Security and Compliance

Our commitment to security and compliance

360Learning has security and compliance on lock, so you can focus 100% on the business at hand.

Partner with a trusted and certified vendor

SOC 2 Type 2 security badge awarded to 360Learning

Security

ISO 27001 & SOC 2 Type II

SOC 2 Type 2 is an information security framework that assesses how a company manages customer data based on Trust Services Criteria with annual audits. It focuses on cybersecurity controls for customer data over time.


ISO 27001 is a security standard that outlines requirements for an information security management system. It lists best practices and security controls related to information risk management.


360Learning is SOC 2 Type II and ISO 27001 compliant. The company participates in annual independent audits to maintain compliance.

Azure cloud hosting

360Learning uses Microsoft Azure as its cloud service provider. Its infrastructure, including all client data, is housed securely in Azure's data centers, in locations not subject to the Patriot Act.


Microsoft Azure has been certified with ISO 27001, ISO 27018, SOC 1, SOC 2, SOC 3, and CSA. Its facilities have extensive protective measures, including 24/7 surveillance, access control, and protection against environmental hazards. Our data is fully backed up once per day in a separate facility to ensure business continuity and disaster recovery.

Security at all levels

Our infrastructure is protected and under surveillance at all levels, 24/7. Access is controlled via port scanning and IP filtering; data transfer is secured via forced HTTPS and encryption (AES-256). Our fleet is protected with EDR / XDR to identify and block malicious activity.
We also commission an external security audit twice a year and permit our clients to audit our platform.

360Learning’s internal security team brings several decades of security expertise. All 360Learning employees complete regular security training to detect phishing and other malicious activities.

Our Orca infrastructure security score exceeds the average by 15%. 

Global Compliance

Compliance

Our Ethics, Social and Environmental Responsibility Charter describes how 360Learning and all 360Learners conduct business, and outlines the fundamental values we share as a group, wherever we operate in the world. Find our CSR charter here.

Our Supplier Code of Conduct establishes the mandatory requirements for all partners, ensuring strict adherence to human rights, labor standards, environmental protection, and anti-corruption measures. Supporting these requirements is our 360Learning Procurement Policy, which defines the overarching principles we use to drive ethical sourcing, minimize environmental impact, and promote fair labor practices across our entire value chain.

AI

At 360Learning, our commitment to privacy and security extends directly to the development of our artificial intelligence functionalities. We believe AI must be developed responsibly, with a strong focus on transparency, security, and ethics. To ensure this, we have verified our alignment with the EU AI Act. Our features are designed to enhance learning without infringing on fundamental rights.

Our AI Policy Framework relies on three key policies:

- Our Commitments to Responsible AI. This is our customer-facing document, published on our website, which complements our AI FAQ successfully used by our customers. It defines our philosophy: we develop and implement AI in a way that is responsible, ethical, and respectful of global regulations.

- Our Internal AI Charter. This Charter defines the 7 rules and best practices concerning the use of AI in our daily work; and

- AI Squad Guidelines. This document, addressed to the relevant squad, defines the “Golden Rules” to abide by when developing AI features, to ensure that our qualification of 360Learning’s AI System as “Limited Risk” under the EU AI Act remains relevant and valid.

You can find more information on the implementation of AI Features in our products here.

Data

Our organization and our platform regularly undergo independent verification of security, privacy, and compliance controls, achieving certifications against global standards.


In line with our commitment to transparency and the EU Data Act, we ensure that our customers maintain full sovereignty over their data. We provide data portability and clear access to generated data, ensuring you remain in control of your information at all times.


Our personal data compliance program, both as a data controller and as a personal data subprocessor, is built around the pillars of compliance, established by reference to the General Data Protection Regulation (GDPR) and the recommendations of the European authorities.

Customers are invited to review our privacy documentation and can reach our Data Protection Officer (DPO) for further questions at data-protection@360learning.com.

Ethics - Speak up!

360Learning's Ethics Line

Any concerns? Speak up! 360Learning has set up an Ethics hotline to report any conduct or situation that does not comply with the Charter or with applicable laws and regulations.

The procedure is available to anyone who wishes to raise an alert.

Please keep reading for our local compliance specifics.

Local Compliance

European Union

Under the European Digital Services Act of October 19, 2022 (“DSA”), 360Learning qualifies as a service intermediary offering hosting services.

360Learning implements the necessary measures to comply with its obligations under the DSA. The rules governing the use of the 360Learning platform, the procedure for handling reports of illegal content and the platform's moderation policy are available in the Technical Documentation.

In accordance with its obligations under the DSA, 360Learning has designated data-protection@360learning.com as its single point of contact for all communications relating to DSA compliance.

Germany Specifics

For customers registered in Germany, we have compiled a dedicated section of Frequently Asked Questions (FAQ) to address specific regional inquiries. This resource provides detailed information regarding local account management, compliance standards, and service features tailored to our German users. We encourage you to review these details to ensure a seamless experience with our platform.

US & UK

We operate in accordance with all US federal and state regulations. We believe in doing business the right way, ensuring that the services we deliver are provided ethically and in full compliance with applicable law. This includes the CCPA/CPRA. We do not sell your personal information, and we provide clear transparency and control over how your data is used.

Integrity and transparency are at the heart of our operations. In compliance with statutory requirements, we have published our 2024 Modern Slavery Act Statement, detailing the steps we take to prevent forced labor in our global supply chain.

We are fully compliant with the UK GDPR and the Data Protection Act 2018. For international data transfers, we utilize the ICO International Data Transfer Addendum in conjunction with the EU Standard Contractual Clauses (SCCs). This ensures that all data transferred from the UK to third countries is subject to the same standards of protection.

Thanks to these actions, we have achieved a Silver Medal from ECOVADIS with a score of 74.

Do you have any questions?

Contact us