Data protection and security

Over 2,000 companies in more than 50 countries trust Gamelearn to manage their data. We are absolutely committed to them: our networks, servers and applications have the most comprehensive security standards to guarantee that the data of our customers and their students are protected. Our customers can relax knowing that their information is safe, their interactions are secure, and their businesses are protected.

Data center and network security

We follow industry best practices to guarantee the confidentiality and integrity of your data. Gamelearn servers are hosted at Tier IV or III+ facilities that are SSAE-16, PCI DSS and ISO 27001 compliant. Our Customer Success, IT and Security teams respond to any security alerts 7 days a week, 24 hours a day.

Applications security

We take all necessary measures to identify and test for security threats against our systems and to ensure our customers’ data is protected. Furthermore, Gamelearn has also engaged external security experts to conduct penetration tests on the different applications in our family of serious games.

Product security characteristics

We allow our customers and students to easily manage access to our platform, with authentication options and single sign-on (SSO). All communications with Gamelearn servers are encrypted using industry HTTPS standards over public networks. This means that traffic between you and Gamelearn is completely secure.

GDPR Compliance

We implement the best security practices not only online with industry compliance practices, but also by applying the strictest security and data protection requirements. We are fully compliant with the European Union’s new General Data Protection Regulation (GDPR).

Data center and network security

Physical security

Facilities

Gamelearn servers are hosted in Tier IV or III+ facilities that are SSAE-16, PCI DSS and ISO 27001 compliant. Our co-location space is physically and logically separated from that of the facilities’ other customers. Gamelearn data center facilities run on redundant power sources, each of which has UPS and reserve power generators.

On-site security

Our data center facilities have a security perimeter with various control areas and levels, with security staff 7 days a week, 24 hours a day, a CCTV video surveillance system, several identification elements with biometric access control points, physical locks and alarm systems that trigger on any security breach.

Monitoring

All Production Network systems, devices connected to the internet and circuits are constantly monitored and managed by Gamelearn staff. Physical security, power supply and connectivity beyond cage spaces or Amazon services are monitored by the facility providers.

Location

Gamelearn uses data centers in Europe, the region with the world’s most restrictive security and data protection policy.

Network security

Security team

Our IT and security team is available 7 days a week, 24 hours a day to respond in case of any event or security alert.

Protection

Our network is protected by redundant firewalls, routers with the best technology, HTTPS transport security over public networks, frequent audits, and Intrusion Detection and Prevention Systems (IDS/IPS) that monitor and block malicious traffic and network attacks.

Architecture

Our network security architecture consists of multiple security areas. The most sensitive systems, such as our database servers, are protected in our most reliable and secure areas. Other systems are hosted in other areas depending on their sensitivity, function, information classification and risk. Depending on the area, additional security and access controls apply. DMZs are used between the Internet and our network, and internally between the different security areas.

Network vulnerability scanner

Network security scanning gives us in-depth knowledge that enables us to quickly identify systems that may be outdated or potentially vulnerable.

Third-party penetration test

Aside from our extensive scanning and testing programs, external experts have also carried out penetration tests on different Gamelearn Production Networks to ensure they are secure.

Security Information and Event Management (SIEM)

Our Security Information and Event Management (SIEM) system collects extensive logs from the main network devices and from hosting systems. The SIEM alerts the security team to any unusual event so the team can investigate it and respond promptly.

Intrusion detection and prevention

The entry and exit points in the data flow for our largest applications are monitored by Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS). These systems are configured to generate alerts when certain events occur or values exceed pre-set thresholds; they are also updated regularly on the basis of new security threats. This includes a monitoring system in operation 7 days a week, 24 hours a day.

Threat Intelligence Program

Gamelearn participates in several threat intelligence programs. We monitor threats reported to these intelligence networks and take action according to how they affect our products and networks.

DDoS Mitigation

In addition to our own capabilities and tools, we contract DDoS scrubbing providers to mitigate Distributed Denial of Service (DDoS) attacks.

Security Incident Response

If we receive a system alert, the events reach our operations, network engineers and security coverage teams, who work 7 days a week, 24 hours a day. Staff are trained in response processes for security incidents, including communications channels and escalation processes.

Logical Access

Access to the Gamelearn Production Network is restricted on an explicit need-to-know basis; those who hold access privileges are frequently audited and monitored, and the system is controlled by our IT team. Staff who access the Gamelearn Production Network must use multi-factor authentication.

Encryption

Encryption in transit

Communications between you and the help team and the Gamelearn Customer Success team are encrypted using HTTPS best practice and Transport Layer Security (TLS) over public networks. TLS also supports email encryption.

Encryption of stored data

All customers of the Gamelearn help system and Customer Success benefit from encryption of stored data for attachments; we also keep full daily backups.

Availability and continuity

Redundancy

Gamelearn uses network redundancy and clustering services to remove single points of failure. Our strict backup system ensures that Service Data is actively replicated in our systems and in our primary and secondary DR facilities. Our databases are stored on efficient flash storage devices, with multiple servers per database cluster.

Disaster Recovery

Our Disaster Recovery (DR) program ensures our services remain available and can be easily recovered in the event of a disaster. This is achieved through a robust technical environment, by creating Disaster Recovery plans and with testing.

Enhanced Disaster Recovery

With the Enhanced Disaster Recovery system, the entire operations environment, including Service Data, is replicated in a secondary site to enable the service to be recovered in the event the primary site is completely inaccessible.

Applications security

Secure Development (SDLC)

At least once a year, our engineers take training courses on IT security, covering aspects such as the most significant security breaches, common attack vectors and other Gamelearn security controls.

Node.js Framework Security Controls

Gamelearn support uses Node.js Framework Security Controls to limit exposure to the most common classes of security flaw. This includes built-in controls against Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF), among others.

QA

Our Quality Assurance team reviews and tests our code base. Several of our application security engineers identify, test and act on security vulnerabilities in the code.

Separate environments

The testing and staging environments are physically and logically separated from Gamelearn’s production game environments. No Service Data is used in test environments.

Application vulnerabilities

Security penetration tests

In addition to our extensive internal scanning and testing programs, external experts have also carried out security penetration tests in our products’ various applications.

Product security characteristics

Authentication security

Single sign-on (SSO)

The single sign-on (SSO) system allows users to authenticate with their own identity systems without needing to enter separate credentials for the Gamelearn service. SSO supports the Security Assertion Markup Language (SAML) standard.

Secure Credential Storage

Gamelearn follows best practice when storing security credentials: passwords are never stored in human-readable form, only as the output of a rigorous and secure process.

API Security & Authentication

The Gamelearn API works only over SSL/TLS (SSL-only), and you must be a verified user to make API requests. You can authenticate API requests with basic authentication using your username and password, or your username and an API token. OAuth authentication is also supported.

Additional security measures

Privileges and access roles

Access to data on the Gamelearn platform is governed by access rights and can be configured to give different privilege levels. Gamelearn defines several permission levels for different users (read-only, student, distributor and administrator).

Transmission security

All communications with Gamelearn servers are encrypted using HTTPS industry standards over public networks. This ensures that all traffic between you and Gamelearn is secure during data transmission. In addition, for email our product uses Transport Layer Security (TLS), a protocol that encrypts email in transit, mitigating the risk of anyone reading or intercepting messages without permission as they travel between email servers.

Email Signing (DKIM)

The Gamelearn platform offers DKIM (DomainKeys Identified Mail) signing for emails sent from Gamelearn where you have created an external email domain on our platform. When you use this email service, its features help protect your communications from being intercepted.

GDPR compliance

Privacy policies

Gamelearn, its servers and its products are fully compliant with the European Union’s new General Data Protection Regulation (GDPR).

Security by Design

Gamelearn servers enforce mandatory controls that cannot be changed by users who lack permission to do so. In compliance with GDPR, continuous real-time audits will be carried out.

Personal data protection in the cloud

Gamelearn servers comply with ISO 27018, the first international code of practice that focuses on protecting personal data in the cloud.

Additional security measures

Security knowledge

Policies

Gamelearn has developed a comprehensive set of security policies covering numerous issues. These policies are accessible to, and shared with, all staff members and contractors who have access to Gamelearn information.

Investigation of staff members

Background checks

Confidentiality agreements

During the recruitment process, all new employees are informed of the need for them to sign confidentiality agreements.