Trust Centre
Project-Specific Security, Access and Privacy Considerations
Project-Specific Security, Access and Privacy Considerations.
Learn how we handle access, files, credentials, client information and third-party platforms during an engagement.
Discuss Security RequirementsSecurity and Access Control
ACCESS
- minimum necessary access
- named accounts where practical
- role-appropriate permissions
- removal of access after handover where appropriate
- avoidance of shared credentials where practical
CREDENTIALS
- do not place credentials in public documents
- use approved secure sharing methods
- do not commit secrets to repositories
- change or revoke credentials when required
FILES AND CONTENT
- use approved storage or sharing locations
- separate client content where practical
- confirm who may access project files
- avoid unnecessary local copies
PLATFORMS AND VENDORS
- recognize third-party dependencies
- follow platform access rules
- review integration requirements separately
- do not imply control over vendor outages or security
HANDOVER
- document relevant assets
- confirm access ownership
- transfer agreed files
- remove access where appropriate
- confirm retention or deletion expectations
Privacy and Data Handling
During engagement scoping, we clarify data handling responsibilities to ensure alignment with client requirements:
- what information is required
- who controls it
- who may access it
- which platform stores it
- whether personal data is necessary
- how long working files are needed
- whether deletion or return is required
- whether external tools are approved
- whether regional requirements apply
Important Legal and Privacy Notes
- • Project-specific legal responsibilities should be agreed upon in the contract.
- • TheEduAssist does not provide legal advice; clients should obtain appropriate legal and privacy guidance.
- • Published information does not replace contractual terms.
- • Data-protection requirements (such as GDPR obligations) depend on the specific engagement, tools used, and jurisdictions involved.
Security Concerns and Incident Reporting
Potential security or privacy concerns related to an active engagement should be raised through the agreed project contact so they can be reviewed and handled according to the circumstances and applicable contractual requirements.
Frequently Asked Questions
How is project access determined?
Access is determined based on the principle of minimum necessary access, granting only the permissions required to complete the agreed work.
Should passwords be sent by email?
No. Passwords and credentials should be shared using approved secure sharing methods, not plain-text email.
Can TheEduAssist work within a client platform?
Yes. We frequently work within client-provided platforms (like an LMS or authoring tool) using named accounts provisioned by the client's IT team.
How are third-party tools handled?
Third-party tools are assessed during project scoping. We rely on the vendor's security controls and follow platform access rules, but we do not control third-party infrastructure.
Can security questionnaires be reviewed?
Yes. We can review appropriate security questionnaires during the procurement phase for enterprise engagements to clarify our project-specific practices.
Does TheEduAssist guarantee GDPR compliance?
No. GDPR compliance depends on the specific data processed, the platforms used, and the roles defined (Data Controller vs. Processor). These details must be defined in project contracts, and clients remain responsible for their overall compliance.
What happens to access after handover?
Access to client systems should typically be revoked by the client upon project completion and handover, unless ongoing maintenance is agreed upon.
Can project-specific retention requirements be discussed?
Yes. Expectations regarding data retention, deletion, or return of working files can be defined and agreed upon in the Statement of Work.
Does TheEduAssist hold SOC 2 or ISO certification?
No. We focus on implementing practical, project-specific security controls and do not currently hold formal SOC 2 or ISO certifications.