Introduction
ADAM EduTech supplies software (“ADAM Software”) to Schools in order to manage their pupil databases. This software is designed to help schools manage the personal information of minors (their students, prospective students and alumni) and of their legal guardians.
ADAM EduTech has a responsibility to ensure that the software is secure and that the data stored within it is not accessed by personnel who are unauthorised to do so. However, the responsibility to maintain the data under the obligations of the Protection of Personal Information Act remains with the information holder which, in this case, are the individual schools concerned. These schools licence the software from ADAM EduTech who both grants the schools a licence to use the software and to receive user support from ADAM EduTech’s support personnel.
ADAM EduTech acts as an “operator” in terms of the POPI Act and is appointed as such by a the Information Officer of the school, acting as the “responsible party“.
Conditions of lawful processing
The following sections cover the lawful processing of personal information as defined by the act in Section 4, paragraph 1 of the Act.
Schools must seek the appropriate consent for information processing of their customers’ personal information and that of their children – many of whom will be minors.
ADAM EduTech makes no warranty on behalf of its customers, the schools, that they are acting in accordance with the POPI Act with their use of the software.
In the provision of the data hosting platform, ADAM EduTech does provide some additional services which places it as the custodian of backups of information gathered and processed by its customers. This is elaborated on below.
Accountability
It is the school’s responsibility as the “responsible party” to ensure the conditions for the processing of personal information. The school acknowledges and accepts accountability for the capturing of the information into the ADAM Software.
Processing limitation
It is the School’s duty of the “responsible party” to fulfil the requirements of Sections 9 – 12 of the Act.
Purpose specification
Data is hosted in the ADAM Software database to assist schools with the management of pupil data and associated information. The purpose behind each type of data captured and stored in the ADAM Software needs to be justified by the school who is the “responsible party”.
Information quality
The ADAM Software provides some tools related to ensuring the the quality of the information stored is accurate. This includes data validation of captured data. However, the accuracy of this data is the responsibility of the school who is the “responsible party”.
Openness
The school, as the “responsible party” needs to ensure that they are open and honest about the data that they collect about their “data subjects” – the pupils and their parents and/or guardians.
Security safeguards: The school as the responsible party
The school, as the “responsible party” is responsible for ensuring that their user privileges are appropriately set up for each user to ensure limited access to the information stored in the ADAM software and that the users should not access functions or areas of the software for which they are not authorised to access.
In providing the necessary access to their users, the information officer of the school warrants that the users concerned have been given the appropriate training in handling the personal information of the data subjects stored in the ADAM software. The responsibility of managing user access is the school’s alone.
Certain users, appointed by the school’s Information Officer can be allowed administrative access to the server. This, by virtue of its function, allows the user or users concerned to access all personal information stored in the database. Such access should not be given lightly.
The school also undertakes to ensure that users are using secure passwords and that two-factor authentication is set up and in use by users who have access to personal information of data subjects on the platform.
Where employees leave the employ of the school, the school is responsible for the timely removal of access to the ADAM software.
ADAM EduTech as user support provider
From time to time, the school may request support as allowed by the Service Level Agreement that exists between the school and ADAM EduTech. In fulfilling these duties, employees of ADAM EduTech are able to access all information and functions within the ADAM software. This is required in order to provide software support and the ability to address “bugs” in the software.
ADAM EduTech support employees have signed confidentiality agreements whereby any personal information of data subjects that they come across in the course of their support duties may not be replicated in any way, or used in any form other than to provide support to authorised employees of the school. ADAM EduTech support employees are under strict instruction not to divulge any information found i the course of their work to any third party.
Because the school is the responsible party for the information stored within the ADAM software, ADAM EduTech support employees may not undertake any operation which modifies data on behalf of any employee of the school. They may, however, under instruction of the school’s Information Officer, modify the data stored in the ADAM software. In these cases, the scope of the data that is modified will be strictly limited as required. From time to time, the school may request support as allowed by the Service Level Agreement that exists between the school and ADAM EduTech. In fulfilling these duties, employees of ADAM EduTech are able to access all information and functions within the ADAM software.
In these cases the scope of the data that is modified will be strictly limited as required. From time
ADAM EduTech as software developers
ADAM EduTech develops and maintains the ADAM software. In the course of its duties in developing the ADAM software, ADAM EduTech may use the schools’ data in order to test and ensure that the software works as anticipated.
Before testing, schools data undergoes a randomisation process which replaces personal information, including names, ID numbers, phone numbers and email addresses (amongst many other elements of data) with random samples of data. This ensures that even if the information in the developmental environment is compromised, the personal information of the data subjects is not at risk.
Such testing will take place on a local area network only and the test software with the schools information will not be accessible outside the local network on which it is being tested. ADAM EduTech programming staff have limited access to the data. When not in use, all copies of unencrypted data are removed from development machines.
ADAM EduTech as your hosting platform
The ADAM software requires a server to run on. Some schools choose to host the ADAM software on their own server infrastructure. Other schools choose to have ADAM EduTech host the ADAM software instead. The responsibility of securing this hosting environment lies with the respective hosts.
Where ADAM EduTech acts as a hosting provider for a school’s version of the ADAM software, this necessarily means that ADAM EduTech has an obligation to protect the infrastructure on which the server is hosted. The following precautions are taken on each server instance:
1. Only a minimum number of ports and services are enabled on the server. This essentially means that we expose only the web service and the remote management service.
2. All access to the remote management service requires complex authentication. We use an encrypted channel (SSH) which requires certificate authentication. Password based logins are disabled.
3. All servers are patched with the latest security releases on a regular basis. This helps to mitigate the vulnerability to recently discovered security flaws.
4. Backups are encrypted with complex passwords. ADAM EduTech stores off-site copies of the database backups. The password that is used to encrypt the backup is random (numbers, upper and lower case letters), long (30 characters) and unique to each school. This helps to mitigate against unauthorised access to a backup of the information. Backups are also stored in a remote server location to ensure that there is recoverability of the information in the event of data loss on the server. The passwords to decrypt the backups are stored in a separate location to the backups themselves.
All schools’ data, which will include personal information of their pupils, staff and families, is stored within data centres located physically in South Africa. We never transmit this data to servers outside of the country.
ADAM does make use of servers located in Europe and whose operators are GRDP compliant, but these servers are used to synchronise software updates across the ADAM servers and provide other support services to the ADAM software and users, including this website and our help website.
Telemetry Data
The servers hosted in Europe collect telemetry data from the ADAM servers. This data is submitted by the ADAM software running for each school to the telemetry servers at regular intervals.
This telemetry data is limited to aggregated statistics to give us insight into the following usage patterns:
1. Numbers of pupils, staff and families
2. Number of logins over the last 30 days
3. Software versions
4. Times of last backups
5. Numbers of messages sent via the Messaging Centre
These statistics are transmitted to the server using industry standard HTTPS protocols and are thus unreadable by any party who might intercept the traffic. No personal information – not even anonymised data – is sent to the telemetry servers.
Backups
The information required to run the ADAM software fits into two broad categories: the database which contains the information and the document repository which contains electronic versions of documents stored in the software.
The ADAM software creates snapshot backups of the database at configurable intervals each day, week, month and year. The number of each of these backups can be configured by the school. Extra back ups are automatically deleted as soon as the next back up is made. The backups are password protected with long, complex passwords, unique to each school.
Where schools make use of ADAM EduTech’s hosted platform, these backups are transferred once per day to an off-site server in their password protected form to an alternate physical location. At this point, any backups that exceed the limits set by the school are automatically erased as well.
ADAM Software's security measures
The ADAM software has a number of security features that are built in to assist schools with the protection of information in the database. These protect the software at a number of different levels from unauthorised access. These features are constantly revisited as new techniques to secure the information is available.
The ADAM software’s security measures, like many computerised security systems are vulnerable to the dangers of Social Engineering.
This is where users either unwittingly or intentionally give access to ADAM to third parties either by divulging their login credentials to another person or third party, or being tricked into divulging their credentials by means of a “spoofed” website or interface.
Browser based protection
Modern web browsers can help software applications achieve excellent levels of security. ADAM has implemented the following security techniques which are enhanced by modern web browsers:
HTTPS Redirect
All ADAM EduTech hosted servers will automatically redirect any insecure access of the software to HTTPS to mitigate against eavesdropping. This redirection is enhanced by HSTS.
HTTP Strict Transport Security (HSTS)
Once a web browser has accessed an ADAM server securely for the first time, it will not allow the user to access the server insecurely. This ensures that all communication between the server and the browser must happen over a secure “HTTPS” channel and mitigates against eavesdropping of personal information.
Policy Headers
The ADAM software sends policy headers to tell browsers what activities are allowed. This helps mitigate the types of attack that a malicious actor can perform.
Cross-site request forgery (CSRF) protection
ADAM makes use of CSRF tokens to ensure that a maliciously crafted website or link does not perform actions that a legitimate user of the site might not be aware of.
Secure Cookies
The ADAM software makes use of secure cookies which cannot be read by JavaScript making authentication spoofing attacks difficult for malicious actors.
Content security policy
This allows the ADAM software to alert the browser to run only approved scripts and load only approved style sheets.
Other protections
In addition to the protections listed above, the ADAM software also implements the following mechanisms of protection:
Random authentication tokens
This means that authentication spoofing attacks are made more difficult and impenetrable by enumeration attacks.
Privilege checks on every page request
The ADAM software has a sophisticated privilege system which allows individual users to get a very specific set of privileges on the system. ADAM checks these privileges at each click to ensure that the users can only see what they need to see.
Time delayed logins
To mitigate against credential stuffing attacks, the ADAM software implements a random delayed login when incorrect credentials are supplied. If ADAM detects an increased number of incorrect attempts, the delay is increased accordingly. This makes ADAM impractical to target for a credential stuffing attack or even a distributed credential stuffing attack. If a genuine user logs in, they may notice a delay in the login process but should not be kept waiting for long.
Logged in session reporting
ADAM reports to teachers how many currently valid login sessions there are and allows them to terminate those sessions remotely.
Second factor authentication
ADAM can optionally allows staff to enable 2FA with the use of One-Time Passwords (OTP) using a time based OTP solution (TOTP).
Login session length
ADAM can restrict the length that a user remains idle before logging them out automatically. This length can be set by the school.
Passwords
Passwords are not stored in the ADAM database. Instead, the ADAM software stores an encrypted, bcrypt-hashed version of the password. This is a one-way hash which is not possible to reverse. The hashes are encrypted in an attempt to reduce brute-force attacks on individual passwords. Encryption and hashing are done by standard language-provided functions.
Password breach notifications
ADAM checks every new password against a breach notification database and warns users if they are using a password that has been compromised in a previous data breach. ADAM makes use of the “Have I Been Pwned” Pwned Passwords API (v3) which uses a technique called k-anonymity to ensure that passwords are not disclosed during the check.
Data subject participation
“Data subjects” are allowed to request what personal information is stored about them. To this end, the ADAM software has tools that can enable this, but this process must be initiated by the school who is the “responsible party” to ensure that information is not disclosed to unauthorised parties.
The ADAM software does facilitate data subject participation through online detail update forms, which allow the data subjects to update their data. This information however:
1. might not be a representation of all the data that has been collected by the “responsible party”;
2. will be verified by the “responsible party” before any changes are committed to the database; and
3. cannot directly be removed from the database by the “data subject”.
Marketing and bulk mail to data subjects
The school, as the “responsible party”, undertakes to obtain consent to send bulk mail to the data subjects stored in the database. ADAM allows for focused and targeted communication to data subjects to ensure that schools have the option of ensuring that communication is sent to the relevant parties only.
Many schools may use ADAM to distribute promotional and fundraising material to parents. It is up to the school to ensure that their use of the communication facilities provided in ADAM are compliant with the regulations and requirements of POPI. Where parents request to be removed from the bulk mailing list, schools must be aware that this will prevent the parent from receiving all of the information sent via ADAM’s Messaging Centre.
ADAM will never distribute the contents of the schools’ databases in any form to any third party whatsoever, without the strict and explicit written authorization from the school’s appointed Information Officer..
Updates and revisions to this document:
2021/06/01: Original document
2021/06/14: Updated to clarify that database backups are themselves encrypted and not merely stored in a password-protected environment.
2021/07/08: Updated to include information about some internationally hosted servers which collect telemetry data from all ADAM servers.