Online Learning NZ: How Intuto looks after your data and privacy

Last week, we focused on our great customer service team and in this article, we're focusing on our privacy and data storage policies. 

As an online learning provider, we know better than most how important your data and information are to you. We are honoured that you trust us with your intellectual property: all your training courses, your hard-earned knowledge and your business details, as well as certain financial information, and we take the responsibility of protecting it seriously.

The platform

Our philosophy when it comes to the platform is to make sure that it’s as easy to use and intuitive as possible, supporting mobile and desktop learning for all learners including accessibility features for the sight impaired.

To that end, we do not build features lightly. New features are chosen based on close consultation with our customers and a good understanding of who Intuto is and isn’t for. We don’t see the point in trying to build every possible feature or recreate the wheel if it exists in other systems; Intuto has a robust and modern application programming interface (API) that can be used to integrate with other systems to extend functionality beyond Intuto’s capabilities and provide a more seamless experience within our platform for learners and administrators alike.

Because of our heavy use of API, Intuto is built on a stack of mostly Microsoft technologies designed for enterprise scalability and security and implemented with the latest best practice guidelines.

We are confident in our privacy and security protocols and processes and we want you to be too, so we’re sharing some information about how we protect you and your data.

Accountability and policies

We have strict policies in place to inform the accountability of every team member from the moment they start with us. Part of every employee’s employment contract is a section on confidentiality and security standards, which they and their manager sign to commit them to following stringent rules for handling personal information.

Following on from that, we have an annual review of internal processes for information handling practices. Our software was audited for privacy and security by Augen Software Group (now known as CodeHQ), a Microsoft gold application development partner. This was part of a larger contract relating to reviewing and improving our software architecture.

We also have plans in place to identify security breaches or disclosures of personal information in error. Our two key processes are:

• We have an agreement with our third party server providers to alert us to any breaches in their systems, regardless of whether information was accessed or if it affected us directly.
• We have an external ‘auditor’ on contract who reviews our website security.

Our privacy breach protocols are kept very simple. In the event that any privacy breach is identified, whether electronic or hard copy, the CEO and CTO are immediately informed. Following a situation review, the affected customer is advised. This advice includes a summary of the breach, the individuals affected, the proposed communication with the individual, the extent of the breach and the proposed solution to minimise the opportunity for such a breach to occur in the future. We then propose a follow-up discussion with the customer one month after the breach.

However, to date, this has never happened to us at Intuto – and we work extremely hard to make sure it never does.

Data information flow

We use a secure third-party server provider called Vocus, and all our data is hosted in a secure data centre based right here in Auckland. An ISO 27001 information security certification at the Vocus data centre means you can be confident that your data is in safe hands.

We never store any of your data in paper format and your data is never shared or used for any purpose other than helping you create your e-learning program. When your data is transmitted electronically, it’s encrypted and done so securely.

If you ever decide to move your online learning to another provider, you can instruct us to destroy your data and we will do so immediately.

Safeguards

We have a range of safeguards in place to ensure the security of your data, starting with staff access. Staff members are only given access to data on an as-needed basis, and staff who no longer need your information have their access revoked. Every system access is tracked in our database, so we can see who has accessed and changed information.

We also use Microsoft’s authentication and security best practices to ensure that all data is protected from loss, theft, unauthorised access or inadvertent disclosure.

We maintain secure backups of the data as part of our third-party hosting agreement. Vocus has three separate locations with automated backup covering two of the three locations, allowing the backup to be transferred to the third location in the event of a catastrophic event.

Our staging servers – where we only store data for testing purposes, and delete it when the test is complete – are housed on site and protected by a monitored alarm and commercial-grade access security. Our own offices have a camera system and a monitored alarm with access only available to staff and approved contractors.

Training and awareness

As well as the section in the employment contract on confidentiality and security standards, new staff undergo an induction that covers privacy best practices and the requirement to keep client information secure and confidential.

Further to that, we run weekly staff meetings, where we consistently touch on customer data security, and regular training sessions.

As a customer of Intuto, we want you to feel confident that your data and privacy are safe with us. If you ever have any concerns about the way your information is being handled, please contact us and we can tell you more about everything we do to protect you.