The security and privacy of student information is not just a priority, it is an imperative for educational institutions. We understand that you have a significant responsibility to protect this information.
At Digital Theatre+, we are committed to providing a safe and private educational environment. This post will explain how our service ensures the highest standards of security and privacy, and illustrate why Digital Theatre+ is a safe choice for your schools.
Digital Theatre+ recognizes that your trust in us rests on our commitment to data security and privacy. The core pillars we rely on to deliver both are:
We facilitate this by integrating with your existing Identity Provider (IdP), such as Google Workspace for Education, Clever, ClassLink, or Microsoft Entra ID, or any other SAML 2.0 IdP, using SAML 2.0 for authentication. Because the IdP decides which attributes it releases in the SAML Response, your school retains precise control over who can access Digital Theatre+ and what information is shared, so only the data needed to deliver the service is exchanged.
By using SAML for Single Sign-On (SSO), we remove the need for traditional rostering, in which student and staff records are exported in bulk to the vendor and frequently include more personal information than the service requires.
Personal data is therefore shared only for the users who actually sign in, which improves privacy and reduces the amount of data that could be exposed.
We provide SAML Single Sign-On at no extra cost, in line with CISA's K-12 Education Technology Secure by Design Pledge, which asks vendors to offer SSO as a standard feature rather than a paid add-on.
Digital Theatre+ uses Okta for Identity and Access Management. Okta has long been recognized as a leader in this space.
User information is held in an Okta tenant dedicated to Digital Theatre+. Data is never copied out of that tenant; it is accessed only by our background-checked staff and by our own applications. Access by Okta's own personnel, even for technical support, requires explicit approval from our Director of Technology and is granted only temporarily.
Digital Theatre+ follows the principle of least privilege. User accounts are created and updated on demand with Okta's Just-In-Time (JIT) provisioning from the attributes in each SAML Response, so no user data has to be pre-loaded. Accounts are retained for at most 14 months after the last login and are then permanently deleted, as set out in our privacy policy and terms of service.
Data security extends beyond access controls. Digital Theatre+ encrypts data at rest and in transit. User data at rest is protected with 256-bit AES using keys exclusive to Digital Theatre+. SAML messages are signed and encrypted with X.509 key pairs. All HTTPS traffic uses 2048-bit RSA keys and TLS 1.2 or later.
For customers using SAML Single Sign-On, the request and response exchange is protected by the same X.509 signing and encryption keys. Encryption keys for AWS services are managed through AWS KMS, in line with industry best practice.
The private key for the Digital Theatre+ domain certificate is entrusted to the Director of Technology and stored on an Aegis Secure Key 3NXC. This device is FIPS 140-2 Level 3 validated, performs 100% hardware-based 256-bit AES-XTS encryption, and can only be unlocked with a PIN entered on its onboard keypad.
Unlike many services, Digital Theatre+ hosts its own analytics with Matomo, so data about students and faculty is never handed to a third-party analytics provider. We use only first-party cookies, so all tracking stays within the controlled environment of our service.
The amount of personal data sent to Digital Theatre+ depends on your Identity Provider configuration, your reporting needs, and whether you require access restrictions on content with mature themes.
Digital Theatre+ requires a unique identifier for each user, formatted as an email address (e.g., identifier@scope.tld). This identifier does not need to correspond to a real mailbox.
If email-like identifiers are not available, Digital Theatre+ can transform another persistent identifier into a suitable format within our system.
For granular reporting by school, role, or grade, additional attributes are required; these are supplied by your Identity Provider as attributes in the SAML Response.
Digital Theatre+ collects this information solely for authentication and service delivery. We do not share personal data with third parties unless required by law, and we do not sell it. We engage subprocessors to help deliver our services and ensure they comply with applicable data protection laws.
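The following is an added example, not Digital Theatre+ code, showing what a school's IT team can check on its own side of the SAML exchange described above: which attributes the IdP actually releases, whether any of them go beyond what the service needs, and how a non-email persistent identifier can be mapped to the identifier@scope.tld form. The attribute names (school, role, grade), the scope northhigh.example, and the sample assertion are all constructed for illustration; a real assertion is signed and must be signature-verified before any value in it is trusted.

```python
"""Added example (not Digital Theatre+ code): inspect the attributes an IdP
releases in a SAML 2.0 assertion, flag anything beyond an allow-list, and
normalise the subject identifier to the email-like form identifier@scope.tld.
Attribute names, the scope and the sample assertion are assumptions."""
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attributes the service actually needs (names assumed for this example).
ALLOWED_ATTRIBUTES = {"school", "role", "grade"}

# Constructed sample assertion, not a real IdP response. Real assertions carry an
# XML signature that must be verified before any value here is trusted.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">s0012345</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="school"><saml:AttributeValue>North High</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>student</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="grade"><saml:AttributeValue>10</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="homeAddress"><saml:AttributeValue>1 Example St</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Loose email-shape check: one '@', no whitespace, a dot in the domain part.
EMAIL_LIKE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_assertion(xml_text):
    """Return (name_id, {attribute_name: [values]}) from an assertion body."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return name_id, attrs


def excess_attributes(attrs, allowed=ALLOWED_ATTRIBUTES):
    """Attributes the IdP released that the service does not need (data-minimisation check)."""
    return sorted(set(attrs) - set(allowed))


def normalize_identifier(raw, scope):
    """Accept an email-like identifier as-is (case-folded); otherwise map a
    persistent ID into identifier@scope, keeping only characters that stay stable."""
    raw = raw.strip()
    if EMAIL_LIKE.match(raw):
        return raw.lower()
    local = re.sub(r"[^a-z0-9._-]", "-", raw.lower())
    if not local:
        raise ValueError("identifier is empty after normalisation")
    return f"{local}@{scope}"


if __name__ == "__main__":
    name_id, attrs = parse_assertion(SAMPLE_ASSERTION)
    print("identifier :", normalize_identifier(name_id, "northhigh.example"))
    print("attributes :", attrs)
    print("not needed :", excess_attributes(attrs))
```

Run against the sample, the check reports homeAddress as an attribute the IdP released but the service does not need, which is exactly the kind of over-sharing an IdP attribute-release policy should be tightened to prevent. Case-folding the identifier is a design choice that keeps one user from ending up with two accounts when the IdP changes the capitalisation of a NameID.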
We prioritize privacy and self-host our analytics using Matomo, which removes the concern of third-party trackers monitoring student and faculty activity. All cookies we set are first-party cookies scoped to domains within *.digitaltheatreplus.com.
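As an added example (not Digital Theatre+ code), here is the check a school's security team can run over Set-Cookie headers captured in a browser session to confirm the first-party claim above: every cookie's Domain attribute must match digitaltheatreplus.com or a subdomain of it under RFC 6265 domain-matching rules, and a look-alike such as evil-digitaltheatreplus.com must not pass. The sample headers are constructed, not captured from the real service, and the Secure and SameSite checks are the reviewer's own additions.

```python
"""Added example (not Digital Theatre+ code): audit Set-Cookie headers and
confirm every cookie is scoped to the first-party domain, with the RFC 6265
dot-boundary rule so look-alike domains are rejected. Sample headers are constructed."""
from http.cookies import SimpleCookie

FIRST_PARTY_SCOPE = "digitaltheatreplus.com"

# Constructed Set-Cookie lines, not captured from the real service.
SAMPLE_SET_COOKIE = [
    "session=abc123; Domain=.digitaltheatreplus.com; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_pk_id.1.abcd=xyz; Domain=analytics.digitaltheatreplus.com; Path=/; Secure; SameSite=Lax",
    "tracker=1; Domain=evil-digitaltheatreplus.com; Path=/",
    "legacy=2; Path=/",
]


def domain_in_scope(cookie_domain, scope=FIRST_PARTY_SCOPE):
    """RFC 6265 domain matching: exact match or a subdomain at a dot boundary.
    'evil-digitaltheatreplus.com' ends with the scope text but is NOT in scope."""
    d = cookie_domain.lower().strip().lstrip(".")
    return d == scope or d.endswith("." + scope)


def audit_cookie(set_cookie_line, request_host):
    """Return (name, findings) for one Set-Cookie header; findings is a list of issues."""
    jar = SimpleCookie(set_cookie_line)
    if len(jar) != 1:
        raise ValueError("expected exactly one cookie per Set-Cookie header")
    name, morsel = next(iter(jar.items()))
    # A cookie without a Domain attribute is host-only: scoped to the responding host.
    domain = morsel["domain"] or request_host
    findings = []
    if not domain_in_scope(domain):
        findings.append(f"domain {domain!r} is outside *.{FIRST_PARTY_SCOPE}")
    if not morsel["secure"]:
        findings.append("missing Secure")
    if not morsel["samesite"]:
        findings.append("missing SameSite")
    return name, findings


def audit_all(lines, request_host="www." + FIRST_PARTY_SCOPE):
    """Map cookie name -> findings for every Set-Cookie line in a capture."""
    return dict(audit_cookie(line, request_host) for line in lines)


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_SET_COOKIE).items():
        print(f"{name:16} {'ok' if not findings else '; '.join(findings)}")
```

Of the four constructed cookies, the session and Matomo-style _pk_id cookies pass, the look-alike tracker domain is flagged as outside the first-party scope, and the host-only legacy cookie is in scope but reported for its missing Secure and SameSite attributes.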
Digital Theatre+ understands the importance of protecting student data. We back up our commitment with robust security practices, including user authentication via trusted IdPs, encryption at rest and in transit, and strict key management protocols. Our data minimization practices and focus on first-party analytics demonstrate our commitment to privacy.
By partnering with Digital Theatre+, you not only gain access to a wealth of educational content while ensuring the safety of your students and faculty, but you also partner with a team dedicated to providing a safe, secure, and enriching educational experience. We invite you to explore Digital Theatre+ and experience the difference a safety-first approach can make.