Sometimes teachers and parents want to know a little more about our security and technology, above and beyond our privacy policy and terms of use.
We do everything we can to ensure the security and privacy of Storypark, complying with international best practice and are audited annually as part of due diligence to our customers.
Where is your information stored?
Our production servers are all hosted with Amazon's Web Services in their Sydney region. We have selected Amazon for both their location of services, as well as their dedication to security and reliability in offering hosting and infrastructure for cloud platforms. Amazon is tried and trusted by all manner of internet companies, many of which operate with confidence at much larger profile and scale than Storypark.
What protections do you have in place?
SSL
End users are protected by end-to-end SSL encryption, which is currently tested with an A+ rating using SSL Labs’ Server Test. This ensures that the data between you and us is encrypted, and protected from the outside world. Our connection between our application servers and the database server is treated in the same way. These servers are behind firewalls and run only the Storypark website (are not on shared hosting).
Database security
Our database systems are encrypted at rest, ensuring the backups are only accessible by someone with decryption keys. We are using AWS RDS Postgresql as our primary database store, and are currently using postgresql 15. We keep daily snapshots for the last four weeks and are able to restore to a point in time (if needed for disaster recovery) to within 5 minutes, if notified within a 4 week timeframe.
Redundancy
Our entire platform is spread across multiple data centres in Sydney, meaning if one data centre were to experience an outage, the platform will still operate from another data centre that's still functioning, thereby ensuring continuous operation. This improves the reliability and resilience of the platform, reducing the risk of downtime and ensuring that users can access the service at all times.
Passwords
Storypark follows industry standards of one-way encrypted (‘hashed’) passwords using bcrypt with a per-password salt. We never ask for passwords and never store them in cleartext. We ask for very few personal details and do not store credit cards.
If a user fails to log in after ten tries, we will lock their account to protect their Storypark profile.
Software protections
All media links are served to end-users as signed URLs, ensuring that they are time-restricted and limiting the impact if they’re shared.
While Storypark is a multi-tenanted system, we have extensive automated testing in place to ensure that any code change does not affect the authorisation or permission code.
The site is written in Ruby on Rails, and is continually upgraded to the latest version of the framework for performance and security reasons.
Images
Images within Storypark are subject to both technical protections and access restrictions. Only the owner of the account can download images to their own local drive:
Centre admins are able to download images from any and all stories created at their service.
Parents are able to download images where their child has been tagged in a story.
What if I want to remove my data?
We keep a temporary history of most deletions, in case the deletion was an accident (which we can rectify though support requests). Outside of that grace period, if you decide to remove your content from our system, all images and video are permanently removed. We strongly believe this content is yours, and we’re simply storing it for you. You own it, so if you request to have it removed, it is removed from the internet.
Are there busy times when we should avoid using Storypark?
No! We have varying load during the period of a day, but our architecture will auto-scale to accommodate the amount of users on Storypark at any time. We are not aware of any capacity bottlenecks with our system, and don’t believe you’ll even notice when we’re busy compared to not busy.
Our commitment to confidentiality and privacy
A child profile may contain information that is sensitive, personal and or confidential to a child and their authorised viewers. Storypark will treat personal information as confidential and comply with the Privacy Act 2020 (New Zealand), the Privacy Act 1988 (Cth, Australia), the Personal Information Protection and Electronic Documents Act, SC 2000, c5 (federal, Canada), the Personal Information Protection Act (Alberta, Canada), the Personal Information Protection Act (British Columbia, Canada) and Storypark’s privacy policy. We will not knowingly breach any privacy laws in other jurisdictions.
All users must agree to not share another user's personal information without that user's explicit permission or to share a child’s personal information without the permission of that child's parent or guardian.
We do not sell your data. You will see reference to the fact that some personal information may be provided to companies located in the USA who offer software as a service products that process content for inclusion within Storypark (for example, conversion of images and videos to make them suitable for viewing online/through a web browser). Those third parties do not control, and are not permitted to (and are contractually obligated not to) access or use the personal information provided except for those limited purposes. We only choose reputable service providers and have agreements with such third parties that prevent them from using or disclosing to others the personal information we share with them, other than as is necessary to assist us.
For further information on when information would be disclosed, please see sections 11 to 13 of Storypark's terms of use.