Data protection and security

Gamelearn servers are hosted in Tier IV or III+ facilities that are SSAE-16, PCI DSS and ISO 27001 compliant. Our co-locations are physically and logically separated from other customers’ data centers. Gamelearn data center facilities work with redundant power sources, each of which has UPS and reserve power generators.

Our data center facilities have a security perimeter with various control areas and levels, with security staff 7 days a week, 24 hours a day, a CCTV video surveillance system, several identification elements with biometric access control points, physical locks and alarm systems in the face of any security breach.

All Production Network systems, devices connected to the internet and circuits are constantly monitored and managed by Gamelearn staff. Physical security, power supply and connectivity beyond cage spaces or Amazon services are monitored by the facility providers.

Gamelearn uses data centers in Europe, the area with the world’s most restrictive security policy.

Our IT and security team is available 7 days a week, 24 hours a day to respond in case of any event or security alert.

Our network is protected by redundant firewalls, routers with the best technology, HTTPS transport security over public networks, frequent audits, and a system of Intrusion Detection and/or Prevention technologies (IDS/IPS) networks that monitor and block malicious traffic and network attacks.

Our network security architecture consists of multiple security areas. The most sensitive systems, like our servers with databases, are protected in our most reliable and secure areas. Other systems can be found hosted in other areas depending on their sensitivity, function, information classification and risk. Depending on the area, additional security and access controls apply. DMZs are used between the Internet and internally between the different security areas.

Scanning network security gives us in-depth knowledge that enables us to quickly identify systems that may be outdated or could potentially be vulnerable.

Aside from our extensive scanning and testing programs, external experts have also carried out penetration tests on different Gamelearn Production Networks to ensure they are secure.

Our Security Incident Event Management (SIEM) system collects extensive logs from the main network devices and from hosting systems. The SIEM alerts the security team to any unusual event so the team can investigate it and respond promptly.

The entry and exit points in the data flow for our largest applications are monitored by Intrusion Detection System (IDS) or Intrusion Prevention Systems (IPS). These systems are configured to generate alerts when certain incidents or values exceed pre-set thresholds; they are also updated regularly on the basis of new security threats. This includes a monitoring system in operation 7 days a week, 24 hours a day.

Gamelearn participates in several intelligence programs regarding security threats. We monitor threats reported to these intelligence networks and take actions based on our products and networks.

In addition to our own capabilities and tools, we contract DDoS scrubbing providers to mitigate Distributed Denial of Service (DDoS) attacks.

If we receive a system alert, the events reach our operations, network engineers and security coverage teams, who work 7 days a week, 24 hours a day. Staff are trained in response processes for security incidents, including communications channels and escalation processes.

Access to the Gamelearn Production Network is restricted by an explicit knowledge assessment; those who have fewer access privileges are frequently audited and monitored, and the system is controlled by our IT team. Staff who access the Gamelearn Production Network must use multiple-factor authentication.

Communications between you and the help team and the Gamelearn Customer Success team are encrypted using HTTPS best practice and Transport Layer Security (TLS) over public networks. TLS also supports email encryption.

All customers of the Gamelearn help system and Customer Success benefit from a system protecting the encryption of stored data for attachments; we also have a full daily backup system.

Gamelearn uses a network redundancy service and clustering services to remove single points of failure. Our strict backup system ensures that Service Data is actively replicated in our systems and primary and secondary DR facilities. Our databases are stored in efficient Flash Memory devices, with multiple servers per cluster of databases.

Our Disaster Recovery (DR) program ensures our services remain available and can be easily recovered in the event of a disaster. This is achieved through a robust technical environment, by creating Disaster Recovery plans and with testing.

With the Enhanced Disaster Recovery system, the entire operations environment, including Service Data, is replicated in a secondary site to enable the service to be recovered in the event the primary site is completely inaccessible.

At least once a year, our engineers take training courses on IT security, covering aspects such as the most significant security breaches, common vector attacks and other Gamelearn security controls.

Gamelearn support uses Node.js Framework Security Controls to limit exposure to the main security errors. This includes internal Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) controls, among others.

Our Quality Assurance team reviews and tests our base code. Several of our applications security engineers identify, test and take action on the code’s security vulnerabilities.

The testing and preparation environments are physically and logically separated from Gamelearn video game environments. No Service Data is used in test environments.

In addition to our extensive internal scanning and testing programs, external experts have also carried out security penetration tests in our products’ various applications.

The single sign-on (SSO) system allows users to authenticate themselves in their own systems without needing to enter other access credentials within the Gamelearn service. They allow the use of the Security Assertion Markup Language (SAML) system.

Gamelearn follows best practice when storing security credentials; they never store passwords in human readable format and only as the result of a detailed and secure process.

Gamelearn API only works through SSL (SSL-only) and in order to make API requests you must be a verified user. You can authorize against use of API by using basic authentication with your username and password, or with your username and an API token. You can also use OAuth authentication.

Access to data on the Gamelearn platform is governed by access rights and can be configured to give different privilege levels. Gamelearn has several permits for different users (read-only, student, distributor and administrator)

All communications with Gamelearn servers are encrypted using HTTPS industry standards over public networks. This ensures that all traffic between you and Gamelearn is secure during data transmission. In addition, over email our product uses Transport Layer Security (TLS), a protocol that encrypts and sends emails securely, mitigating the risk of anyone seeing or intercepting them without permission on email servers.

The Gamelearn platform offers DKIM (Domain Keys Identified Mail) for emails sent from Gamelearn where you have created an external email domain on our platform. When using this email service, its functionalities allow you to avoid your communications being intercepted.

Gamelearn, its servers and its products are strictly compliant with all matters concerning the European Union’s new General Data Protection Regulation (GDPR).

Gamelearn servers have mandatory functions which cannot be amended by users who do not have permission to do so. In compliance with GDPR, continuous real-time audits will be carried out.

Gamelearn servers comply with ISO 27018, the first international code of practice that focuses on protecting personal data in the cloud.

Gamelearn has developed a long list of security policies covering numerous issues. These policies are accessible and are shared with all staff members and contractors who have access to information from Gamelearn.

Gamelearn servers have mandatory functions which cannot be amended by users who do not have permission to do so. In compliance with GDPR, continuous real-time audits will be carried out.

During the recruitment process, all new employees are informed of the need for them to sign confidentiality agreements.