Security & Compliance at eduMe
Last updated: 21 May 2025
Security and compliance are always top of mind at eduMe and we understand their significance to both customers and partners.
We have a dedicated information security programme and are committed to its continual improvement. eduMe’s security practices are aligned with the ISO 27001 standard and the SOC 2 Trust Services Criteria.
Compliance
GDPR
eduMe aims to ensure compliance with EU Regulation 2016/679 General Data Protection Regulation (“GDPR”). eduMe adheres to the principles with which any party handling personal data must comply.
SOC 2 Type II
eduMe Limited was audited by Prescient Assurance. We have obtained the AICPA’s SOC for Service Organizations, SOC 2 Type II. eduMe’s SOC 2 Type II report can be requested through your Customer Success Manager.

If you have any further enquiries please contact us at [email protected].
Infrastructure Security
Hosting
eduMe utilises Amazon Web Services (AWS) as its cloud service provider. We offer EU (Dublin, Ireland) and US as data residency options for our customers.
eduMe leverages AWS's security and compliance controls for data centre physical security and cloud infrastructure. To protect customers from threats, we follow AWS best practices validated by our compliance automation tool Drata. AWS data centres are ISO 27001 and FISMA certified. For more information refer to Security and Compliance at AWS.
Monitoring & Logging
Logging
We monitor our database and application server performance with tools provided by AWS and Datadog, and with additional application performance monitoring tools and log analysis tools. We have alerts configured for downtime and degraded service.
Availability
To ensure users have real-time service availability updates, eduMe maintains a Status page.
In an emergency situation, we expect to benefit from AWS RDS point-in-time recovery, which allows us to restore data to any point in time in the previous 35 days, so we expect data loss to be very small.
Encryption
eduMe uses secure connections for all data transfers (TLS). Data is encrypted at rest in our databases (See RDS encryption documentation).
Security Practices
Access Control
We implement role-based access control based on the principle of least privilege. A subset of eduMe's personnel has access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of personnel is to provide effective customer support, troubleshoot potential problems, detect and respond to security incidents and implement data security. Access is controlled, logged, and managed by enterprise password manager apps and types of authentication.
Change Management
Pull requests (PRs) are peer reviewed. Every PR that is merged is automatically subjected to a formal QA and release process.
Incident Response
We have an incident response policy in place that applies both to incidents reported by customers or third parties and to issues detected automatically by our monitoring capabilities.
Personnel Security
All of our employees undergo a background check and provide two character references during the hiring process. Security awareness training takes place annually and is tracked in our automated compliance tool.
All employees are issued corporate laptops that are monitored daily to ensure key security controls are in place (company-approved password manager, hard-disk encryption, automatic updates, up-to-date anti-malware software).
Independent Penetration Testing
As a minimum, eduMe undergoes an external penetration test by an independent third party.
Vulnerability Disclosure Policy
Please refer to our Vulnerability Disclosure Policy page for more details.
Have a security concern?
If you think you have received a phishing email or need to report a security concern to eduMe, please contact [email protected]. A genuine eduMe email will always come from an edume.com domain. Phishing emails may attempt to spoof (impersonate) the email address that eduMe sends emails from. They appear to come from an edume.com address but are actually sent from a different domain. Do not click on any links or attachments in suspicious emails.