What personal data is collected by edu.digitaltheatreplus.com and how long is it kept for?

This article describes the personal data that is collected, and how long it is retained, when accessing the Digital Theatre+ product.

Summary

  1. The Digital Theatre+ service requires an email address, which is used only for authentication and is accessible only to the customer service and technical staff responsible for operating the service.
  2. Users may optionally provide a first name and last name to be associated with their accounts; this is not required.

For SAML Single Sign On users

In order to use SAML SSO, the Digital Theatre+ identity platform requires a unique, persistent identifier with the structure of an email address to be sent in the SAML response.

This identifier does not have to be an email address that is attached to a mailbox.

User accounts are created on demand, using Just-In-Time provisioning. When a user is authenticated by your Identity Provider (IdP), our system creates and stores a matching user account using the data you have provided.

Optionally, customers may also send a first name and last name, which are collected and displayed in the interface to confirm to the user that they have logged in.

Example of the user profile dialogue displaying user email address and organisation name

Data retention

  1. SAML Single Sign On user accounts are created on demand; we do not require that you pre-load or add user accounts before your users can log in.
  2. 12 months after the last login, an email will be sent to the email address warning that the account will be de-activated and deleted. If there is no mailbox associated with the login, the warning will not be delivered to anyone.
  3. 12 months and 30 days after the last login, the account will be de-activated.
  4. 12 months and 60 days after the last login, the account will be deleted.
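The on-demand (Just-In-Time) provisioning described in the SAML section above and the retention schedule in the list just above, as an added Python illustration; this is not Digital Theatre+ or Okta code. It assumes the IdP sends the optional first and last name as SAML attributes named `firstName` and `lastName` (the page does not specify attribute names), uses an in-memory dictionary as the account store, approximates 12 months as 365 days, and embeds a constructed SAML response. Signature validation of the response, which the identity platform performs before any account is created, is outside this snippet.

```python
"""JIT provisioning from a SAML response, plus the 12-month / +30-day / +60-day
retention sweep. Added illustration; attribute names, store and sample data are
assumptions, not Digital Theatre+ or Okta specifics."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
FIRST_NAME_ATTR = "firstName"   # hypothetical attribute name
LAST_NAME_ATTR = "lastName"     # hypothetical attribute name
# Shape check only: the identifier must look like an address, not reach a mailbox.
EMAIL_SHAPE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
WARN_AFTER = timedelta(days=365)          # "12 months", approximated
DEACTIVATE_AFTER = WARN_AFTER + timedelta(days=30)
DELETE_AFTER = WARN_AFTER + timedelta(days=60)

# Constructed sample response (unsigned; signature checking is assumed done upstream).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Assertion ID="_constructed-assertion" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">student1234@idp.example.edu</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


@dataclass
class Account:
    identifier: str
    first_name: Optional[str]
    last_name: Optional[str]
    last_login: datetime
    status: str = "active"   # active | warned | deactivated


def extract_identity(saml_response_xml: str) -> dict:
    """Pull the persistent NameID and the optional name attributes out of a SAML Response."""
    root = ET.fromstring(saml_response_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("SAML response carries no NameID")
    identifier = name_id.text.strip()
    if not EMAIL_SHAPE.match(identifier):
        raise ValueError(f"NameID {identifier!r} is not shaped like an email address")
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text:
            attrs[attr.get("Name")] = value.text.strip()
    return {
        "identifier": identifier,
        "first_name": attrs.get(FIRST_NAME_ATTR),
        "last_name": attrs.get(LAST_NAME_ATTR),
    }


def jit_provision(store: Dict[str, Account], identity: dict, now: datetime) -> Account:
    """Create the account on first login; on later logins refresh the login time and names."""
    acct = store.get(identity["identifier"])
    if acct is None:
        acct = Account(identity["identifier"], identity["first_name"], identity["last_name"], now)
        store[acct.identifier] = acct
    else:
        acct.last_login = now
        acct.status = "active"          # a successful login restarts the retention clock
        acct.first_name = identity["first_name"] or acct.first_name
        acct.last_name = identity["last_name"] or acct.last_name
    return acct


def retention_sweep(store: Dict[str, Account], now: datetime,
                    send_warning: Callable[[str], None]) -> List[str]:
    """Apply the retention schedule to every account; returns identifiers deleted this run."""
    deleted = []
    for ident, acct in list(store.items()):
        idle = now - acct.last_login
        if idle >= DELETE_AFTER:
            del store[ident]
            deleted.append(ident)
        elif idle >= DEACTIVATE_AFTER:
            acct.status = "deactivated"
        elif idle >= WARN_AFTER and acct.status == "active":
            send_warning(ident)          # may go nowhere if the identifier has no mailbox
            acct.status = "warned"
    return deleted


if __name__ == "__main__":
    store: Dict[str, Account] = {}
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(jit_provision(store, extract_identity(SAMPLE_RESPONSE), t0))
    for days in (365, 395, 425):
        removed = retention_sweep(store, t0 + timedelta(days=days), lambda i: print("warn", i))
        print(days, "days idle ->", [a.status for a in store.values()], "deleted:", removed)
```

The shape check deliberately stops at syntax: the page is explicit that the identifier need not correspond to a mailbox, so deliverability of the warning email is not something the service can assume, which is why the sweep proceeds to deactivation and deletion whether or not the warning was received.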

Data storage

Digital Theatre+ uses Okta as our identity platform, which stores data in the United States.
  1. Okta’s data protection meets the highest industry standards, complying with FedRAMP and NIST 800-53, HIPAA, and ISO 27001 requirements.
  2. Data in transit - Okta encrypts the communication between its service and users using HTTPS, with strong protocols and algorithms (TLSv1.2) and 2048-bit RSA keys.
  3. Data exchange - Okta uses asymmetric encryption to sign and encrypt SAML Single Sign-On assertions and to sign OpenID Connect and OAuth API tokens. The keys used for SSO and API authorization are 2048-bit RSA and exclusive to Digital Theatre+.
  4. Data at rest - Okta encrypts the tenant's confidential data in the database using 256-bit AES symmetric encryption with keys exclusive to Digital Theatre+.
  5. Okta implements controls at the application level during runtime to mitigate the risk of application attacks such as cross-site scripting (XSS), cross-site request forgery (XSRF), and injection attacks. Controls include, for example, cross-origin resource sharing (CORS) validation, trusted origin validation, and session context validation.

Further information

Please refer to our Privacy Policy for more information.