Security Overview
Implementing AI responsibly, safely and securely is very important to us. This page provides a security overview of our product.
Compliance with data protection laws
We comply with key data protection laws and regulations across multiple regions, including:
Family Educational Rights and Privacy Act
United States
Protects student education records and gives parents/students control over their educational information.
General Data Protection Regulation
European Union & UK
Comprehensive data protection law that gives individuals control over their personal data.
Australian Privacy Principles & Privacy Act 1988
Australia
Governs the handling of personal information by Australian government agencies and private sector organisations.
Core security principles
Institutional data excluded from training
Data from paid institutional accounts is never used for model training. De-identified data from free accounts may be used to improve Bloom by default, and users can opt out at any time.
Institution-owned IP
Institutions retain full ownership over their course materials and student data. No other institution has access to or can make use of their proprietary content.
Security features
Data regions
We offer flexible data residency options to ensure compliance with local data protection laws and regulations. Clients can choose from multiple regions for data storage, ensuring both security and compliance with jurisdiction-specific requirements.
User control over data
We support access requests, deletion requests, and data portability where applicable.
Use any large language model (LLM)
We are LLM-agnostic, allowing us to seamlessly integrate with any large language model, including open-source options hosted locally. This flexibility enables organisations to have greater control over their AI models and infrastructure.
Data encrypted in transit and at rest
Data at rest is encrypted using industry-standard AES-256 encryption. Data in transit is secured using TLS (Transport Layer Security) to protect communications between users and our platform.
Regular security audits and penetration testing
We engaged a well-known cybersecurity firm to perform a manual penetration test of our platform. The overall security posture was found to be strong: no high or critical issues were identified, and all medium issues were resolved during the penetration testing period.
Single Sign-On and Multi-Factor Authentication
We can integrate with your organisation's Single Sign-On (SSO). Additionally, we offer multi-factor authentication (MFA) to add an extra layer of protection to user accounts.
Security questions
We can complete security questionnaires and are happy to provide detailed information about our security measures to ensure confidence and compliance.
