Lightspeed Systems® is Your Trusted Partner

Lightspeed Trust

Information security and data protection are integral to our core beliefs. We have dedicated security and compliance teams committed to keeping your information safe and secure. Lightspeed Systems employs strict policies and procedures to ensure the availability, integrity, and confidentiality of customer data.

Lightspeed Systems® Service Status

Service Level Agreement (SLA)

Lightspeed Systems® provides hosted services including mobile device management, web filtering, app analytics, and classroom management for schools. Our services are available at least 99.9% of the time, with servers being continuously monitored for performance and availability.


Lightspeed Security

Administrative Safeguards

Employee Background Checks

All Lightspeed Systems employees undergo background checks and sign a non-disclosure agreement before hire.

Data Breach Notification

If we learn of a data breach, we will follow our Incident Response Plan and notify our customers without undue delay.

Incident Management

We have a written Incident Response Plan which details the processes for detecting, reporting, identifying, analyzing, and responding to Security Incidents impacting Lightspeed Systems networks and Customer Data.

Employee Privacy & Security Awareness Training

Upon hire and on an ongoing basis, all employees are required to undertake privacy and security training, which covers privacy practices and the principles that apply to employee handling of personal information, including the need to place limitations on using, accessing, sharing and retaining personal information.

We also provide role-specific security training covering the aspects of security each role requires. For example, the product development team undergoes privacy-by-design and secure software development training. Employees are also sent regular simulated phishing emails to test and reinforce their awareness.

Vendor Selection & Risk Management

Lightspeed Systems may use sub-processors to perform services. Sub-processors are entitled to access customer data only as needed to perform the Services and are bound by written agreements that require them to provide the strict levels of data protection required by Lightspeed and applicable regulations. A list of our sub-processors is provided at the end of this page.

Pre-engagement and ongoing vendor assessments are conducted to ensure proper data privacy and security practices are in place throughout the vendor relationship.

Changes to vendor services provided or changes to existing contracts require a security risk assessment to confirm that the changes do not present additional or undue risk.

Policy and Procedure Documents Align With the NIST Privacy/Security Frameworks

Lightspeed Systems reviews its systems against the CIS Controls and NIST Frameworks, and any identified risks or gaps are addressed accordingly.

We have a designated Data Governance team that holds periodic meetings to ensure data integrity.

We have implemented various policy documents across the Organization for data protection, such as, but not limited to: Incident Response Plan, Security Policy, Vulnerability Remediation Policy, IT Standards Policy and Data Deletion Policy.

Lightspeed Security

Technical Safeguards

Data encryption

Data is encrypted in transit and at rest.

Data Retention & Deletion

Lightspeed Systems has implemented a Data Retention Policy. Where appropriate, our solutions utilize automated rules to purge data according to policy.

Data Backup

We perform regular backups of data and systems. Backup intervals are dependent on the type of data and range from minutes to once per day.

Vulnerability Remediation

Lightspeed Systems has a Vulnerability Remediation policy to identify and remediate vulnerabilities according to the risk they present. We utilize patch management software to monitor systems and ensure patches are implemented.

Malware Protection

Lightspeed Systems has in place anti-malware and anti-spam solutions to protect servers and workstations.

Logging & Monitoring

Lightspeed Systems has deployed logging and monitoring solutions to identify and investigate possible security events.

Identity & Access Control

Access to personal information is limited through login credentials to those employees who require it to perform their job functions. In addition, Lightspeed Systems utilizes access controls such as Multi-Factor Authentication, Single Sign-On, least privilege and access on an as-needed basis, strong password controls, and restricted access to administrative accounts.

Our solutions allow customers to create ‘Admin’ roles that provide only the rights needed to perform the required functions.

Lightspeed Security

Physical Safeguards

Workplace Security

Lightspeed Systems maintains the following controls designed to prevent unauthorized access to our offices:

  • Facility access is limited to authorized individuals by use of keys/key fobs or access badges.
  • Lightspeed offices have fire suppression and fire detection systems or devices as well as emergency exits and evacuation routes.

Data Center Security

All data centers where data is processed and stored are located in the United States and are independently assessed against SOC 2, HIPAA, PCI DSS and ISO 27001. Lightspeed has a process in place to log, monitor, and respond to events and anomalies in its systems and solutions. Data backup and recovery solutions are also in place.

Secure Design Principles

Lightspeed Systems practices security by design. We utilize a Secure Software Development Lifecycle based on the OWASP methodologies.

  • Our systems and processes take into account the core pillars of information security: Confidentiality, Integrity and Availability.

Compliance

Children’s Online Privacy Protection Act (COPPA)

COPPA applies to the online collection of personal information by persons or entities under U.S. jurisdiction from children under 13 years of age. Verifiable parental consent is generally required before a child's personal information may be collected or used.

  • Lightspeed Systems complies with the Children’s Online Privacy Protection Act (COPPA) to ensure the online safety of children. Student accounts are provided only through a verified educator, school, or educational organization. Educators agree to obtain parental permission before issuing accounts to students. Lightspeed’s COPPA Notice provides further detail.

We meet the following COPPA guidelines and agree to:

  • NOT collect online contact information without the consent of either a parent or a qualified educator or educational institution.
  • NOT collect personally identifiable offline contact information.
  • NOT distribute to third parties any personally identifiable information without prior parental consent.
  • NOT entice a child, by the prospect of a special game, prize, or other activity, to divulge more information than is needed to participate in that activity.
  • NOT use or disclose student information for behavioral targeting of advertisements to students.
  • NOT build a personal profile of a student other than for supporting authorized educational/school purposes.

Compliance

Family Educational Rights & Privacy Act (FERPA)

The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

  • Although FERPA applies to schools and not companies, Lightspeed Systems may be designated as a ‘School Official’ and, as such, we comply with FERPA requirements and have committed to protecting the privacy of students’ information entrusted to us by School Districts. The School Districts are in control of all student data and we proceed under their direction. Under FERPA, parents or eligible students have the right to access, inspect, review and rectify student records, and Lightspeed complies with these rights when we receive a verified written request from the School District.
  • Please note that Lightspeed Systems has no direct contact with students or parents.

Compliance

New York Education Law 2-D

Education Law § 2-d went into effect in April 2014. The focus of the statute is to foster the privacy and security of personally identifiable information (PII) of students and certain PII related to classroom teachers and principals. Lightspeed Systems complies with NY Education Law § 2-d and the Parents’ Bill of Rights, which require the following:

  • A student’s personally identifiable information (PII) cannot be sold or released for any commercial purpose;
  • The right to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency;
  • Safeguards associated with industry standards and best practices including but not limited to encryption, firewalls and password protection must be in place when student PII is stored or transferred;
  • To be notified in accordance with applicable laws and regulations if a breach or unauthorized release of PII occurs;
  • Parents have the right to have complaints about possible breaches of student data addressed;
  • Educational agency workers that handle PII will receive training on applicable state and federal laws, policies, and safeguards associated with industry standards and best practices that protect PII;
  • Educational agency contracts with vendors that receive PII will address statutory and regulatory data privacy and security requirements.

Compliance

Student Privacy Pledge

The Student Privacy Pledge is a public and legally enforceable statement by ed tech companies to safeguard student privacy, built around commitments regarding the collection, maintenance, and use of student personal information.

  • Lightspeed Systems has signed the Student Privacy Pledge to carry out responsible stewardship and appropriate use of student personal information.

Compliance

Student Data Privacy Consortium (SDPC) and National Data Privacy Agreement (NDPA)

The SDPC is a unique collaboration of schools, districts, regional, territorial and state agencies, policy makers, trade organizations and marketplace providers addressing real-world, adaptable, and implementable solutions to growing data privacy concerns.

  • The SDPC released the first National Data Privacy Agreement (NDPA) to streamline application contracting and set common expectations between schools/districts and marketplace providers.
  • Lightspeed is working with school districts in all the participating States to ensure we have Data Processing Agreements in place.
  • School districts who would like to sign the SDPC and NDPA with us are encouraged to email [email protected].

Compliance

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them.

  • Lightspeed Systems is committed to meeting the requirements of the CCPA and protecting your data.
  • Our Privacy Policy provides detailed information on how Lightspeed Systems collects and processes your personal information.

California consumers may make a request pursuant to their rights under the CCPA by contacting us at [email protected].

Compliance

California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA) amends and expands the California Consumer Privacy Act (CCPA) and took effect on January 1, 2023. It extends CCPA protections to the personal data of California employees (B2E) and business-to-business (B2B) contacts, and requires organizations that collect California residents’ data to apply more extensive protections, such as privacy risk assessments, data minimization and retention policies. The CPRA thus brings data rights to B2B relationships and employees, from transparent data disclosure to more vigorous enforcement and greater awareness of the privacy risks of data collection and processing, and requires organizations to account for any data tied to California employees, businesses, and residents.

Who does the California Privacy Rights Act protect?

Any California resident who can reasonably be identified, including employees, service providers/vendors, contractors, consultants, applicants, freelancers, and remote workers.

Employee & B2B Data Rights

  • Right to know: Employees, contractors, and service providers have the right to know what data is being collected and managed with the right to access copies of “specific pieces of personal information.”
  • Right to access: Similar to consumers, employees will be able to submit a data subject access request (DSAR) to their employer for access to their information, with some exceptions.
  • Right to limit use and disclosure: The right to request that a business limit or stop the use and disclosure of sensitive personal information.
  • Right to correct: The right to request that the business correct inaccurate information.
  • Right to opt-out: The right to opt-out of having personal information sold or shared.
  • Right to non-retaliation: The right not to be retaliated against for exercising any data rights.

Lightspeed Systems has the following procedures in place to ensure CCPA & CPRA compliance:

  • Data Subject Access Requests: Data subjects may exercise their rights by emailing our Privacy Team ([email protected])
  • Data Mapping: Mapping, inventory and classification of all data
  • Data Minimization: We only process data which is adequate, relevant, and limited to what is necessary to the purposes of the data being used.
  • Data Retention Policies: We have implemented Data Retention Policies across all our products and processes. Data is not kept for longer than reasonably necessary to fulfill the processing activity
  • Privacy Impact Assessments: We conduct risk assessments of all our products and processes, to ensure privacy and security by design.

Compliance

GDPR

The General Data Protection Regulation (GDPR) is an EU regulation governing the processing of personal data of individuals in the EU. It applies to organizations established in the EU and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.

  • Lightspeed Systems is committed to meeting the data protection requirements of the GDPR.
  • We have implemented the following processes to ensure GDPR compliance:
    • Data minimization – We only collect data necessary for a specific purpose and use is limited to the stated purpose.
    • Data mapping and classification – We maintain a detailed inventory of personal data, and then classify that data. This is a continuous process, which we constantly work on improving.
    • Article 30 records of processing activities.
    • Data retention – We keep data only for as long as it’s needed to fulfil the stated purpose and to meet our contractual obligations.
    • Data anonymization and pseudonymization.
    • Privacy Impact Assessments & Data Protection Impact Assessments of our processes and new product features.
  • Our Data Processing Agreement incorporates the EU Standard Contractual Clauses adopted by the European Commission and the UK International Data Transfer Agreement issued by the UK Information Commissioner’s Office, to safeguard transfers of personal data outside the EU and the UK.

Compliance

Australian Privacy Act (1988)

The Australian Privacy Act 1988 regulates the handling of personal information in Australia. This legislation serves as the foundation of data collection and management policies across the country. The Act sets out 13 Australian Privacy Principles (APPs) for managing the collection, use and disclosure of personal and sensitive information.

Who does the Privacy Act apply to?

The Privacy Act applies to Australian Government agencies and to organizations with an annual turnover exceeding AUD 3 million (as well as certain smaller organizations, such as health service providers) that handle the personal information of Australian residents.

Fundamental Principles of the Australian Privacy Act (1988)

Lightspeed Systems is committed to meeting the data protection requirements outlined in the Australian Privacy Principles, as follows:

  • Open and transparent management of personal information – We are transparent about the way we manage personal information. Our Privacy Policy details how we collect, use, disclose, transfer, and store information.
  • Anonymity and pseudonymity – Lightspeed Systems utilizes anonymization and pseudonymization to protect individuals’ identity where possible, except in circumstances that require a personal identity to process the data.
  • Collection of solicited personal information – We practice data minimization and purpose limitation, and only collect data necessary to fulfill the requested service and the primary purpose. If a case ever arose where we needed to utilize the data for a secondary purpose, we will notify our customers and obtain their Consent.
  • Dealing with unsolicited personal information – We have automatic blocking for unsolicited information. For cookies on our websites, our Cookie Banner is configured so that all cookies other than Strictly Necessary cookies are off by default and are only set after the visitor opts in.
  • Notification of the collection of personal information – The Educational Institutions are notified of the student and staff data that is collected. This is detailed in the Data Processing Agreements which we execute with our customers. We also maintain a Data Schedule for each of our products, which details the data collected and why it is collected.
  • Use or disclosure of personal information – We use personal data that is relevant to the original purpose for which the information was collected. Please refer to the ‘Third Parties: How We May Share Your Data’ section of our Privacy Policy to get more details of the circumstances in which data may be disclosed.
  • Direct marketing – We do not direct marketing to students or parents. Marketing is only directed at Educational Institutions, and they are provided with a clear and visible option to opt out of all marketing communications.
  • Cross-border disclosure of personal information – Cross-border data is only disclosed with Organizations who comply with the Australian Privacy Principles, and upon executing a Data Processing Agreement binding them to the required privacy and security practices.
  • Adoption, use or disclosure of government related identifiers – We do not adopt government-related identifiers as our own, or disclose an identifier of a person, unless we are authorized to do so by law or the identifier is needed to verify the identity of the individual.
  • Quality of personal information – We have systems in place to ensure quality of personal information received is accurate, complete and up to date.
  • Security of personal information – We employ administrative, technical and physical safeguards required for data protection, as detailed on this page.
  • Access to personal information – Individuals have the right to access their personal information, as stated in our Privacy Policy under the ‘Cross-Border Data Protection’ section.
  • Correction of personal information – Individuals have the right to correct their personal information, as stated in our Privacy Policy under the ‘Cross-Border Data Protection’ section.

Compliance

U.S. Department of Commerce’s Data Privacy Framework (DPF)

On July 10, 2023, the European Commission’s adequacy decision for the EU-U.S. Data Privacy Framework (EU-U.S. DPF) entered into force. The EU-U.S. DPF and the UK Extension to the EU-U.S. DPF were developed in furtherance of transatlantic commerce by the U.S. Department of Commerce, the European Commission and the UK Government to provide U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union/European Economic Area and the United Kingdom, while ensuring data protection that is consistent with EU and UK laws.

Lightspeed Systems complies with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. Lightspeed Systems has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms of our Privacy Policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Lightspeed Systems is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Lightspeed Systems commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF in the context of the employment relationship.

For more details on our compliance with the Data Privacy Framework, please review the ‘International Data Transfers’ section of our Privacy Policy.

Compliance

Office of Foreign Assets Control (OFAC)

The Office of Foreign Assets Control (“OFAC”) of the US Department of the Treasury administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States.

  • Lightspeed Systems, its subsidiary companies and affiliates are committed to full compliance with all international sanctions including but not limited to those imposed by the United States, the European Union, and the United Kingdom.
  • International sanctions are the laws, regulations, executive orders, council determinations and other government actions which prohibit a broad range of commercial and financial transactions. It is the policy of Lightspeed Systems to comply with all applicable international sanctions.
  • Lightspeed Systems considers an effective compliance program addressing export controls with policies and procedures to be an important, vital part of our business operations and ethical code of conduct.
  • We screen all international orders against various lists of sanctioned and prohibited persons and destinations prior to acceptance. Any order received, directly or indirectly, from a sanctioned person, or intended for ultimate end use by a sanctioned person or in a sanctioned destination, will be rejected.

Lightspeed Systems employees receive annual OFAC awareness training to ensure compliance.

Sub-processors

Hosting and data center sub-processors:

| Entity Name | Subprocessing Activities | Entity Location (HQ) |
| --- | --- | --- |
| Amazon Web Services, Inc. | Application Hosting & Storage | United States |
| LightEdge | Data Center | United States |
| Microsoft Corporation (Microsoft Azure) | Application Hosting & Storage | United States |

Other service sub-processors:

| Entity Name | Subprocessing Activities | Entity Location (HQ) |
| --- | --- | --- |
| Ably.io | Presence Monitoring | United Kingdom |
| Adobe Sign | Electronic Signature Provider | United States |
| FullStory | Product Analytics | United States |
| Greenhouse Software Inc. | Recruitment Management Software | United States |
| Microsoft Corporation | Email and Collaboration Tools | United States |
| Namely | Payroll Management Software | United States |
| NetSuite | Accounting Systems | United States |
| Pendo.io Inc | Software Experience Management | United States |
| Salesforce | Customer Support – CRM Provider | United States |
| Twilio | Communications Technology Provider | United States |