IRIS Connect has data protection, privacy and safety at its heart

We understand how important it is for you to protect and safeguard everyone in your community, which is why IRIS Connect ensures outstanding security. We have thought very carefully about our legal responsibilities and your peace of mind, building a system that’s rooted in data protection, privacy and safety.

Why are data protection, privacy and security so important?

Video is a powerful tool for accelerating teaching and learning, but it is vital that the students featured in a lesson recording are appropriately protected at all times.

A school leader who purchases a system that does not meet basic data protection requirements exposes the school to a range of significant liabilities.


What questions should I ask?

Our platform is designed to be a safe professional learning community, but not all video technology providers prioritize your safety in the same way. Not everyone abides by the relevant legal frameworks and some don’t even provide very basic security measures.

Here is a series of basic questions you can use to help establish whether a video system puts your security first.

These considerations will help you check whether a provider is aware of the legal framework that schools have to operate within, provides an agreement that meets it and can look after your data in such a way that it will not be lost or accessed by others.

Questions for cloud-based solutions

Does the provider store all data at rest within a world-class data storage environment?

  • You must choose a data processor that provides sufficient guarantees about its security measures to protect the processing it will do for you
  • You must take reasonable steps to check that those security measures are being put into practice

IRIS Connect stores all data within a world-class environment trusted by numerous government and public sector organizations to store highly sensitive data. The environment utilizes state-of-the-art network security, electronic surveillance, physical security and multi-factor access control systems to protect client data. The data centers are staffed 24×7 by trained security teams. This environment has qualified for the following assurance programs:

ISO 27001 (widely-adopted global security standard)
ISO 9001 (global standard for managing the quality of products and services)
G-Cloud (UK Government security standard)
FERPA (U.S. Department of Education)
FIPS 140-2 (U.S. government security standard)
DIACAP and FISMA (U.S. Federal Information Security Management)
DoD CSM Levels 1-2, 3-5 (U.S. Department of Defense)
IRAP (Australia)
MTCS Tier 3 Certification (Singapore Security Management Standard)
PCI DSS Level 1 (Payment Card Industry Data Security Standard)
SOC 1 / ISAE 3402 (Service Organization Controls reports)
SOC 2 (Service Organization Controls reports)
SOC 3 (Service Organization Controls reports)
CJIS (U.S. Criminal Justice Information Services)
CSA (Cloud Security Alliance)
HIPAA (storage of protected health information)
FedRAMP (SM) (The Federal Risk and Authorization Management Program)

Does the provider provide a robust authentication process to protect access to personal data and / or user accounts?

The IRIS Connect system is based on individual user accounts and permissioning, where each user has their own personal username and password for their account in our platform.

Each account is linked to an email address, which needs to be verified. Further, passwords cannot be reset by the Organization Administrator, nor can email addresses be changed to gain access through the ‘forgotten password’ process.

The entire IRIS Connect platform (including the login page) uses SSL (https) to protect against ‘man in the middle attacks’ and ensure that users’ account credentials and data are sent securely through the latest industry standards.

Does the provider ensure all data transmitted to and from its cloud service is securely encrypted?

SSL encryption is a security protocol that allows sensitive information to be transmitted securely.

IRIS Connect ensures any data in transit is encrypted using the leading industry practice (TLS 1.2).

Does the provider ensure all requests to delete data are complied with and data are disposed of responsibly and securely?

It is important to monitor not only data transfer and storage but also the deletion of data. Where data are deleted from a live system, they should also be deleted from any back-ups.

Customer data (financial) will be retained in line with local legal frameworks.

Customer data (non-financial) will be disposed of following termination of license. Our secure data center employs industry standard procedures on the decommissioning of its storage devices at the end of their useful life.

Deleted data will be stored for 3 months in case the customer needs to retrieve it. The back-ups will be stored for a further 6 months before being destroyed.

There are certain occasions when information needs to be preserved beyond this limit, such as in the following circumstances:
• Legal proceedings or a regulatory or similar investigation or obligation to produce information are known to be likely, threatened or actual
• A crime is suspected or detected
• Information is relevant to a company in liquidation or receivership, where a debt is due to IRIS Connect
• In the case of possible or actual legal proceedings, investigations or crimes occurring, the type of information that needs to be retained relates to any that will help or harm IRIS Connect or the other side’s case or liability or amount involved 

Does the provider ensure that its security processes and systems are regularly reviewed internally and through independent services?

Utilizing independent services ensures that a wider analysis of the system is taking place, which can be important in introducing updated processes and highlighting weaknesses that might not be forthcoming from an internal review.

This alternative perspective review will assist in identifying any practices that could cause security, storage or usability issues.

IRIS Connect have partnered with ‘Well-Typed’, independent development consultants who regularly provide input and advice on the latest industry standards and best-practice processes. These are then incorporated into our new feature and security developments and infrastructure maintenance to provide the best experience for our users.

Does the provider ensure that adequate data recovery and back-up systems are in place?

Collecting and storing your data in a system involves financial, time and process investment and often this stored data is irreplaceable. This investment needs to be protected and if a recovery is required, the service provider must ensure they are able to restore this without alteration from a back-up.

By using Amazon S3 infrastructure IRIS Connect are able to ensure that all data stored in the web platform is backed up on an hourly basis.

Does the provider confirm that it has sufficient capacity to ensure a resilient, reliable and accessible service?

The service provider needs to demonstrate and provide evidence that their services are reliable, supported and will be able to meet your service needs.

IRIS Connect utilizes market leading services (Amazon S3) for data processing and storage. We regularly and automatically utilize their scaling infrastructure to deal with increases in service traffic.

IRIS Connect have provided 99.9% service uptime in the last 18 months during core operating hours (6am-4pm Pacific Time).

IRIS Connect provides free full support to all customers, enabling us to quickly resolve any issues logged. This is provided Monday – Friday between 6am-4pm Pacific Time.

The support team are available via live chat, email and phone.

Questions for local network-based solutions

Is data stored securely and backed-up in case of a disk failure?

Sensitive data needs to be secured both physically and digitally to safeguard against theft.

Further, the data needs to have a reliable, regular back-up; ideally to an off-site location in the event of a fire / flood etc.

IRIS Connect is a fully cloud-based solution with no devices permanently storing files.

For full user control and data security, videos are never stored on individual devices or local servers. Instead, they are encrypted, immediately uploaded to our platform and automatically deleted from the device they were recorded on.

The platform is designed to ensure that data remains in the secure, password-protected environment. This includes providing Editing, and Groups for cross-organizational sharing, and not enabling the downloading of sensitive data to local devices.

Is the security of hardware regularly reviewed internally and through independent services?

As above, sensitive data needs to be secured both physically and digitally to safeguard against theft, which would place the data outside of the data subject’s control.

Further, the data needs to have a reliable, regular back-up ideally to an off-site location in the event of a disk failure, fire, flood etc.

IRIS Connect is a fully cloud-based solution with no local devices permanently storing data.

Are passwords stored in a secure database and in an encrypted format?

The use of passwords as a secure authentication step to safeguard data stored on the system will be compromised if the passwords are not stored in an encrypted format. This presents a security risk. When passwords are stored in an encrypted format, they will be useless if someone manages to gain access to them.

IRIS Connect’s Discovery Kit stores passwords in an encrypted format.

Has hardware passed rigorous safety testing and does it have a CE mark with supporting documentation?

CE marking is a mandatory conformity marking for certain products sold within the European Economic Area (EEA) since 1985. The manufacturer has to take certain obligatory steps before the product can bear CE marking, including a conformity assessment, setting-up a technical file and signing a declaration stipulated by the leading legislation for the product. The documentation has to be made available to authorities upon request.

All devices supplied by IRIS Connect are CE marked and have gone through independent testing to ensure they are in line with EEA product safety legislation.

IRIS Connect allows teachers to upload classroom video to our secure platform where they can share it with other educators at their school and other approved education organizations, so they can collaborate and learn from each other.

These videos often include students as they interact with the teacher and their peers in the classroom. Teachers are completely in control of these videos – only they can decide which educators can see them. IRIS Connect will not share these videos with third parties.

Am I able to request to see any data held of my child?

If you wish to view any recording that might include your child please ask your teacher and they will follow the appropriate policies and law for your region.

Who will be able to see these recordings?

IRIS Connect provides a secure, online platform for professional learning to a closed community of education professionals. Recordings can only be shared by your child’s teacher to users and groups that the school has approved.

In what circumstances would my child be recorded?

Teachers use IRIS Connect to record their classroom teaching so that they can be continually improving their instruction and meeting the learning needs of your student. Your student may be recorded in the classroom as they are learning.

Do I need to give permission / can I refuse for my child to be recorded?

Schools typically request permission from parents to video record their student during the registration process. Please consult your school to learn more about your local policies.

Besides educators, who else can see these videos? Will IRIS Connect share these videos with third parties?

Only educators with authorized accounts can access videos on the IRIS Connect platform. IRIS Connect never shares classroom videos with any third party in normal use. There are certain occasions, such as when a crime is suspected, in which IRIS Connect would comply with the law to release data if requested with appropriate authority.

Could these recordings be uploaded to other websites?

IRIS Connect does not enable the downloading of video content from the platform. When a video is downloaded, control of it could be lost, with copies being made or it being uploaded to a public access website. IRIS Connect has developed its platform to make it the safest and most secure environment for teachers to participate in video-based PD. In controlled circumstances and with appropriate authorization, downloading of a video is permitted, for example when evidencing teaching for a professional certification.

Our platform is designed with your security and privacy at its heart. You’ll be given your own password protected account on our cloud-based server, where any videos that you record will automatically be uploaded. This ensures video security, avoids storage problems and allows you to access your videos at any time and from anywhere.

When using IRIS Connect, you have complete control over who sees any of the videos that you create, sharing them with only individuals or groups that you choose. You also have the ability to delete or remove sharing privileges as you wish.

Can I download my reflection?

IRIS Connect does not generally enable the downloading of video content because when a video is downloaded, control could be lost and it could end up in anyone’s hands.

This means your community isn’t being appropriately safeguarded as the video is no longer private or secure and doesn’t adhere to relevant data protection laws.

We’ve built features into our platform that mean you should have no need to download your videos, including editing, sharing across organizations using Groups and anonymization.

If you feel you have a very exceptional reason for needing to download a video then please get in touch.

Can I share my reflection with someone outside of my organization?

With our Groups tool, you can create and join Groups to share practice around a particular focus both within and beyond your school.

But, to keep security a main priority, all Groups that include users from other organizations need to be approved by your Organization Administrator.

I would like to share a reflection but want to anonymize the individuals - is this possible?

The IRIS Connect platform provides an anonymization tool to further protect data. This feature enables easy anonymization of any reflection, which you can apply before sharing with colleagues.

  • Notified of Breach (Discovered or informed)
  • Containment/Recovery
      • Inform relevant Senior Management
      • Ascertain breach status
      • Ascertain if Law Enforcement should be notified
      • Recover or limit damage from the breach
  • Investigation
      • Investigate: type of data, its sensitivity, what protections are in place (e.g. encryption), what has happened to the data, whether the data could be put to any illegal or inappropriate use, how many people are affected, what type of people have been affected (the public, suppliers etc.) and whether there are wider consequences to the breach.
      • Investigation should be completed urgently and wherever possible within 24 hours of the breach being discovered/reported. A further review of the causes of the breach and recommendations for future improvements can be done once the matter has been resolved.
  • Notification
      • Assess and notify which relevant parties should be notified of the breach.
  • Review & Evaluation
      • Conduct a full review of the causes of the breach and the effectiveness of the response to it, compiled and reported to the Board of Directors.
  • Implementation
      • Implement appropriate recommendations from the Evaluation report.




Further information about security and safeguarding policies:

If you have any questions about data protection, privacy or security, then please get in touch.
