Security Measures

SkillsPlay recognises Customer information and data as the most critical aspect of, and an important success factor in, our business. Having your trust in our handling of your data is crucial to SkillsPlay.

To ensure data is secure, SkillsPlay has implemented a set of safeguards and processes covering all parts of data handling, end to end. In addition, clear policies, principles and procedures enable continuous, considered implementation of new features in our BrightGame platform to ensure data stays secure.

SECURITY CONTROLS

SkillsPlay has implemented and maintains the following security controls for customer and user data, consistent with global cloud service provider industry best practices, including:

  1. Controls, Policies & Procedures.  Appropriate technical and administrative controls, and organizational policies and procedures.
  2. A named person in the role of dedicated Chief Information Security Officer (CISO), with a focus on security in all areas of the SkillsPlay business.
  3. Access Authorisation.  Access controls for provisioning users, which shall include providing Customers a mechanism to view Customer users and their access privileges for licensed users.
  4. System and application logging where technically possible. SkillsPlay retains logs for a maximum of one (1) month and verifies such logs periodically for completeness.
  5. Malicious code and/or software. Malware prevention software (e.g. antivirus) is implemented on infrastructure where applicable.  Using the BrightGame platform does not require any Customer hardware installation.  Users can choose to install an App on mobile devices.
  6. System Security. System and IT security controls at SkillsPlay follow industry best practices, including: (i) a high-level diagram, which will be provided to Customers upon request; (ii) the BrightGame platform uses a mix of industry-standard cloud and software firewalls to dynamically limit external and internal traffic between our services; (iii) a program for evaluating security patches and implementing patches using a formal change process within defined time limits; (iv) SkillsPlay runs regular penetration testing by an independent third party, with a detailed written report issued annually by such third party and provided to Customers upon request; (v) documentation of identified vulnerabilities ranked based on risk severity, and corrective action according to such rank.
  7. Asset Management.  An asset management policy is kept current, including asset classification (e.g., information, software, hardware).
  8. SkillsPlay regularly runs cross-company Risk Assessments to ensure potential risks are identified and managed.
  9. A Password policy and controls are implemented to protect data, including complexity requirements and multi-factor authentication where available.
  10. The BrightGame platform uses sub-processors to strengthen scalability. All sub-processors hold the highest level of security and have current certifications for, among others, ISO27001 and SOC2 Type 2. A list of sub-processors is attached in Annex A.

DATA SECURITY

SkillsPlay has a strong commitment to our Customers' and users' data. Compliance with the GDPR is a top priority for SkillsPlay and our customers. The GDPR aims to strengthen personal data protection in Europe, and impacts the way we all do business.  With Cloud, taking advantage of the global market is important to SkillsPlay, delivering a learning platform to all.  SkillsPlay is diligent with its use of sub-processors, and never makes transfers outside Europe/EEA without having appropriate safeguards in place. This may, where required, include additional safety measures.

  1. SkillsPlay will handle our Customers' and Users' data securely and consistently.  To ensure this is a cross-company focus, SkillsPlay contracts experts that support data protection.
  2. SkillsPlay has implemented encryption on all Customer and user data.
  3. At Rest: Customer data only resides in the production environment encrypted with industry best practices.
  4. In Transit: All network communication uses TLS v1.2 or higher. We are committed to securing “A+” on any SSL Server tests.
  5. Data availability. SkillsPlay is establishing a BrightGame platform architecture with multiple live data stores for availability.
  6. The BrightGame platform runs continuous backup processes to ensure data and information consistency to the highest standards. Testing of the backups is done regularly.
  7. SkillsPlay never uses real Customer data in our development environment.

OPERATIONAL SECURITY

Running a service demands a high focus on structure, best practices, and proven methods, while at the same time implementing new technologies when and where appropriate. This demands clear structure and procedures. For this, SkillsPlay has implemented, among others, the following measures:

  1. A Business Continuity and Disaster Recovery policy and plans.  These are tested on a regular basis. The plans include infrastructure and applications used to host Customer Information and provide Services to our Customers.
  2. To structure the work done SkillsPlay uses an compliant with ISO 27001.
  3. The operation is thoroughly monitored with uptime checks, logs, trend analysis and an Intrusion Detection System (IDS). Any significant issues are alerted on 24/7.
  4. SkillsPlay's strategy includes development of geo redundancy in the BrightGame platform distribution of assets, with no fixed maintenance windows; the service is expected to be available continuously.

PEOPLE SECURITY

To ensure SkillsPlay delivers on Customer expectations of quality, security, and privacy, SkillsPlay has enforced controls at employee level:

  1. All employees are required to secure their equipment following the Information security policy, including antivirus, encryption, and Multi-Factor Authentication (MFA).
  2. Our strategy includes running background checks on, and signing confidentiality agreements with, all employees according to applicable laws, and in addition training them in Information Security and Secure Development Practices.
  3. For SkillsPlay, inclusion, equality, respect and honesty are important in everything we do, and we commit to conducting regular training in our policies, including:
    1. Inclusion and Accessibility Policy
    2. Anti-bribery & Anti-corruption Policy
    3. Anti-Slavery & Anti-Child Labor Policy
    4. Gender Equality & Anti-discrimination Policy 
    5. Whistleblowing policy 
  4. Our systems access control strategy means our Employees' level of access will be determined by the job position. Access reviews will be performed periodically, and access will be removed if no longer necessary. SkillsPlay enforces the principle of least privilege (PoLP).