Security Whitepaper

Last Updated: January 31, 2024

Along Security Principles

Along is a free, web-based, digital teacher-student connection builder - helping teachers to better understand their students and increase student engagement in the classroom. The Services (defined below) enabled by Along have been developed to facilitate meaningful communication (in the form of multiple choice questions, asynchronous text, video and/or other supported methods of communication) between teachers and students through research-informed reflection questions and resources.

Along is offered by Gradient Learning and is being developed with input from educators, students, school leaders, and our technology partners from the Chan Zuckerberg Initiative (CZI). Gradient Learning also operates the Summit Learning program, where strong partnerships with schools and educators begin with a commitment to transparency, privacy, and security.

Along embeds these same values in its design, development, and operation, and is currently piloted in several school districts. We've outlined our commitments to educators, students, and parents in our Privacy Policy, User Agreement, Code of Conduct, and this Security Whitepaper. Should you have security questions or concerns, please contact the Along team at support@along.org.

Our information security program implements and maintains controls that align with the SOC2 Framework. We regularly evaluate our policies and practices to improve security and to keep up with the latest practices in the security industry.

Gradient Learning uses several service providers to host and deliver Along, listed in our third-party service provider list. Any CZI staffers working on Along that need access to student, teacher, or parent data follow the same rigorous Data Privacy Addendum that Along commits to its users.

We do not make money from students and teachers using Along, nor do we allow ads to be placed on Along. We do not and will never sell or rent students' personal information.

Infrastructure Security

Encryption at Rest and In Transit

Access to the Along service occurs via encrypted connections (HTTP over TLS, also known as HTTPS), which encrypts all data before it leaves Along’s servers and protects it as it transits over the internet. We use HTTP Strict Transport Security to ensure that pages are loaded over HTTPS connections. All personally identifiable information is encrypted at rest using modern encryption algorithms such as AES-256 or stronger.

Network Security

Along uses Amazon Web Services (AWS) to host the infrastructure. AWS undergoes strict ongoing security assessments from external audit firms to ensure compliance with security standards, including ISO 27001, SOC 2, PCI DSS Level 1, and FISMA. See AWS' Compliance Programs for more details on their security programs.

Network access to the Along infrastructure is highly restricted. AWS-hosted infrastructure resides in a dedicated Virtual Private Cloud (VPC) designed to ensure that only authorized traffic over approved ports is allowed. Along’s development infrastructure resides in a separate VPC. We leverage built-in AWS services like AWS GuardDuty to monitor suspicious activity.

Patching

We use automated monitoring to notify us of available patches, system updates, and security updates for the infrastructure that powers Along. Our engineering and security teams regularly review and incorporate updates to ensure the Along infrastructure is current. For critical updates, we have on-call rotations to provide a designated point person available to respond immediately.

Access Management

Access to the Along infrastructure is highly restricted. We limit access to individuals who need access to do their jobs, such as engineers, data scientists, product managers, and support personnel. All access to our infrastructure requires the use of strong passwords and multifactor authentication. In addition, access to our infrastructure is logged.

Backups

We have a data backup and recovery capability designed to provide timely restoration of Along, with minimal data loss, in the case of catastrophic failure. These backups are encrypted and stored in a different region than production databases.

Physical Security

Along is hosted in Amazon Web Services (AWS), which employs industry-leading physical security measures to protect their data centers, such as a full 24/7 onsite security team, video surveillance, and perimeter intrusion detection systems. Third-party auditors regularly audit these security features. You can learn more about AWS’ physical security here.

Application Security

Secure Software Development Lifecycle

In addition to designing our systems with privacy and security in mind, we employ manual and automated processes to identify potential vulnerabilities. This includes mandatory code review, automated source code scanning, automated dependency scanning, and periodic reviews of Along by external security experts. In addition, we run a Vulnerability Disclosure Program, which allows security researchers who identify vulnerabilities to disclose them to us responsibly.

If you suspect or know of a security vulnerability in the Along product, please contact us at security@along.org.

Browser Security

We use an up-to-date Content Security Policy (CSP) to prevent unauthorized JavaScript from running in the context of Along, and we use standard countermeasures to protect against Cross-Site Request Forgery (CSRF).

Authentication

Along exclusively uses Single Sign-On via Google for Education or Microsoft Office 365 to authenticate students and teachers. This means their schools manage passwords for students and teachers, and those passwords are never available to us.

All staff who work on Along use Single Sign-On systems and are required to use strong passwords and multifactor authentication.

Access Control

Along data models and authorization methods enforce strong access control for student-teacher communication. Only a student’s authorized teacher can interact with that student’s data, and students cannot see each other’s content.

Staff who work on Along are subject to access controls that limit their access to only the data reasonably needed to do their job. All Along access follows established procedures and is logged. Logs themselves are further protected to ensure their integrity.
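As an added example (not Along's code or data model), the following shows the two rules stated above enforced at a single authorization point with deny-by-default semantics: a teacher can read only reflections from students on that teacher's roster, a student can read only their own, and every read decision is written to an audit log. The roster and reflection structures, the role names and the sample records are all constructed for the example.

```javascript
// Added example (not Along's code): deny-by-default authorization for
// teacher-student reflection data, with an audit log of each decision.
// Data model, role names and sample records are assumptions for the example.
class AuthorizationError extends Error {}

// Constructed sample data: which students each teacher is authorized for.
const rosters = {
  't-ramirez': new Set(['s-101', 's-102']),
  't-okafor': new Set(['s-103']),
};

// Constructed sample reflections submitted by students.
const reflections = [
  { id: 'r1', studentId: 's-101', text: 'I felt more confident this week.' },
  { id: 'r2', studentId: 's-102', text: 'Group work was hard.' },
  { id: 'r3', studentId: 's-103', text: 'I liked the reading.' },
];

// Every access decision is recorded here (in a real system: append-only store).
const auditLog = [];

function audit(actor, reflectionId, decision) {
  auditLog.push({ actorId: actor ? actor.id : null, reflectionId, decision });
}

// Returns true only when an explicit rule grants access; anything else is denied,
// including unknown roles, so a new role never gains access by omission.
function canReadReflection(actor, reflection) {
  if (!actor || !reflection) return false;
  switch (actor.role) {
    case 'teacher': {
      const roster = rosters[actor.id];
      return roster instanceof Set && roster.has(reflection.studentId);
    }
    case 'student':
      // Students see only their own content, never a classmate's.
      return actor.id === reflection.studentId;
    default:
      return false;
  }
}

// Single enforcement point for reads. A missing record and a forbidden record
// produce the same error so a caller cannot use the response to learn which
// reflection ids exist for other students.
function getReflection(actor, reflectionId) {
  const reflection = reflections.find((r) => r.id === reflectionId);
  if (!reflection || !canReadReflection(actor, reflection)) {
    audit(actor, reflectionId, 'deny');
    throw new AuthorizationError(`reflection ${reflectionId} not available`);
  }
  audit(actor, reflectionId, 'allow');
  return reflection;
}

// Listing is filtered through the same rule, so a list can never reveal
// more than an individual read would.
function listReflections(actor) {
  return reflections.filter((r) => canReadReflection(actor, r)).map((r) => r.id);
}

module.exports = { AuthorizationError, reflections, auditLog, canReadReflection, getReflection, listReflections };
```

Keeping `canReadReflection` as the one place the policy lives means the list endpoint and the single-record endpoint cannot drift apart, and the audit entries give the logged, integrity-protected trail the section describes something concrete to record.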

Security Governance and Policies

Incident Response

We have an established process that is followed whenever we detect suspicious or abnormal activity on Along that might have a security implication. To support this process and our efforts to ensure Along is available, our engineering and security teams have on-call rotations to provide a designated point person available to respond to any suspicious or abnormal activity.

As part of our incident response process, we perform post-incident reviews of major incidents, including security and non-security related (such as site outages). These reviews are designed to ensure that we learn from past incidents and, if needed, improve Along to prevent them from occurring again.
