Subcontractors and Third Parties
Open LMS's designated sub-processors may have access to environments containing institution data as a part of delivering the services and all associated functionalities. Open LMS establishes agreements with its third-party partners and sub-processors that include privacy and security terms which are substantially the same as those set out in the Open LMS Master Services Agreement and other related policies. These require that commercially reasonable physical and logical safeguards are put in place to adequately protect client data from unauthorized use. Open LMS asserts responsibility for the acts or omissions of any subcontractors, sub-processors, or other third parties engaged by Open LMS, who have access to client data.
Data Protection Principles
Anyone processing personal data must comply with the six principles of good practice. These provide that personal data must be:
- Processed fairly and lawfully and in a transparent manner.
- Processed for specific, limited purposes.
- Adequate, relevant and not excessive for the purpose.
- Accurate and kept up-to-date.
- Not kept longer than necessary for the purpose.
- Kept secure.
In our business and all the work we do, we will comply with these principles, and will be able to demonstrate that we comply. All relevant employees will undertake regular training with regard to relevant data protection obligations and are responsible for keeping (client and other) records up-to-date.
Where we are providing SaaS or hosting services, we will perform such services with appropriate levels of security, which shall in no event be below industry standard levels of security.
With regard to system administration and technical support, we will ensure that only authorized staff can access the services and file systems in each datacenter and that they use their own login accounts and passwords to access the system and servers. This helps to ensure accountability and auditability. No personal data will be extracted from hosting infrastructures by support staff members, except temporarily and with the client’s express written consent.
Sites hosted by Open LMS on behalf of clients make use of some third-party services and sub-processors contracted by Open LMS. This list includes all regions and possible deployments; not all sub-processors listed are used on every site. A Client may choose to add services, tools, and integrations with additional third parties, which can expand the list based on the Client's contracts and actions. Those sub-processors are not covered by this list.
Currently Open LMS uses the following sub-processors in some or all of our hosting environments.
Amazon Web Services: AWS hosts our infrastructure and has access to the environments and controls the physical infrastructure and security of that infrastructure. By agreement, AWS does not access or use data stored or handled by the services unless asked to do so in a specific investigation or to resolve an issue.
SendGrid: Open LMS uses tools to provide email services for client sites to email out to users and administrators. Some hosting environments use SendGrid to manage the large transactional emails for the site. Emails are sent on behalf of the Client to their users and SendGrid may process email addresses and user names. Relationships between Open LMS and SendGrid commit to preserving the integrity of our client data from unauthorized access.
Mailgun: Open LMS uses tools to provide email services for client sites to email out to users and administrators. Some hosting environments use Mailgun to manage the large transactional emails for the site. Emails are sent on behalf of the Client to their users and SendGrid may process email addresses and user names. Relationships between Open LMS and Mailgun commit to preserving the integrity of our client data from unauthorized access.
Open LMS uses monitoring and alerting tools to do our job successfully. External tools are engaged in providing data processing services for reports and monitoring of environments and sites by monitoring traffic and server-side performance. Any tools used to process site activity do so without including personal data about users or actions; only non-personal and non-identifiable data is used. Relationships between Open LMS and these tool providers commit to preserving the integrity of our client data from unauthorized access.
Sales and Marketing
Clients and others may contact Open LMS for sales-related activities or other marketing-driven events. Their contact information is stored and processed in other tools as needed. All contacts can opt out of the retention or use of the information they have shared with us. No client site data is used or gathered into these tools by Open LMS. Examples: signing up for a free trial site or requesting a sales quote.
Changes to Sub-processors
Open LMS may at times need to change or modify the relationships with sub-processors. Our policies enforce a commitment to maintain sub-processors who treat client data as private and do not share data with sub-processors for use outside of troubleshooting or the specific service engaged in. Interested parties may sign up for email notifications of changes on this page.