Securing Schoolchildren's Data with Fonetti: A Clear Approach

Written By Colin Tankard

With data leaks increasingly making news headlines, it's no surprise that data security is a topic on everybody's mind. Data security has always been Auris's number 1 priority, especially because most of our users are schoolchildren. But how exactly do we protect this data? Here are the answers to your important questions about our data protection measures.

What data is stored?

We only store school administrator details such as email address, passwords, school names, and pupil names so that we can create reports on their reading progress. Additionally, audio recordings of reading are not stored - reading sessions are processed in real-time and only the results are stored under the administrator account. No other PII data is stored, and all identifiable information is encrypted at rest, and in transit, using modern encryption algorithms.

Where is the data stored?

Pupil data is stored at our service provider, Amazon Web Services, within Europe. Additionally, we use decentralised data processing equipment. We also ensure that all Fonetti servers are only accessed through encrypted HTTPS connections using HTTP Strict Transport Security. A HTTPS connection encrypts all data before it leaves the device and servers, as well as protects it while it transits the internet or within a data centre. Our TLS configuration receives an A+ from Qualys SSL Labs.

Who has access to user data?

Access to the Fonetti servers is highly restricted. Only people who need the data to do their jobs, such as engineers, data scientists, product managers, and support personnel, have selected access to only the data they need, not all data. These individuals also need strong passwords or multifactor authentication to access our infrastructure, and all access to our infrastructure is securely logged.

How do you make sure only the right people can access user data?

We implement an array of technical and organisational measures to ensure that individuals entitled to use a data processing system gain access only to such Data in accordance with their access rights, and that Data cannot be read, copied, modified or deleted without authorisation.
These measures include:

  • Internal policies and procedures,

  • Control authorisation schemes,

  • Differentiated access rights (profiles, roles, transactions and objects),

  • Monitoring and logging of accesses,

  • Disciplinary action against employees who access personally identifiable information without authorisation, and

  • Reports of access.

Do you share user data?

We do not share any data with third parties for marketing or external processing. However, we do share analytical data (speech patterns) with the University of Edinburgh, who is our partner in the development of our Automatic Speech Recognition engine (ASR). This data is taken under consent of the user or guardian and anonymised so no details of the origin is given to the university. Once the analysed data has been tested through the ASR engine it is returned to Auris for deletion.

"Our approach to protecting data within our ASR is to build in protection at the design level. At any point in the process where we handle data we protect it by using encryption, access control and audit. This means we fully comply with data protection regulations especially GDPR where child data is a special category"

-Colin Tankard,

Chief Privacy Officer, Auris Tech Limited

 

If you have any further questions about our data security, please get in touch with us via email at info@auris.tech. Or, if you're an educator who's considering getting Fonetti for your school, you can fill in this form to request a demo.

Colin Tankard
Previous

Blog: Empowering Climate Action Through Digital Innovation
Next

Auris awarded 'Best ASR for Reading' at the 2021 Artificial Intelligence Awards