and software to uphold the standards of this policy. The team conducts routine audits and testing on the infrastructure, networks, and applications that store or transmit personal data to identify and mitigate potential security vulnerabilities.
The Engineering team monitors system activity and access for events that could threaten the privacy of users’ data. They use encryption and access control mechanisms to protect personal data both in transit and at rest. Access to sensitive data is restricted to only those individuals with a legitimate need-to-know for their job functions. The Engineering team stays up to date with industry best practices and security standards to guard against emerging threats.
All employees and contractors at Astrid must comply with this Data Security Policy. Employees are required to attend data privacy training to understand their responsibilities in protecting users’ personal information. Any data incidents, privacy violations, or concerns must be reported immediately to the Data Protection Officer. Failing to report policy breaches will be considered a violation itself.
Employees and contractors access and handle personal data on a need-to-know basis only. They maintain the confidentiality and security of the data they work with and do not share it without authorization. Users’ privacy is a collective responsibility, and employees should alert the DPO regarding any activity that could jeopardize data protection standards. Non-compliance will result in disciplinary action, as outlined in the Enforcement section of this policy. Contractors in violation of policy terms may face termination of their agreements.
To ensure compliance with this policy and safeguard our users’ personal data, Astrid will take appropriate action against violations of this Data Security Policy. Failure to comply may result in disciplinary consequences for employees and contractors.
For employees, non-compliance with this policy may first result in verbal or written warnings. Serious or repeat offenses could lead to temporary suspension of data access privileges or termination of employment. Employees should be aware that certain violations of this policy may qualify as gross misconduct and result in immediate termination of employment.
For contractors and third-party partners, violations of this policy may be considered a breach of contract and result in termination of contractual agreements. We may also terminate relationships with vendors and service providers who fail to adhere to data protection standards.
Beyond internal disciplinary actions, serious policy breaches may prompt legal action against the individuals or entities responsible. We may have legal obligations under GDPR and other laws to report certain incidents to regulatory authorities, which could initiate investigations or impose fines and penalties. In some circumstances, willful or negligent mishandling of personal data could expose individuals to criminal charges.
Astrid trusts that all internal and external parties will comply with this policy and prioritize data protection. However, we will take appropriate and proportionate action against those who violate policy terms to mitigate the risks of unauthorized data access or disclosure. Protecting users’ privacy and security is a responsibility we take very seriously at all levels of our organization and in our partnerships. We strive for transparency, cooperation, and shared accountability on data protection matters with all stakeholders.