What are Khan Academy's security practices?
Security Practices
Khan Academy is committed to creating a safe and secure online environment for you. We take all matters of privacy and security seriously, and we want you to be confident in how we secure and protect the information that you share with us. Below is a summary of our Security Practices. If you have questions, please contact us at privacy@khanacademy.org, and we’ll be happy to address them.
Khan Academy regularly tests and evaluates its security program and conducts SOC2 Type 2 security audits annually. We update our program and these Security Practices in response to these evaluations, as well as changing industry trends, in order to improve the protections they provide.
What Information Does Khan Academy Collect?
Khan Academy collects contact and profile information, account and authentication information, location information, browser or device information, donor and applicant information, and other non-personal information which may be linked to accounts. For more detail on these categories and examples of what they include, please see our privacy policy at https://www.khanacademy.org/about/privacy-policy#what-information-do-we-collect
As further detailed in our privacy policy, we do not sell your information to third parties or display advertising on Khan Academy, which we further affirm as a signatory of the Student Privacy Pledge (https://studentprivacypledge.org/faqs/). Our mission is education, not profit.
Data and Server Hosting
The Khan Academy website and mobile application are hosted in the US on Google AppEngine as a part of Google Cloud Platform (GCP). We have selected this provider due to their best-practice security standards, and we rely on them for server and data center security and stability. All data on GCP is encrypted at rest in accordance with Google’s security practices which you can read about at: https://cloud.google.com/security/.
We add an additional layer of encryption to any user personal data stored on GCP so that the data can be viewed only by personnel with appropriate permissions. Access to Khan Academy servers on AppEngine is restricted to specific personnel for necessary troubleshooting. Security-related logs are similarly restricted to the appropriate personnel for use in incident response.
In addition to our use of GCP, we use Fastly’s content delivery network, which further contributes to Khan Academy’s performance and reliability.
Data In Transit
Khan Academy supports and encourages the use of the latest cryptographic protocols for all network traffic, including TLS 1.3, AES256 encryption, and SHA256 signatures.
Incident Response
In the event of a data security incident (or when investigating a possible incident), we apply our incident response plan which includes processes for initial detection and reporting, communication to affected parties, isolation, resolution, and post-mortem lessons learned. This incident response plan is exercised at least annually to ensure we are ready to handle the unexpected.
Vulnerability Management
Khan Academy uses a variety of tools, practices and procedures to monitor and protect our data and systems. Our security team reviews industry bulletins to help assess the impact of emerging technologies and vulnerabilities on our production systems. We also maintain a confidential vulnerability disclosure program that fields reports from security researchers, and reports are promptly triaged, prioritized and addressed according to their severity.
Software Development Lifecycle (SDLC)
Khan Academy employs industry best practices in the development of our product, to include manual code review, engineer testing, quality engineer testing, and automated testing for every commit and code change that becomes part of our service. We follow NIST, OWASP, and similar globally-recognized security best practices and recommendations in the course of our product development. Access to production secrets is restricted to need-to-know personnel.
Personnel Practices
All Khan Academy employees are screened with background checks prior to their employment with us (subject to applicable law). We conduct security and privacy training with each employee upon hire and annually thereafter. Company-issued laptops are managed by our IT staff with on-device threat detection and reporting capabilities.
Data Access Control
Khan Academy employees occasionally have a need to access user data in the course of their standard duties. For example, support personnel may need access to profile information in order to address that person’s help request. Access to user data is controlled via a least-privilege policy and must be affirmatively granted to each employee, and that access is then audited and undergoes quarterly review. All employees must use multi-factor authentication to access Khan Academy resources. In addition, we outline our practices to keep your data safe in a written security policy which all employees affirm.
Third Parties
In order to provide our service to you, we engage with several vendors to provide our services, including server and data hosting, customer service, and internal productivity and communication tools. We also partner with organizations that we believe are in the best interest of serving our goal of providing a world-class education to you. We have agreements in place with these third parties that follow our data security standards in order to protect your data. Our critical vendors undergo screening and vetting by security staff before we entrust the vendor with your data, and each such vendor is reviewed annually thereafter.
Assessment and testing
Khan Academy performs regular security compliance assessments and undergoes an annual external penetration test and annual SOC2 Type2 audits.