As an industry pioneer and the world's leading personalized and collaborative learning platform provider, we treat information security, legal compliance, and data privacy as top organizational priorities. Data privacy by design and by default are essential considerations when building our learning platform.
The purpose of this article is to outline our efforts and the attributes of the platform that address security, compliance, and privacy — so that end users can use our services with peace of mind.
Our Security Certifications
ISO 27001 Certification: Sana uses an Information Security Management System (ISMS) certified under ISO/IEC 27001 as the basis for all information security measures. The ISO/IEC 27001 standard provides guidelines and general principles for planning, implementing, maintaining, and improving information security in an organization.
SOC 2 Compliance: In addition to our ISO certification, Sana adheres to the SOC 2 standards. SOC 2 compliance ensures that we manage our data based on the five trust service principles: security, availability, processing integrity, confidentiality, and privacy.
GDPR Compliance: Sana's usage and processing of data is compliant with the EU General Data Protection Regulation (“GDPR”). For additional information please refer to the Sana Data Processing Agreement.
Annual Penetration Testing: To ensure the robustness of our security measures, Sana conducts annual penetration testing. This rigorous testing is performed by an independent third party and is designed to identify and rectify any vulnerabilities in our systems. The results of these tests are used to continuously enhance our security posture.
How we partner with sub-processors and subcontractors
We carefully vet suppliers during the procurement process and only use suppliers for specific and necessary purposes to enhance Sana for our end-users. We expect the same technical and security measures from our suppliers as we uphold for ourselves. For our most critical sub-processors, we require ISO 27001 and SOC 2 Type 2 certification, and GDPR compliance. All contracts with chosen suppliers address our demands on the supplier's IT environment and information security measures. Each supplier is obligated to account for their technology, routines, and processes as well as their IT and information security policies.
Non-disclosure agreements and other relevant regulatory agreements are signed by our suppliers before their service is taken into use, and we regularly review suppliers' access rights and the other terms of the agreement with each supplier.
How we ensure business continuity
Sana has an average yearly downtime of less than 0.001%.
Testing: We perform both automated testing and manual QA assessment for every Sana release. 100% of the critical user flows are covered by our automated testing infrastructure, and automated tests of those flows are triggered on code merges to both development and production branches. For the management of defects in production code, please refer to our SLA: https://www.sanalabs.com/download/legal/Sana-Labs-Service-Level.pdf
Data backup: Trained personnel manage and follow up on backup execution to ensure the integrity, confidentiality, and accuracy of the backup data. Data are fully anonymized within 30 calendar days of the backup date and stored indefinitely.
Disaster recovery: We carry out rigorous IT and management processes when a serious incident occurs. We continually work on keeping processes and routines updated. The Google Cloud Backup and Disaster Recovery infrastructure, and the Google Cloud scheduling and support policies play a central role in our disaster recovery routines. The continuity plan is tested at intervals based on regular risk assessments.
High degree of digitization: All the services and tools are digitally accessible using Google Accounts’ SAML-based Federated SSO. As a result, most employees can continue to work from other locations even if our offices are closed or not accessible due to an extreme event.
How we prevent unauthorized access to our systems and processes
Access control to systems: We prevent unauthorized persons from using systems and processes by adhering to the principle of least privilege, using role-based permissions when provisioning access to systems, and requiring multi-factor authentication for access to systems holding highly confidential data.
We ensure that persons authorized to use Sana can access only the data covered by their access rights by utilizing leading password validation and recovery techniques, ensuring passwords are hashed and salted, and offering SSO to our partners. We also routinely conduct vulnerability scanning and malicious activity detection, and block suspicious behavior automatically. In addition, we utilize firewalls to keep unwanted traffic from entering the network.
Access control to physical facilities: We prevent physical access of unauthorized persons to our physical office locations by using comprehensive physical and identity access management, consisting of redundant key-card access points, video surveillance, and 24/7 identity management. We also routinely provide effective, secure, and immediate onboarding and offboarding of employees, contractors, and third parties.
We prevent physical access of unauthorized persons to core systems by partnering with industry-leading data center and cloud infrastructure providers. These providers equip their data centers with 24x7x365 surveillance and biometric access control systems. Additionally, all providers are ISO 27001, ISO 27017, ISO 27018, SOC 2 Type II, PCI DSS, and CSA STAR certified.
Data Encryption: We ensure that personal data cannot be read, copied, altered, or deleted by unauthorized persons during electronic transmission, transport, or storage on data media. Customer data at rest is encrypted with AES-128 and AES-256, and data in transit is encrypted with TLS 1.2. We are also alerted to encryption issues through periodic risk assessments and annual third-party penetration tests.
The following diagram highlights our approach to IT security.
How we manage risk
We adopt appropriate risk management and security risk management controls, such as conducting periodic reviews and assessments of risks, monitoring compliance with our policies and procedures, and keeping an up-to-date risk mapping signed off by senior management.
How we secure operations
We safeguard operations against malicious code by maintaining different systems and methods to protect the IT infrastructure, using active monitoring to ensure that antivirus scanners and spam filters are active and updated, installing the latest security updates and patches, and ensuring all employees take security training at least once a year.
How we uphold security with our staff
Our most critical resource is our people, and we aim to hire the best talent globally. In order to ensure our staff comply with the laws and regulations, as well as the terms and conditions of supplier and customer agreements, we require that Sanians conduct themselves in a manner consistent with our guidelines regarding confidentiality, business ethics, and professional standards. We also require our personnel to enter into confidentiality agreements, and acknowledge receipt of, and compliance with, Sana Labs's confidentiality and privacy policies.