Preamble

Securing and respecting the confidentiality of administrative and financial information, as well as documents provided by stakeholders such as families, is at the heart of Eduka Software's preoccupations.occupations of Eduka Software, which takes every measure to ensure the ongoing security of its data hosting infrastructure and web applications.

This article gives an overview of the technical and functional measures taken by Eduka Software and offered to schools through the Eduka Suite platform.

Eduka Software's data hosting and communication service, and its various components, have been presented to and explicitly validated by the Eduka Board of Directors.and explicitly validated by the Data Protection Officer of AEFE (Agence pour l'Enseignement Français à l'Etranger).

General Data Protection Regulation (GDPR)

Introduction

On May 25, 2018, the General Data Protection Regulation (RGPD) came into force . this European Union regulation, the text of which we strongly advise you to read, which can be found in several languages, concerns any company or organization even outside the borders of Europe : it applies whenever your database contains personal data (DCP) relating to European residents.

The RGPD affirms the primacy of the rights of natural persons with regard to their data, while presenting a framework for the use of this data, including imperative compliance with the following 3 mandatory criteria: Lawfulness / Transparency / Fairness.

Through this regulation, the European legislator aims to achieve 3 main objectives:

1. Strengthen the rights of individuals, notably by creating a right to erasure, portability and limitation of personal data
2. Make those who collect and process data (data controllers and processors) more accountable
3. Standardize the fundamental principles and obligations of each player

The aim of this document is to take stock of the functionalities implemented on your Edula platform to meet the requirements of these European regulations. Certain points require action on your part - the mention " [Action required] " will be indicated in the titles of the corresponding paragraphs - and we invite you to consider them carefully so that your platform always remains compliant with the RGPD.

Scope of application

More specifically, the RGPD applies to data processing carried out by an establishment responsible for processing or a processor located:

• within the European Union and the United Kingdom(establishment criterion)
• outside the European Union if the data concerns residents of the European Union(targeting criterion)

If your school is located in a country outside the EU, the following situations fall within the scope of the RGPD:

1. When collecting data from families residing in the European Union at the time of enrolment or re-enrolment (pursuant to Article 3(2) of the RGPD)
2. If the explicit targeting of individuals by the data controller concerns European nationals.
   Indeed, if a school communicates in the French language, welcomes a majority of French or French-speaking studentsais ou francophones et faciliter les inscriptions depuis la France ou d'autres pays de l'UE, cela constitue un ciblage caractérisé de ressortissants de l'UE (Référence: Recital 23 of the RGPD).
3. If the collection and/or processing of personal data concerns(s) minors (pursuant to Article 8 of the RGPD)
4. You store personal data of former students and their families who now reside in a member country of the European Union (application of Article 3(2) and Recital 14 of the RGPD)

However, point 4 above should be qualified because, under Article 17(3)(b) of the RGPD, if your local (non-EU) regulations require information containing personal data to be kept for a certain period of time (e.g.: enrolment records), then the fact that targeted individuals leave the country where your school is based to move to a European Union country will not be able to override your local law. You therefore need to know your legal obligations regarding the retention of personal data to know on which personal data the RGPD's right to erasure may apply.

Countries in line with the European Union for the RGPD

Article 45 of the RGPD authorizes transfers of personal data to a third country when the European Commission has decided that this country ensures an adequate level of protection.
This adequacy decision implies that the third country offers a level of data protection essentially equivalent to that guaranteed within the EU.
This assessment is based on several criteria, including:

• Respect for the rule of law, human rights and fundamental freedoms
• The existence and effective operation of one or more independent supervisory authorities
• The country's or international organization's international commitments in terms of data protection

Link to the European Union publication page specifying the up-to-date list of countries recognized as adequate, i.e. offering adequate data protection, in relation to the RGPD:Data protection adequacy for non-EU countries

Some definitions

Personal data (DCP)

Data is considered personal when it can directly or indirectly identify individuals.

For example : name, vehicle registration number, telephone number, photograph, biometric elements such as fingerprints, DNA, information making it possible to discriminate a person within a population such as, for example, place of residence, profession, sex, age, etc.

It may be information that is not associated with a person's name, but which can be used to identify him or her, and to find out about his or her habits or tastes.

Data relating to individuals belongs to those individuals: they must be able to monitor its use at all times - and thus judge whether the use of information technology infringes their identity, their privacy or their freedoms.

This is why all custodians of personal data must :

• be able to explain and demonstrate the purposes for which they collect and process such data
• be able to demonstrate to individuals that they care for and protect their data
• demonstrate its compliance with the criteria defined by the Data Protection Act and the RGPD

Data processing

Data controller

The data controller is the natural or legal person who determines the purposes and means of any operation (collection, recording, modification, deletion, etc.) applied to personal data. To determine the identity of the data controller, the following criteria can be used:

• "control" of the processing: what will it be used for, and how will it operate?
• "implementation" of processing: who decides to use it, and who uses it?

The data controller must be distinguished from those involved in its implementation, such as subcontractors.

Any person processing personal data on behalf of the data controller is considered a subcontractor within the meaning of the law.

Subcontracting does not relieve the data controller of its responsibility.
Example: In the case of external hosting of one of the school's websites, the host is considered to be the subcontractor.

Role and missions of the Data Protection Officer (DPO)

The RGPD places the Data Protection Officer (commonly known as the DPO) as a key player in the personal data governance system. Indeed, the missions assigned to him or her enshrine his or her role as pilot of the ongoing, dynamic compliance process in which every school concerned must be involved. As part of his duties, the DPO :

• advises and supports the school
• is responsible for monitoring compliance with the RGPD
• is the school's point of contact on RGPD matters with the supervisory authorities in Europe and with those concerned by the processing of personal data
• ensures documentation relating to data collection and processing
• may not represent the school alone before a supervisory authority in Europe at a summoned hearing, as this would place him/her in a conflict of interest situation. He/she may, however, accompany a representative of the school's management to contribute his/her expertise and answer questions.
• is not personally liable in the event of the school failing to meet its obligations under the RGPD. It is the school - and therefore a fortiori the data controller - that remains responsible for compliance with and application of the RGPD.
• can usefully document the decisions that have been taken by the management staff without having followed its recommendations as well as, where applicable, the reasons why its advice was not followed.
• may be entrusted with other tasks within the school, provided that this does not hinder the fulfillment of the duties specicifically assigned to him by the RGPD (including by depriving him of the time necessary to carry out his missions) and that this does not constitute a conflict of interest.
• must apply a level of vigilance and resources that is all the stronger as the risks presented by the school's processing of DCP are significant

Further details on the Data Protection Officer are available in the following article:The Data Protection Officer (DPO) - Eduka Suite

Roles of each party

In view of the above, subscribing to a license to use an Eduka Suitre platform requires the following roles to be assigned:

• The school head is the "controller" of personal data within the meaning of the RGPD and must comply with all related obligations
• Eduka Software is the "subcontractor", providing the web applications used to collect and process the personal data of the entire educational community on behalf of the data controller
• Eduka Software calls on a number of "subsequent subcontractors" to carry out its various missions on behalf of its customer establishments. These subcontractors are selected by Eduka Software for their in-depth knowledge of the international educational environment, and in particular of French lycées abroad.they are selected by Eduka Software for their in-depth knowledge of the international educational environment, and in particular of French high schools abroad, for their technical and/or functional skills, for their professional background and for their level of mastery of Eduka Suite, and are bound to Eduka Software by a subcontracting agreement complying with the obligations of the RGPD.
• Each school concerned is obliged to appoint a Data Protection Officer (DPO) to ensure compliance with the RGPD in the activities of collecting and processing DCP in the Eduka platform.

Who does what in the data processing chain?

Data controller: rules to be respected

Data controller: questions to ask before using personal data

Details of data retention periods

Personal data processed as part of the school's operations cannot be kept indefinitely in the current database of your Eduka platform. A retention period in the current database must be established by the data controller according to the purpose of each item of data, which applies in particular to personal data.

Once the retention period in Eduka's current database has expired, the information must be deleted or stored securely outside your Eduka platform.outside your Eduka platform for archiving purposes, in accordance with the legal framework defined by your local regulations.

Depending on the laws and regulations of your country, each piece of information to be archived must be kept securely for a certain period of time, often referred to as thee Durée Utile d'Archivage (DUA), beyond which an associated action will be defined to respect the data life cycle defined within your school (eg: transfer to National Archives, destruction, conservation after sampling, etc.).

France's BO n°24 of June 16, 2005 is dedicated to "sorting and storing archives in the Education Nationale". These instructions help to clarify matters and are particularly useful for sorting at the end of the school year. Finally, note that decree no. 2019-906 of August 30, 2019 has extended the retention period for certain sanctions.

Examples of DCP retention periods set by this BO:

• Information collected as part of the organization of an examination: to be kept for the duration of the examination session
• Absence statistics: to be kept for 1 year
• Daily call registers, proof of absences: 10 years

For more information on the obligations relating to the retention periods for DCP, it is recommended to consult Article 5 and Recital (39) of the RGPD.

Individual rights

Any end user of an Eduka Suite platform must be able to exercise their RGPD rights with the school concerned, namely:

• Right of access [Ref.: Article 15 of the RGPD]: enables the user to find out whether his or her personal data is being processed, to obtain a copy of it and to know its purposes, recipients and retention period
• Right of rectification [Ref: Article 16 of the GDPR] : enables end-users to request the correction or updating of inaccurate or incomplete personal data
• Right to erasure (or right to be forgotten) [Ref.: Article 17 RGPD]: enables end users to request the deletion of their personal data when it is no longer required or if the processing is unlawful
• Right to limitation of processing [Ref.: Article 18 RGPD]: allows you to request that the processing of your data be temporarily suspended, for example when the accuracy of the data is disputed
• Right to data portability [Ref: Article 20 RGPD]: allows you to receive your personal data in a structured, commonly used and machine-readable format, and to transmit it to another data controller
• Right to object [Ref.: Article 21 of the GDPR]: allows you to object at any time to the processing of your personal data for legitimate reasons, or when the data is used for prospecting purposes
• Right not to be subject to an automated individual decision (including profiling) [Ref.: Article 22 of the GDPR]: protects against decisions taken solely by automated systems, such as profiling, where these produce legal or significant effects on the person

The institution concerned must provide a response to the requesting person within a legal period of 1 month, extendable by a maximum of 2 months in the event of particular difficulties to be justified [Ref.: Article 12(3) of the RGPD].

Eduka Software undertakes to assist the school concerned so that it complies with this response deadline. To this end, the school must obligatorily send Eduka Software the information relating to each request to exercise rights to the e-mail address [dpo@edukasoftware.comotherwise the request will not be processed.

In accordance with the regulations in force, Eduka Software may not demand payment from a customer in respect of any measures taken to respond to its request to exercise the RGPD right of an end user of an Eduka Suite platform.however, where a request from a data controller is manifestly unfounded or excessive, in particular due to its repetitive nature [Ref. : article 12(5) of the RGPD], Eduka Software reserves the right to invoice it for the administrative and technical costs associated with its investigation.

Finally, Eduka Software will not transmit any data directly to the end-users concerned by requests to exercise RGPD rights without prior written instruction from each institution concerned.

Application of the RGPD in the Eduka Suite platform

Privacy policy [Action required]

In order to meet transparency requirements concerning the collection and processing of personal data of your institution's Eduka users, your Eduka platform will now have to publish a specific web page entitled "Privacy Policy" (ref. Article 12 of the RGPD).

Legally speaking, this page must be offered for consultation before any information is collected, and must be accepted by your school's user. On your platform, this takes the form of a checkbox to be ticked when registering for the system:

The box must be checked to proceed with system registration. As this box is accompanied by a link to your privacy policy page, it is not activated by default. To activate it, please open the "Users" menu of the "Eduka System Configuration" module on the Administrator Portal, then activate the following option:

When you activate this option, the URL address of your privacy policy page must be entered in the field provided:

To make it easier for you to prepare this "Privacy Policy" page, we have attached a Word template (.docx format) of a " Privacy Policy " page in English and French.

• You can choose to use the template we've provided, in which case you'll need to complete the information highlighted in yellow. In particular, you'll need to include the contact details of your Data Protection Officer (DPO).
• Alternatively, you may decide not to use our template, in which case you'll need to create your own web page in its entirety, describing, among other things:
  • The user data collected by the application on behalf of the data controller
  • How this data is used
  • Data retention
  • How this information is processed
  • How users can exercise their right to access, rectify or delete their data
  • Security measures implemented to guarantee data confidentiality within the application
  • The name and contact details of the school's Data Protection Officer (DPO)

Once your " Privacy Policy " document is ready, you can put it online using the following means:

• From the "Eduka System Configuration" module of your platform's Administrator Portal > "Icons" menu, create a new customized " Static page " icon. Paste the content of your document in the field provided, then tick the box to make this page accessible to all visitors. You can retrieve the link to this new page by using the small "link" mention available above the main text box. A more complete tutorial is available in this article.
• If you have any doubts about the procedure for uploading the static privacy policy page, don't hesitate to send us your updated document by e-mail to support@edukasoftware.comand we'll put it online for you.
• We strongly recommend that you place a link to the " Privacy policy " page in the footer of your platform. The footer can be modified from the "Eduka System Configuration" module of your platform's Administrator Portal > "School " menu > "Footer" tab.

This checkbox is only compulsory at the time of registration, so if you consider it necessary, you should also request it from existing users. You can use the functions of the "Request Management" module to carry out an information update campaign, e.g. for all parents, in which your school's formulas are used.your update form will contain a single field requiring acceptance of the terms described in your privacy policy page.

Download personal data [Action required]

Article 20 of the RGPD introduces the notion of a "right to data portability". For this reason, your Eduka platform offers all users, without profile restrictions, a feature to download account data in "machine-readable" formats on request.

After clicking on "Other settings", the "Download my personal data" button is accessible at the bottom right of the "Account settings" page on the standard web version or on the mobile version of Eduka Software.

When the user clicks on this button, the platform will generate a password and a password-protected compressed file (.zip) containing the following information:

• An Excel file in standard format containing all the information available on :
  • The student, supervisor and family file (in the case of a family account)
  • The form available on the "staff portal" (if it's a staff account)
  • The form available on the "company portal" (if a payer account)
  • Former student record (if a former student account)
  • History of this data, if available
  • Metadata: system registration date, registration IP address, etc.
  • An important clarification concerning access permissions is given below
• A compressed file containing the identity photos of people linked to the account
• A compressed file containing financial documents (invoices, receipts, reminders, etc.) linked to the account
• A compressed file for each "document container" (e.g. passport, visa, etc.) for which files are present in your database, only those containers to which the account has access

Clear history

In order to comply with Article 17 of the RGPD concerning the "right to be forgotten", we are introducing a history deletion feature. Indeed, currently any data entered by the parent is recorded in a history that can be consulted by the administration from the following page (as well as from individual records) :

Using the " Clear history " button, the Data Protection Officer (DPO) can delete all data in the "Old value" and "New value" columns, at the parent's request:

The change line remains in the database, but no longer contains the information itself. The message " Deleted " is displayed, and the name of the operator who made the deletion can be viewed by clicking on " Details ".

Deleting IP addresses

Your platform collects or calculates a range of metadata, some of which may enable visitors to be identified, in particular the IP address used by the visitor when registering for an account and during certain processes such as registering for activities or services. IP addresses can now be deleted by the Data Protection Officer (DPO) at the request of users. This can be done from the following page:

Technical measures to reinforce the security of your users' data

Your Eduka platform has been designed according to a modern, secure " Secure by Design " architecture. This section details the security measures implemented to protect our users' PCD. It is also important to remember that the level of security must be adapted to the risks raised by the processing of users' DCP in your establishment.

User access control

User profiles

Authorization profiles define the functions and types of information accessible to a user.

Logical access control

Logical access is controlled by a strong password of at least 8 characters, including at least 1 uppercase, 1 lowercase, 1 special character and 1 number, which must be personalized on first connection to the school's Eduka Suite platform.

Strong authentication

For school staff with administrative rights on the Eduka platform, strong authentication based on a second authentication factor is now mandatory.
For other users who so wish, it is possible to individually activate a second authentication factor.
In this case, users authenticated on their school's Eduka platform will have to enter a temporary code in addition to their usual login and password. The temporary code can either be sent by e-mail, or generated on an application (recommended solution) for smartphone, tablet or computer. To activate strong authentication (2FA), users must access their account settings and click on "Strong authentication" :

They can then select their preferred operating mode:

The " Strong authentication by token " option requires downloading a third-party application (e.g. Google Authenticator; a list of compatible standard applications is indicated when the feature is activated). The application collects the secret key either by scanning the QR code, or by manual entry. Your device is then able to generate a one-time code valid for 30 seconds: this temporary code must be entered into Eduka to confirm connection to the system. To allow users to define the level of security they require, they can select the duration (each time they log on, every day, every 3 days, 7 days, 15 days, 30 days, or every 60 days) from the "Request code" drop-down menu.

This so-called " OTP " (One Time Password) system is based on a widespread standard available on many websites and applications, including banking systems. It guarantees optimum security for users: a hacker who discovered a user's login and password by any means could not connect to the account, as he would not have the secret key enabling the temporary code to be generated. Authentication by temporary password sent via e-mail is considered slightly less secure: users often enter the same password for different services. If a hacker has a user's login and password, and these are also valid for logging into the user's e-mail box, then strong e-mail authentication becomes useless.

On the administration side, a feature has been added to user management to enable you to deactivate strong authentication in the event of a user request (loss of smartphone, change of e-mail address, etc.). Please note, however, that to use this feature, the operator must ensure that the user requesting deactivation of strong authentication is indeed the person they claim to be.

IP whitelist for administrative profiles

In order to reinforce the security of the application for management staff, i.e. to prevent any ill-intentioned user from obtaining access permissions to the management modules for which he/she is not authorized, a whitelist of IP addresses has been created.in order to reinforce the security of the application for management staff, i.e. to prevent a possible malicious user from obtaining access permissions to management modules to which he/she should not be entitled (e.g. theft of an administrative operator's login and password), the system administrator can activate the restriction to a white list of IP addresses for administrative profiles. From the "Eduka System Configuration" module > "Profiles" menu of the Administrator Portal, simply click on " IP address whitelist " to bring up the pop-up window:

This will allow you to declare a list of IP addresses or address ranges (CIDR or wildcard format) authorized to access this profile. If the visitor does not have an authorized IP address, the profile will not be activated and the visitor will not have any access rights linked to the profile.

Traceability measures

E-mail logging

Data recorded in a platform's e-mail log: date and time sent, sending account, subject, recipients, message ID, status, operator.
The e-mail log can be accessed from the "Eduka System Configuration" module > "Advanced / Logs" menu > "E-mail" tab of the Administrator Portal, and searches for sent e-mails from date to date.
The administrative user can also access technical logs and blacklist management for e-mails.
Details of a platform's e-mail communication activity are kept in an active database for a maximum period of 6 months.

SMS logging

Data recorded in a platform's SMS sending log: date and time sent, message identifier (SID), sender's number, recipient's number, status date, cost, segments, operator and details.
E-mail log accessible from the "Eduka System Configuration" Module > "Advanced / Logs" menu > "SMS" tab of the Administrator Portal, where you can search for sent sms from date to date.
Details of a platform's SMS communications activity are kept in the active database for a maximum of 6 months.

User logging

Data recorded in the user log: date and time of connection, user connected, module accessed, page, IP address, action duration, device model.
User log accessible from the "Eduka System Configuration" Module > "Advanced / Logs" menu > "Users" tab of the Administrator Portal, where you can search for users connected to the school's platform from date to date.
Details of user activity on a platform are kept in the active database for a maximum of 30 days.

Data import logging

Data recorded in the data import log: Date and time of import, type of data imported, name of file imported, objects created in database, objects updated, operator.
Log of data imports into an Eduka platform accessible from the "Eduka System Configuration" Module > "Dataes / Import de données " > "Historique" on the Administrator Portal, where you can search for data imports from date to date.

History of API requests

Data recorded in the history of REST API requests from the Eduka Suite API catalog: date and time of request, API user configured, Function (services), request parameters, status, details, IP address.
History of API requests accessible from the "Eduka System Configuration" Module > "Advanced / API" menu > " tabLog" tab of the Administrator Portal, where API requests processed by the platform server can be searched from date to date.

Software update history

Data recorded in the software update history: revision type, revision number, release date, useful details.
Eduka platform update history accessible from the "Eduka System Configuration" Module > "Advanced / Update" menu > "History" tab in the Administrator Portal,

Logging of database operations

Data recorded in the database operation log: Date and time of operation, operator designation, type of operation, file name, file size.
Database operation log for an Eduka platform, accessible from the "Eduka system configuration" module > "Data / Database" menu > "Operations log" tab in the Administrator Portal.

Eduka <> Pronote synchronization history

Data recorded in the history of Eduka <> Pronote data exchanges: batch code (Pronote "Eduka" direction), student name/first name, type of synchronization, old value, new value, date and time, operator.
History of Eduka <> Pronote synchronizations accessible from the "Eduka System Configuration" Module > "Data / Synchronizations" menu > "History" button on the Administrator Portal, where synchronization searches are performed from date to date for a selected school year.

Notification history

Data recorded in the message history for each notification: message type, date and time, sender, recipients, subject, attached files, send and read indicators, number of clicks, details.
Notification sending history for an Eduka platform accessible from the "Communication" Module > "Messages / History" menu of the Administrator Portal, with message searches from date to date.

Software protection measures

A number of protection measures have been implemented in Eduka Suite environments:

• Automatic update of new software versions with patches
• Secure OS (Ubuntu) updates for virtual machine containers
• Shared anti-malware application: ClamAV
• NetData system for monitoring and alerting the data hosting infrastructure
• Intrusion detection and network monitoring system: Cloudflare WAF & Nginx reverse proxy
• LAN containment of virtual machine containers
• LXC container virtualization solution: Proxmox VE 8 (HA mode: high availability)
• Ceph Reef (v18) distributed storage system for hot triplication of data on each of our digital infrastructures
• The server hosting each school's Eduka Suite platform is protected by a hardware firewall and a software firewall (UFW).
• Anti Dos/DDoS protection from Cloudflare (see details below)
• Protection against SQL injections through the exclusive use of PDO queries
• Protection against XSS attacks by filtering user data using various methods, including the CSP standard
• Protection against clickjacking; masking of headers revealing server component versions
• Google reCaptcha anti-fraud and anti-abuse protection service available and can be activated by the Eduka administrator
• Access control :
  • authorization profiles define the functions and types of information accessible to each profile ;
  • access can be restricted to a white list of IP addresses for administrative profiles
  • 2FA mandatory for users with administrative profiles (since September 2024)
• Protection against successive password reset requests: 1 hour between 2 consecutive password reset requests for the same user account
• Protection against brute-force hacking :
  • 2 seconds (resp. 1 second) latency between 2 successive password authentication attempts (resp. 2FA temporary code)
  • account temporarily blocked for 1 hour after 20 (resp. 5) unsuccessful password (resp. 2FA temporary code) authentication attempts within 24 hours
  • Automated e-mail notification of temporary blocking of Eduka account after 5 successive unsuccessful 2FA attempts
• Cloudflare : This service optimizes data performance and security, protects against denial-of-service attacks (DoS and DDoS) and offers a number of other technical advantages in terms of data quality.other technical advantages in terms of platform access quality and data hosting infrastructure. For more information on Cloudflare's security and privacy guarantees, pleaseclick on this linkandthis one. The use of Cloudflare's digital service was explicitly validated by AEFE prior to the technical implementation of this infrastructure, in order to guarantee compliance with measures and best practices for the protection of privacy and data confidentiality.
• API security: configuration of API users restricted by IP whitelist and request pool, each request requiring a valid access token.
• Security audits (also known as "Pentests") carried out annually since 2018 by independent OSCP-certified experts: last audit carried out in August 2025 by French auditing company Claranet.

Data encryption

Several data encryption methods have been implemented in Eduka Suite:

• Access to the fullweb platform over an HTTPS mode connection secured in TLS v1.2 minimum (since July 30, 2024) with a 2048-bit SSL certificate signed in SHA-256 provided by Cloudflare.
• Encryption of data backups (.enc extension) : AES 256-bit (CBC mode) with dual-factor encryption keys:one factor linked to the platform itself, so that a backup can only be restored for the original school; and one factor linked to Eduka Software. This guarantees the following 2 elements:
  • Only Eduka Software's technical team can decrypt a backup. The school system administrator can download and restore a backup from the Eduka application, but cannot decrypt it for any other use
  • A school system administrator can only restore backups that have been generated on a school platform. For example: an administrator from school A illegally obtains a backup from school B. He will not be able to restore the backup on a School A platform. Backups from school B can only be restored on school B's platform
• Encryption of financial data stored in database with symmetrical AES 256-bit encryption in CBC mode
• S3 object storage system for files/documents secured with AES 256-bit symmetric encryption in CBC mode

Data backup

Eduka Suite features a high-performance, highly secure backup and replication mechanism based on the following elements:

• Automated backup via a scheduled task on the server: backups are not encrypted, but stored in a directory not accessible via the web. As a result, only administrators with access to the server can obtain the backup
• Automatic weekly replication of the backup to a secure backup storage server to which only Eduka's technical team has access (secure transmission with maximum-security encryption certificate)
• One or more optional encrypted replications to storage servers provided by the school, at a frequency defined by the school and secured by the school's own technical and technological resources
• Manual encrypted backup possible at any time, from the "System configuration" module > "Database" menu of the platform
• Backups secured by complex encryption (see details in previous paragraph)

Attachments to this article

Please find enclosed the following documents:

• Generic examples of confidentiality policies in .docx format, in French and English, where certain sections need to be filled in, in particular those concerning your school's Data Protection Officer (DPO).
• Templates for school data processing activity registers in .docx format, in French and English, where you can customize certain activities specific to your school.