Lightspeed Systems® is your trusted partner

Security and Compliance

Information security and data protection are integral to our core beliefs. We have dedicated security and compliance teams committed to keeping your information safe and secure. Lightspeed Systems employs strict policies and procedures to ensure the availability, integrity, and confidentiality of customer data.

System Status

We know you rely on Lightspeed Systems solutions to do amazing things, so we continuously monitor our services internally and through third-party services. Service interruptions, updates, and maintenance announcements are published on our status page.

Security

Lightspeed Systems understands the need to safeguard the personal and confidential data of our customers, employees, and partners. Privacy and security are our responsibility, and we provide innovative solutions that enhance, rather than compromise, data privacy and security.

Compliance

Since 1999, Lightspeed Systems has been partnering with schools around the world to protect students and make learning adaptable to the ever-changing technological landscape. The nature of our business mandates us to be compliant with the various student data privacy laws, to ensure student data is safeguarded.

Lightspeed Systems Service Status

Service Level Agreement (SLA)

Lightspeed Systems provides hosted services including mobile device management, web filtering, app analytics, and classroom management for schools. Our services are available at least 99.5% of the time, with servers being continuously monitored for performance and availability.


Lightspeed security

Administrative Safeguards

Employee background checks

All Lightspeed Systems employees undergo background checks and sign a non-disclosure agreement before hire.

Incident Management

We have a written Incident Response Plan which details the processes for detecting, reporting, identifying, analyzing, and responding to Security Incidents impacting Lightspeed Systems networks and Customer Data.

Data Breach Notification

If we learn of a data breach, we will follow our Incident Response Plan and notify our customers without undue delay. 

Employee Privacy & Security Awareness training

Upon hire and on an ongoing basis, all employees are required to undertake privacy and security training, which covers privacy practices and the principles that apply to employee handling of personal information, including the need to place limitations on using, accessing, sharing and retaining personal information.

Employees also receive role-specific security training. For example, the product development team undergoes privacy-by-design and secure software development training. Employees are also tested with regular simulated phishing emails.

Vendor Selection & Risk Management

Lightspeed Systems may use sub-processors to perform services. Sub-processors are entitled to access customer data only as needed to perform the Services and are bound by written agreements that require them to provide the strict levels of data protection required by Lightspeed and applicable regulations. The list of our subprocessors appears at the end of this page.

Pre-engagement and ongoing vendor assessments are conducted to ensure proper data privacy and security practices are in place throughout the vendor relationship.

  • Changes to vendor services provided or changes to existing contracts require a security risk assessment to confirm that the changes do not present additional or undue risk.

Policy and procedure documents align with the NIST Privacy/Security Frameworks

Lightspeed Systems reviews its systems against the CIS Controls and NIST Frameworks, and any identified risks or gaps are addressed accordingly.

We have a designated Data Governance team that holds quarterly meetings to ensure data integrity.

The following policy documents have been instituted and implemented across the organization: Security Policy, Incident Response Plan, Vulnerability Remediation Policy, Patch Policy, IT Standards Policy, Data Classification Policy, Data Deletion Policy, Vendor Assessment Policy, Vendor Security Standards Verification Procedure, Password Policy, Clean Desk Policy, Privacy Inquiry Policy, Data Governance Policy, Building Access Policy and PIA & DPIA Procedure.

Lightspeed security

Technical Safeguards

Data encryption

Data is encrypted in transit and at rest.

 

Data Retention & Deletion

Lightspeed Systems has implemented a Data Retention Policy. Where appropriate, our solutions utilize automated rules to purge data according to policy.

 

Data Backup

We perform regular backups of data and systems. Backup intervals are dependent on the type of data and range from minutes to once per day.

Vulnerability Remediation

Lightspeed Systems has a Vulnerability Remediation Policy to identify and remediate vulnerabilities according to the risk they present. We utilize patch management software to monitor systems and ensure patches are applied.

 

Malware Protection

Lightspeed Systems has in place anti-malware and anti-spam solutions to protect servers and workstations.

 

Logging & Monitoring

Lightspeed Systems has deployed logging and monitoring solutions to identify and investigate possible security events.

Identity & Access Control

Access to personal information is limited through login credentials to those employees who require it to perform their job functions. In addition, Lightspeed Systems utilizes access controls such as Multi-Factor Authentication, Single Sign-On, least privilege and access on an as-needed basis, strong password controls, and restricted access to administrative accounts.

Our solutions allow customers to create ‘Admin’ roles that provide only the rights needed to perform the required functions.

Lightspeed security

Physical Safeguards

Workplace Security

Lightspeed Systems maintains the following controls designed to prevent unauthorized access to our offices:

  • Facility access is limited to authorized individuals by use of keys/key fobs or access badges.
  • Lightspeed offices have fire suppression and fire detection systems or devices as well as emergency exits and evacuation routes.

Data Center Security

All data centers where data is processed and stored are located in the United States and hold SOC 2, HIPAA, PCI DSS and ISO 27001 attestations or certifications. Lightspeed has a process in place to log, monitor, and respond to events and anomalies in its systems and solutions. Data backup and recovery solutions are also in place.

Secure Design Principles

Lightspeed Systems practices security by design. We utilize a Secure Software Development Lifecycle based on the OWASP methodologies.

  • Our systems and processes take into account the core pillars of information security: Confidentiality, Integrity and Availability.

Contact us if you suspect a security vulnerability within Lightspeed Systems

Compliance

Children's Online Privacy Protection Act (COPPA)

COPPA applies to the online collection of personal information by persons or entities under U.S. jurisdiction about children under 13 years of age. Verifiable parental consent is required before collecting or using personal information from such children.

  • Lightspeed Systems complies with the Children's Online Privacy Protection Act (COPPA) to ensure the online safety of children. Student accounts are provided only through a verified educator, school, or educational organization. Educators agree to obtain parental permission before issuing accounts to students.

We adhere to the following COPPA guidelines and agree to:

  • NOT collect online contact information without the consent of either a parent or a qualified educator or educational institution.
  • NOT collect personally identifiable offline contact information.
  • NOT distribute to third parties any personally identifiable information without prior parental consent.
  • NOT entice children, by the prospect of a special game, prize, or other activity, to divulge more information than is needed to participate in the activity.
  • NOT use or disclose student information for behavioral targeting of advertisements to students.
  • NOT build a personal profile of a student other than for supporting authorized educational/school purposes.

Compliance

Family Educational Rights & Privacy Act (FERPA)

The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

  • Although FERPA applies to schools and not companies, Lightspeed Systems may be designated as a ‘School Official’ and as such, we are compliant with FERPA requirements and have committed to protecting the privacy of students’ information, which is entrusted to us by the School Districts. The School Districts are in control of all student data and we proceed under their direction. Under FERPA, parents or eligible students have the right to access, inspect, review and rectify student records, and Lightspeed complies with these rights when we receive a verified written request from the School District.
  • Please note that Lightspeed Systems has no direct contact with students or parents.

Compliance

New York Education Law 2-D

Education Law § 2-d went into effect in April 2014.  The focus of the statute was to foster privacy and security of personally identifiable information (PII) of students and certain PII related to classroom teachers and principals.

Lightspeed Systems complies with the NY ED Law 2-D and the Parents Bill of Rights, which requires the following:

  • A student’s personally identifiable information (PII) cannot be sold or released for any commercial purpose;
  • The right to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency;
  • Safeguards associated with industry standards and best practices including but not limited to encryption, firewalls and password protection must be in place when student PII is stored or transferred;
  • To be notified in accordance with applicable laws and regulations if a breach or unauthorized release of PII occurs;
  • Parents have the right to have complaints about possible breaches of student data addressed;
  • Educational agency workers that handle PII will receive training on applicable state and federal laws, policies, and safeguards associated with industry standards and best practices that protect PII;
  • Educational agency contracts with vendors that receive PII will address statutory and regulatory data privacy and security requirements.

Compliance

Student Privacy Pledge

The Student Privacy Pledge is a public and legally enforceable statement by ed tech companies to safeguard student privacy, built around commitments regarding the collection, maintenance, and use of student personal information.

  • Lightspeed Systems has signed the Student Privacy Pledge to carry out responsible stewardship and appropriate use of student personal information.

Compliance

Student Data Privacy Consortium (SDPC) and National Data Privacy Agreement (NDPA)

The SDPC is a unique collaboration of schools, districts, regional, territories and state agencies, policy makers, trade organizations and marketplace providers addressing real-world, adaptable, and implementable solutions to growing data privacy concerns.
  • The SDPC released the first National Data Privacy Agreement (NDPA) to streamline application contracting and set common expectations between schools/districts and marketplace providers.
  • Lightspeed is working with school districts in all the participating States to ensure we have Data Processing Agreements in place.
  • School districts that would like to execute the SDPC NDPA with us are encouraged to email privacy@lightspeedsystems.com

Compliance

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them.

  • Lightspeed Systems is committed to meeting the requirements of the CCPA and protecting your data.
  • Our Privacy Policy provides detailed information on how Lightspeed Systems collects and processes your personal information.

California consumers may make a request pursuant to their rights under the CCPA by contacting us at privacy@lightspeedsystems.com

Compliance

General Data Protection Regulation (GDPR)

GDPR is a European Union regulation that governs how organizations collect and process the personal data of individuals in the EU, wherever the organization is located.

  • Lightspeed Systems is committed to meeting the data protection requirements of the GDPR.
  • We have implemented the following processes to ensure GDPR compliance:
    • Data minimization – We only collect data necessary for a specific purpose, and use is limited to the stated purpose.
    • Data mapping and classification – We maintain a detailed inventory of personal data and classify that data. This is a continuous process that we constantly work on improving.
    • Data retention – We keep data only for as long as it is needed to fulfil the stated purpose and to meet our contractual obligations.
    • Data anonymization.
    • We have implemented appropriate technical and organizational measures to secure personal data.
  • We have a DPA with Standard Contractual Clauses, approved by the European Commission, to protect the transfer of personal data outside of the EU/UK. Please reach out to privacy@lightspeedsystems.com to execute the DPA with us.

Compliance

Privacy Shield

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.

 On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. That decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework.

  • Lightspeed Systems continues to maintain our Privacy Shield certification, which binds us to strict data protection principles.
  • We have incorporated the EU Standard Contractual Clauses into our DPA to account for cross-border data transfers. In some cases, we rely on the GDPR Article 49 derogation, where the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request.

Compliance

Office of Foreign Assets Control (OFAC)

The Office of Foreign Assets Control (“OFAC”) of the US Department of the Treasury administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States.

  • Lightspeed Systems, its subsidiary companies and affiliates are committed to full compliance with all international sanctions including but not limited to those imposed by the United States, the European Union, and the United Kingdom.
  • International sanctions are the laws, regulations, executive orders, council determinations and other government actions which prohibit a broad range of commercial and financial transactions. It is the policy of Lightspeed Systems to comply with all applicable international sanctions.
  • Lightspeed Systems considers an effective compliance program addressing export controls with policies and procedures to be an important, vital part of our business operations and ethical code of conduct.
  • We screen all international orders against various lists of sanctioned and prohibited persons and destinations prior to acceptance. Any order received, directly or indirectly, from a sanctioned person or intended for ultimate end use by sanctioned person or in a sanctioned destination, will be rejected.

Lightspeed Systems employees receive annual OFAC awareness training to ensure compliance.

For more detailed information on how we handle personal data and the details of our Services, please refer to our Privacy Policy and Terms of Use.

Lightspeed Systems Subprocessor List

Each entry lists Entity Name – Subprocessing Activities – Entity Location (HQ).

Hosting and data center subprocessors:

  • Amazon Web Services, Inc. – Application Hosting & Storage – United States
  • Equinix – Data Center – United States
  • LightEdge – Data Center – United States
  • Microsoft Corporation (Microsoft Azure) – Application Hosting & Storage – United States

Business and operations subprocessors:

  • Ably.io – Presence Monitoring – United Kingdom
  • DocuSign – Electronic Signature Provider – United States
  • FullStory – Product Analytics – United States
  • Greenhouse Software Inc. – Recruitment Management Software – United States
  • Incorta – Data Analytics – United States
  • Microsoft Corporation – Email and Collaboration Tools – United States
  • Namely – Payroll Management Software – United States
  • NetSuite – Accounting Systems – United States
  • Pendo.io Inc – Software Experience Management – United States
  • Salesforce – Customer Support (CRM Provider) – United States
  • Twilio – Communications Technology Provider – United States