9 April 2024

Ensuring the safety of your students: How Digital Theatre+ prioritizes security and privacy

Natalie Wilding

Senior Product Manager

The security and privacy of student information is not just a priority, it is an imperative for educational institutions. We understand that you have a significant responsibility to protect this information. 

At Digital Theatre+, we are committed to providing a safe and private educational environment. This post will explain how our service ensures the highest standards of security and privacy, and illustrate why Digital Theatre+ is a safe choice for your schools.

Unwavering commitment to security and privacy

Digital Theatre+ recognizes the importance of your trust, which is based on our unwavering commitment to data security and privacy. The core pillars we rely on to ensure data security and privacy are:

  1. Integration with Identity Providers (IdPs): Utilising SAML 2.0 for secure authentication, ensuring you are always in control of user access and data exchange.
  2. Use of Okta for Identity and Access Management: Ensuring data is securely managed within a dedicated Okta tenant, with strict access controls and background-checked staff.
  3. Adherence to the Principle of Least Privilege: Implementing Just-In-Time provisioning via Okta and retaining accounts only as necessary, aligning with privacy policies.
  4. Robust Encryption: Employing 256-bit AES encryption for data at rest and strong encryption for data in transit, including the use of X.509 keys and TLS protocols.
  5. Self-hosted Analytics with Matomo: Ensuring student and faculty data remains within the controlled environment, avoiding third-party data handling.
  6. Transparency and Data Minimization: Clear communication about the type of data collected and its use, adhering to data minimization principles.
  7. First-party Cookies: Using first-party cookies for tracking to maintain data within the service's controlled environment.

Integration with Identity Providers, at no extra cost

We integrate seamlessly with existing Identity Providers (IdPs) such as Google Workspace for Education, Clever, ClassLink, and Entra ID, or any other SAML 2.0 IdP, utilising SAML 2.0 for secure authentication. This integration allows for precise control over user access and the information shared with Digital Theatre+, ensuring that only necessary data is exchanged.

By employing SAML for Single Sign-On (SSO), we eliminate the need for traditional rostering of data, which can often lead to the unnecessary sharing of personal information.

This means that personal data is not shared beyond the users who require access, enhancing privacy and reducing the risk of data exposure. 

Additionally, we provide SAML Single Sign-On at no extra cost, adhering to the best practices as outlined in the K-12 Education Technology Pledge by CISA, further ensuring a secure and privacy-conscious educational environment.

Protecting data at every level

Digital Theatre+ uses Okta to provide its Identity and Access Management Services. Okta has long been recognized as a leader in this space.

User information rests within a secure Okta tenant, exclusive to Digital Theatre+. Data is never removed from this location and is only accessed by our background-checked staff and through our secure applications. Access by Okta itself, even for technical support, requires explicit approval from our Director of Technology and is granted only temporarily.

Digital Theatre+ adheres to the principle of least privilege. User accounts are created and updated "on-demand" using Okta's Just-In-Time provisioning, eliminating the need for data pre-loading. Accounts are retained for a maximum of 14 months after the last login before permanent deletion, complying with our privacy policy and terms of service.

Encryption: The bedrock of data security

Data security extends beyond access controls. Digital Theatre+ utilizes robust encryption at rest and in transit. User data at rest is secured with 256-bit AES symmetric encryption using keys exclusive to Digital Theatre+. The data exchange itself is fortified with strong X.509 keys for signing and encryption. Additionally, all HTTPS communication leverages robust encryption algorithms and keys (2048-bit RSA) and at least TLSv1.2.

For customers leveraging SAML Single Sign-On, the request and response exchange benefits from the same robust encryption using strong X.509 keys. Furthermore, encryption keys for AWS services are managed through AWS KMS, adhering to industry best practices.

The Digital Theatre+ domain certificate is entrusted to the Director of Technology and secured on an Aegis Secure Key 3NXC. This device boasts FIPS 140-2 Level 3 validation and delivers 100% hardware-based 256-bit AES XTS encryption, with access requiring an onboard keypad PIN.

Analytics and cookies: respecting user privacy

Unlike many services, Digital Theatre+ hosts its own analytics through Matomo, ensuring that data about students and faculty does not fall into third-party hands. Our use of first-party cookies further reinforces this commitment, ensuring that all tracking remains within the controlled environment of our service.

Transparency in data practices

The amount of personal data sent to Digital Theatre+ depends on your Identity Provider configuration, reporting needs, and access restriction requirements for content with mature themes.

  • In some instances, no personal data is processed at all. 
  • Other scenarios may involve the email address, school identifier, and a user role indicator (student or teacher). 
  • Optionally, first and last names can be provided but are not mandatory.

User identifiers

Digital Theatre+ requires a unique identifier for each user, formatted as an email address (e.g., identifier@scope.tld). This identifier does not need to be linked to a mailbox. 

If email-like identifiers are unavailable, Digital Theatre+ can transform another persistent identifier into a suitable format within its system.

For granular reporting by school, role, or grade, additional attributes are required; these are provided in the SAML Response from your Identity Provider.

Purposes

Digital Theatre+ collects this information solely for authentication and service delivery purposes. Digital Theatre+ doesn't share personal data with third parties unless required by law, nor do we sell information. We engage subprocessors to assist in delivering our services, ensuring compliance with applicable data protection laws.

We prioritize privacy and self-host our own analytics service using Matomo. This eliminates the concern of third-party trackers monitoring student and faculty activity. Additionally, all cookies used are first-party, belonging exclusively to domains within the *.digitaltheatreplus.com scope.

Conclusion

Digital Theatre+ understands the importance of protecting student data. We back up our commitment with robust security practices, including user authentication via trusted IdPs, encryption at rest and in transit, and strict key management protocols. Our data minimization practices and focus on first-party analytics demonstrate our commitment to privacy. 

By partnering with Digital Theatre+, you not only gain access to a wealth of educational content while ensuring the safety of your students and faculty, but you also partner with a team dedicated to providing a safe, secure, and enriching educational experience. We invite you to explore Digital Theatre+ and experience the difference a safety-first approach can make.
