Security Statement
We understand the sensitive nature of the video content we safeguard.
At ONVU Learning we ensure that security is a top priority.
Introduction
ONVU Learning is an innovative tool designed to aid teaching and learning. With its benefits come some risks which we are intent on effectively managing with you as you adopt it through your institutions.
We know how much care and attention schools pay to safeguarding students’ and staff’s well-being, dignity and data.
Our approach to data security is two-fold:
- Ensure our systems and processes are tightly controlled and meet the highest standard; and
- Work with our customers to achieve and maintain the highest degree of safety and security through their use of our system (which should be adopted like any other new approach being brought into existing or new strategies).
We also understand the particularly sensitive nature of the video content we safeguard and, at ONVU Learning (part of the ONVU Technologies Group), we ensure that security is the highest priority during design, implementation and operation of our solution
If you have any questions related to the management or security of your data which this statement does not answer please reach out to our team.
Our approach is guided by the National Cyber Security Centre (NCSC) and detailed below in four key areas of data security:
- Data encryption
- Authentication and access control
3. Security logging and incident management
4. Governance
1. DATA ENCRYPTION
Data-in-transit
All communication between ONVU Learning devices, client devices and cloud is encrypted using Transport Layer Security (TLS).
Data-in-rest
All video data stored on the camera is encrypted on a fixed SD Card using Advanced Encryption Standard (AES) 256. On the cloud, ONVU Learning data is encrypted using Amazon Web Services (AWS) secure storage. ONVU Learning uses AWS Identity and Access Control to restrict access to stored data and maintain separation from other AWS customers. All secure personal data, such as passwords, is irreversibly encrypted to prevent misuse.
All video footage is stored on the camera unless the user creates a clip. Only the video footage for the clip is then uploaded to the cloud. The user maintains who can access the footage. Video footage is kept on the camera for a maximum of 30 days.
2. Authentication and access control
Authentication to services and APIs
The ONVU Learning Cloud and Cameras use APIs to communicate and share information. APIs on the cloud are secured with TLS and a token-based authentication mechanism.
2-factor authentication
2-factor authentication (2FA) can be enabled by your admin for user accounts. During log-in users will be emailed a unique code which grants them access to the ONVU Learning website.
Single sign-on
ONVU Learning is integrated with Microsoft Single Sign On, this can be enabled by your admin. This ensures users on your domain authenticate securely with their Microsoft Office 365 credentials.
Privilege separation
ONVU Learning implements a role-based permission model that enforces granular control over what users can access.
For internal staff, ONVU Technologies follows the Principle of Least Privilege to ensure that internal users can only access the data that they need to perform their duties and only for the time required to do so.
3. Security logging and incident management
Logging and event collection
The ONVU Learning Cloud collects security-critical logs which allows us to detect security breaches and troubleshoot issues. Security logs are not available to customers.
Security incident response and updates
Widely-known security vulnerabilities are actively monitored. The ONVU Learning Cloud and Cameras are regularly scanned against databases of known vulnerabilities.
ONVU Technologies periodically engage external network and application penetration consultants to test and review our security architecture and processes.
If a customer or security researcher identifies a security vulnerability, report them to: compliance@onvutech.com
4. GOVERNANCE
Data location and legal jurisdiction
ONVU Learning is hosted by Amazon Web Services (AWS) in the EU West region, meaning all cloud data is stored in the UK. AWS is subject to US legal jurisdiction. Amazon operates a Tier-3/4 data centre operation that is ISO 27001:2013, SOC2 Type II and PCI-DSS Level-1 compliant.
Staff Access and Qualifications
ONVU Technologies provide employees with security policies, training and guidelines with respect to safeguarding ONVU Learning customer data. These policies are readily available to employees.
Staff access to the ONVU Learning platform is strictly restricted to those responsible for providing essential support to users and ongoing maintenance.
When support is required, access to any customer’s video or user content can only be enabled by your administrator for the account and this is time limited.
All staff employed by ONVU Technologies, working on ONVU Learning in any capacity must undergo a criminal records (DBS) check.
Changes to this Statement
We will update this statement from time to time to reflect changes in our practices, technologies, legal requirements, and other factors. If we make a material update, we may provide you with notice prior to the update taking effect.
Who to contact
If you have any questions about this notice, you can contact us in the following ways:
Email: compliance@onvutech.com
Telephone: +44 (0)207 371 6640