Hosting approach and client support model
Many Anthology products are regionally hosted. Access from outside the hosting location may be necessary for client support, product maintenance purposes and additional functionalities. Our client support is generally provided by the regional teams during regular business hours. To provide full 24/7 follow-the-sun support, Client Support’s global team of staff may access environments containing client data to handle a client support request from any of our support locations (e.g. US, Colombia, India, the Netherlands, Australia). Additionally, the product teams (development/operations personnel) in our global locations may have access to environments containing client data where required to maintain the products (e.g. reviewing performance issues) and to provide specialist expertise for client support cases. Our vendors (third-party subprocessors) may also require access to client data in order to provide the contracted services. Any access takes place only on a need-to-know basis.
Protecting your transferred data
To ensure that client/student data receives a high level of protection when it is accessed from outside the hosting locations, we use the 2021 Processor-to-Processor EU Commission Standard Contractual Clauses (P2P SCCs) that are incorporated within Anthology’s group of companies through intra-group data transfer agreements. In May 2019, we also submitted our Binding Corporate Rules (for Processors) for authorization and will mainly rely on the Binding Corporate Rules for transferred EU personal information once authorized. Through our internal policies, Anthology also applies GDPR-level standards globally to all of its departments and teams to ensure that client data receives the same high level of (EU) protection worldwide.
Further measures to protect transferred personal information:
- When data is transferred via the internet, it is encrypted in transit
- Encryption at rest is available for all key products
- Employees only have access to the personal information they need for the performance of their role (least-privilege principle)
- Employees must use multi-factor authentication for remote access to the IT infrastructure
- A select number of products are ISO 27001-certified and on the roadmap to be ISO 27018-certified
- Detailed contractual commitments regarding the level of security controls
- Contractual protection for personal data of our clients in the case of any requests by foreign authorities
Additional measures for EU/EEA/UK clients (“Schrems II”)
Anthology has conducted a transfer impact assessment based on the ‘Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data’ by the European Data Protection Board (“EDPB Recommendations”). Please contact [email protected] if you require further information.