What personal data is collected by edu.digitaltheatreplus.com and how long is it kept for?

This article describes the personal data that is collected and how long it's retained for when accessing the Digital Theatre+ product


  1. The Digital Theatre+ service requires an identifier in the format of an email address, which is used for the purpose of authentication only, and is only accessible by customer service and technical staff responsible for the operation of the service.
  2. Users may optionally provide First name and Last name to be associated with their accounts, however this is not required.

For SAML Single Sign On users

In order to use SAML SSO, the Digital Theatre+ identity platform requires a unique, persistent identifier that has the structure of an email address to be sent in the SAML response.

User accounts are created on-demand, using Just-In-Time provisioning.  When a user is authenticated by your Identity Provider (IdP) our system creates and stores a matching user account using the data you've provided.

This identifier does not have to be an email address that is attached to a mailbox. 

Optionally, customers may choose to send a first name and last name, which can also be collected and displayed in the interface to provide the user with confirmation they have logged in.

Example of the user profile dialogue displaying user email address and organisation name

Data retention

  1. SAML Single Sign On user accounts are created on demand, we do not require that you pre-load or add user accounts before your users can log in.
  2. 12 months after the last login, an email will be sent to the email address  warning that the account will be deleted.  If there's no mailbox associated with the login, it will not be delivered to anyone.
  3. 12 months and 30 days after the last login, a further email is sent.
  4. 12 months and 60 days after the last login, the account will be deleted.

Data storage

Digital Theatre+ uses Okta as our identity platform, which stores data in the United States.
  1. Okta’s data protection meets the highest industry standards, complying with FedRAMP and NIST 800-53, HIPAA, and ISO 27001 requirements.
  2. Data in transit - Okta encrypts the communication between its service and users using HTTPS with strong encryption algorithms such as TLSv1.2 and keys (2048-bit RSA).
  3. Data exchange - Okta uses asymmetric encryption to sign and encrypt SAML Single Sign-On assertions and to sign OpenID Connect and OAuth API tokens. The keys used on SSO and API authorization are 2048-bit RSA and exclusive to Digital Theatre+.
  4. Data at rest - Okta encrypts the tenant's confidential data in the database. The encryption is performed using symmetric encryption 256-bit AES with exclusive keys to Digital Theatre+.
  5. Okta implements controls at the application level during runtime to mitigate the risk of application attacks such as cross-site scripting (XSS), cross-site request forgery (XSRF), and injection attacks. Controls include, for example, cross-origin resource sharing (CORS) validation, trusted origin validation, and session context validation.

Digital Theatre+ also uses the following platforms:

  • Cirrus Bridge - to provide federated SAML Single Sign On, which stores technical data, such as IP addresses, for service monitoring and troubleshooting in the United States.
  • Contentful - to provide content management, which stores technical data, such as IP addresses, for service monitoring and troubleshooting in the United States. 
  • CastLabs DRMToday - to provide content protection, which stores technical data, such as IP addresses, for service monitoring and troubleshooting in Germany. 
  • AWS - to provide application and storage of non-personally identifiable information, and technica data, such as IP addresses, for service provision, monitoring and troubleshooting in the United States.

EU/UK GDPR compliance

Digital Theatre is fully compliant with the requirements of the EU/UK GDPR regarding the transfer of data outside of the EU/UK.

We only transfer data outside of the EU/UK in limited circumstances, when necessary, and where appropriate data protection safeguards are in place to protect the data to the same standard required by the EU/UK GDPR.

All transfers will only take place on the basis of EU/UK GDPR approved transfer mechanisms, such as "Standard Contractual Clauses" or "Commission Decisions on Adequacy".

This is standard practice for digital service providers who operate on an international basis and use third parties in other countries to help perform certain functions relating to their service.

For the avoidance of doubt, a subscription to DT+ does not breach any of the EU/UK GDPR rules regarding the transfer of data outside the EU/UK to third countries (like the US).

Further information

Please refer to our Privacy Policy for more information.