Skip navigation

SECURITY

Protecting data privacy and security is a top priority for Sumo Apps.

Sumo Apps, operates the services offered on sumo.app (the "Sumo Apps Website"), including the Sumo Apps platform (the "Sumo Apps Platform"), and any associated mobile applications (the "Sumo Apps Apps") or products and services that Company may provide now or in the future (collectively, the "Service").

Protecting data privacy and security is a top priority for Sumo Apps. Our Privacy Policy and Student Data Privacy Addendum solidify the commitments that Sumo Apps and schools make to each other, including our security and privacy commitments. Capitalized terms not defined in this document, such as "Student Data", are defined in our Student Data Privacy Addendum. We regularly evaluate our policies and practices to improve security and to keep up with the latest practices of the security industry.

This document is designed to provide technical readers, such as Chief Information Officers or Chief Technology Officers at school districts, additional clarity and specifics about our security commitments. While this document is written for technology experts who often play a key role in assessing our policies, we recognize that data security is just as important to families, teachers, and students as it is to school officials. If you would like to find out more and access materials that are written to help you digest the more technical information, please reach out to our team at support@sumo.app


Encryption at Rest and In Transit

Access to the Sumo Apps Service occurs via encrypted connections

(HTTP over TLS, also known as HTTPS) which encrypt all data before it leaves the Sumo Apps Service's servers and protects that data as it transits over the internet. All of our Services are in Amazon Web Services (AWS) and served from either Cloudfront or Elastic Load Balancer (ELB). We use HTTP Strict Transport Security to ensure that pages are loaded over HTTPS connections and our TLS configuration receives an A+ from Qualys SSL Labs.

Student Data is stored at our Service Provider, AWS, and the following applies to their technical and organizational measures. In addition, we secure decentralized data processing equipment and personal computers. All personally identifiable information is encrypted at rest using modern encryption algorithms. In AWS S3, we use AES256 with AWS managed keys, in Aurora (MySql) we use AES-256 with customer managed keys and in Redshift we use AES-256 with AWS managed keys. Additionally, we use MongoDB with AES-256 with keys managed by AWS..

Network Security

The Sumo Apps Services use AWS, to host the infrastructure. AWS undergoes strict ongoing security assessments from external audit firms to ensure compliance with security standards including ISO 27001, SOC 2, PCI DSS Level 1, and FISMA. See https://aws.amazon.com/compliance/programs/ for more details.

Network access to the Sumo Apps Services infrastructure is highly restricted. AWS hosted infrastructure resides in a dedicated Virtual Private Cloud (VPC) which is designed to ensure that only authorized traffic over approved ports is allowed. We use ThreatStack to monitor for suspicious activity.

Patching

We use automated processes to regularly install security updates on the infrastructure that powers the Sumo Apps Services, these processes include:

AWS Managed Services (e.g., Relational Database Service):** AWS proactively notifies our engineering team when updates are available and we apply them in a timely fashion.

AWS EC2:** All EC2 instances are monitored by ThreatStack and AWS inspector and updates are applied in a timely fashion

Sumo Apps Application:** Monitored by Snyk.io and Github for vulnerabilities and they are updated in a timely fashion

Backups and Availability Control

We have a data backup and recovery capability that is designed to provide a timely restoration of the Sumo Apps Services, with minimal data loss, in the case of catastrophic failure. These backups are encrypted and stored in multiple availability zones. Additional technical and organizational measures to ensure that Student Data are protected against accidental destruction or loss (physical/logical) include:

Uninterruptible power supply (UPS);

Remote storage; and

Firewall systems.

Note: Student Data is stored at our Service Provider - currently AWS - and the above applies to their technical and organizational measures as well as any other relevantService Providers, such as MongoDB. In addition, we have a disaster recovery plan in place.

Physical Access Controls

Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Student Data are Processed*, include:

Note: The Sumo Apps Services are currently hosted in AWS and Student Data is stored at our Service Provider - currently AWS – which employs industry- leading physical security measures to protect their data centers and the above applies to their technical and organizational measures. These security features are regularly audited by third party auditors. You can learn more about AWS' physical security here. We also utilize MongoDB. You can learn more about Mongo DB's security here. In addition, we secure decentralized data processing equipment and personal computers.

Virtual Access Control

Technical and organizational measures to prevent data processing systems used for Student Data from being used by unauthorized persons include:

Data Access Control

Access to the Sumo Apps Services infrastructure is highly restricted. We limit access to individuals who need access to do their jobs such as engineers, data scientists, product managers, and support personnel. All access to our infrastructure is logged. All access to our infrastructure requires the use of strong passwords and multifactor authentication.

Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Student Data in accordance with their access rights, and that Student Data cannot be read, copied, modified or deleted without authorization, include:

Disclosure Control

Technical and organizational measures to ensure that Student Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Student Data are disclosed, include:

Entry Control

Technical and organizational measures to monitor whether Student Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include: