Security, Privacy, and Accessibility

Portflow Trust Portal

Self-service access to security, data privacy and compliance documents

This Portflow Trust Portal is your one-stop shop for information on Portflow’s commitment to security and compliance. Here, you’ll find the resources you need to evaluate Portflow as a trusted partner, whether you’re a potential customer or an existing one performing due diligence.

Within this portal, you’ll have access to Third-Party Audit Reports (Independent verification of the security controls and practices in place for Portflow’s cloud-hosted services) and Compliance Documentation (details on how Portflow adheres to industry data protection standards and regulatory requirements).

We encourage you to explore the portal and gain a comprehensive understanding of Portflow’s unwavering commitment to safeguarding your data and meeting your compliance needs.

Quick Summary

  • Annual third-party penetration testing

  • Will enter into a DPA

  • Deletes customer data on request
  • One or more annual third-party audit(s)
  • Has a disaster recovery plan
  • Has cyber insurance

Compliance & Conformance

1EdTech TrustEd Apps Certified Logo
SOC2typeII
Cyber Essentials Certified
TrustEd Apps Certified Data Privacy - 1edtech

Documents

Frequently Asked Questions

  • Production data: Ireland | eu-west-1 (Heroku on AWS)
  • Primary backup-data: Ireland | eu-west-1 (Heroku on AWS)
  • Secondary backup-data: Frankfurt, Germany | eu-central-1, Frankfurt (AWS)

Alumnus account

  • Google Oauth

Evidence import

  • Microsoft OneDrive

Evidence embedding

  • Canvas Studio
  • Kaltura
  • Panopto
  • Vimeo
  • YouTube
  • Yuja

LMS / VLE

  • Canvas LMS by Instructure
  • Brightspace by D2L
  • Blackboard Learn by Anthology (Q2 2024)
  • Moodle (Q2 2024)

Portflow customers’ data is automatically backed up both in real time and on a 24-hour schedule across multiple geographical locations within the EEA, rather than in a single data centre. This enables Drieam to provide superior disaster recovery in the event of an outage. At all times, we aim to be able to restore a full backup within four hours.

Data in transit is encrypted using SSL with a minimum of TLS 1.2 or higher. This ensures that all communication between your browser and our servers and amongst our servers is fully secure, in line with SOC 2 level II requirements..

The data at rest stored in the databases is encrypted using AES-256 block-level storage encryption to ensure its confidentiality and integrity. We use robust security measures to ensure that only authorized users have access to the data, in line with SOC 2 level II requirements.

User and management access it authenticated through either 2-factor authentication (2FA) or identity federation with existing provider (SSO via LTI 1.3).

Since the summer of 2024, Portflow introduced it’s first AI integration. This is an optional feature that can be enabled at the institution’s level by their administrators. This first AI feature allows users to create an analytic summary of received feedback on a goal. For this feature, Portflow uses the high-quality language model GPT 4o mini, offered through Microsoft Azure OpenAI Service, hosted in Sweden (EU). The integration and service ensures that there is no data transfer outside the EU, as well as that the prompt, input content (feedback), and outputs are not used to train or improve language models. In addition, user’s PII is not linked to the data sent to the AI service. More information on Microsoft Azure’s privacy and security can be found on Microsoft’s website.

Portflow is Vetted & Trusted by

Controls

  • Firewall access restricted
  • Intrusion detection system utilized
  • Network firewalls utilized
  • Network and system hardening standards maintained
  • Log management utilized
  • Data encryption utilized
  • Password policy enforced
  • Vulnerability and system monitoring procedures established
  • Continuity and disaster recovery plans tested
  • Incident response plan tested
  • Development lifecycle established
  • Whistleblower policy established
  • System changes externally communicated
  • Support system available
  • Access reviews conducted
  • Access requests required
  • Production deployment access restricted
  • Change management procedures enforced
  • Risks assessments performed
  • Data classification policy established
  • Data retention procedures established

Request documents

Request access to the following document(s) *