Hosting approach and client support model
Many Anthology products are regionally hosted. Access from outside the hosting location may be necessary for client support, product maintenance purposes and additional functionalities. Our client support is generally provided by the regional teams during regular business hours. To provide full 24/7 follow-the-sun support, Client Support’s global team of staff may access environments containing client data from any of our support locations (e.g., US, Colombia, India, the Netherlands, Australia). Additionally, the product teams in our global locations may have access to environments containing client data where required to maintain the products (e.g., reviewing performance issues) and to provide specialist expertise for client support cases. Additionally, our vendors (third-party subprocessors) may require access to client data for them to provide the contracted services. Any access only takes place on a need-to-know-basis.
Some products (e.g., SafeAssign), some product-specific Anthology capabilities (e.g., microservices supporting our products, content delivery networks) as well as many of our vendor-supported product functionalities (e.g., authentication, messaging, generative AI capabilities) may be provided from data centers outside of our clients’ usual hosting location. Such processing of personal information outside the usual hosting location only takes place in accordance with applicable data privacy laws & regulations and our contractual permissions and commitments.
Protecting your transferred data
To ensure that client/student data receives a high level of protection when it is accessed from and processed outside the hosting locations, we use the EU Commission 2021 Processor-to-Processor Standard Contractual Clauses (P2P SCCs) that are incorporated within Anthology’s group of companies through intra-group data transfer agreements. We are also EU-U.S. Data Privacy Framework certified. Through our internal policies, Anthology also applies a GDPR-level of standards globally to all of its departments and teams to ensure that client data receives the same high level of (EU) protection worldwide.
Further measures to protect transferred personal information:
- When data is transferred via the internet, it is encrypted in transit
- Encryption at rest is available for all key products
- Employees only have access to the personal information they need for the performance of their role (least-privilege principle)
- Employees must use multi-factor authentication for remote access to the IT infrastructure
- A select number of products are ISO 27001, 27017, 27018 and ISO 27701 certified
- Detailed contractual commitments regarding the level of security controls
- Contractual protection for personal data of our clients in the case of any requests by foreign authorities
Additional measures for EU/EEA/UK clients (“Schrems II”)
While no longer specifically required for the U.S. in light of the EU-U.S. Data Privacy Framework, Anthology has conducted a transfer impact assessment based on the ”Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” by the European Data Protection Board (”EDPB Recommendations”). Please contact [email protected] if you require further information.