Trust Center

Security at Wooclap

Everything you need to know about how we protect your data — from infrastructure and encryption to audits and incident response.

Introduction

Wooclap's security approach is a long-term project developed in collaboration with universities and businesses.

At Wooclap, we require and have developed the highest level of security for your data. This approach is continuously evolving with a dedicated security team working to increase our security level. You can find details of our security measures in our Security Policy, as well as on this page, which aims to share information on the main security topics.

The information provided here is valid for both Wooclap and Wooflash. These products are built on the same technical base and developed by the same team. Therefore, Wooclap's security guarantees also apply to our product Wooflash.

Data hosting

All data collected through the use of Wooclap or in forms is processed on our servers hosted on Amazon Web Services (AWS). The servers are located in a country of the European Union ("eu-west-3" region in Paris, France), and are therefore subject to the GDPR.

Why AWS? We chose to work with Amazon because they are industry leaders in terms of quality of services, security features and technologies and are fully compliant with GDPR. These criteria are essential for us, for AWS, but also for all the partners we are working with.

Our infrastructure is built on AWS and based on the AWS Well-Architected Framework which includes the highest security configuration standards and data protection pillars.

Data encryption

All Wooclap data is encrypted at rest and in transit. Privacy and data protection are important topics for Wooclap. To achieve these goals, we use data encryption measures wherever possible.

At-rest encryption: Wooclap uses Amazon Key Management Service (KMS) with AES 256-bit keys to encrypt data stored by Wooclap. This data encryption scheme has been validated as FIPS 197 by the NIST. Regarding the key storage, AWS uses specific equipment called Hardware Security Module (HSM) — this device guarantees that no technical access is possible to the keys for AWS, Wooclap or anyone else.

In-transit encryption: Only TLS 1.2 or higher is used at Wooclap. This cryptographic protocol allows Wooclap to encrypt communications between Wooclap services and the users' browsers and to protect them against attacks.

An AWS video explains the specific encryption mechanisms and AWS services that protect Wooclap data.

Identity and Access

At Wooclap, we prioritise enhanced authentication methods such as Single Sign-On (SSO), although basic authentication is still possible.

There is only one type of account at Wooclap, whether the user is a participant, teacher, presenter, etc., but different types of rights are possible:

  • Normal rights, which allow creating content, events, etc.
  • Administrator rights as "pedagogical engineer", which provide access to their organisation(s).
  • Administrator rights as "moderator", which provide access to their organisation(s) and the ability to add or remove users from it.
  • Wooclap administrator rights, which provide access to "pedagogical engineer" and "moderator" privileges, as well as configuration options for SSO and detailed access to organisations.

Wooclap users can access their accounts through various authentication methods:

  • Email and password authentication
  • Social media authentication
  • Enhanced Single Sign-On (SSO) authentication, where a technical connection with Wooclap will be required with your professional email (which will redirect to your company or institution's SSO page)

Wooclap supports various authentication protocols, particularly those related to the education sector:

  • RENATER (Le Réseau National de Télécommunications pour la technologie, l'Enseignement et la Recherche)
  • The International EduGAIN service
  • The GÉANT Data Protection Code of Conduct
  • RedIRIS

But also more common or region-specific protocols: Azure AD, SAML, CAS, Shibboleth, Apereo, Canarie.

Please do not hesitate to contact us directly to find out if your authentication protocol is available.

Wooclap is also compatible with most Learning Management Systems (LMS): Moodle, Canvas, Blackboard, Brightspace D2L, Claroline, Dokeos, itslearning, Sakai, etc.

LMS authentication can be done using Learning Tools Interoperability (LTI) protocols:

  • LTI 1.1 for symmetric encryption (obsolete since late 2021)
  • LTI 1.3 for asymmetric encryption with OpenID Connect - OAuth 2.0

Authentication with the Moodle plugin is also possible.

Regarding access to Wooclap data for Wooclap employees, access is strictly limited, and only Tech team members can access user data for specific purposes (such as bug investigation and resolution).

Access by Wooclap employees with administrator rights is protected by Single Sign-On (SSO) and also requires Multi-Factor Authentication (MFA).

AWS prohibits and has systems designed to prevent access by AWS personnel to data stored on AWS for any purpose, including service maintenance. Individual access for maintenance must be specifically granted by a Wooclap employee with the appropriate level of rights. Such access is covered by additional security measures such as Identity and Access Management (IAM) policies that grant access only to authorised Wooclap accounts.

Availability

Wooclap chose AWS infrastructure to ensure the highest level of service for users and customers. A Service Level Agreement (SLA) document is available and attached to your Wooclap contract, which highlights the platform's SLAs with details on availability rates, support, and the response to critical situations or incidents.

Wooclap has an incident management procedure and an action checklist to follow, which is shared by the company's management and board. It is an internal document that describes roles, actions to be taken, and priorities in the event of an incident. The post-remediation phase is also described so that actions can be taken to prevent the incident from recurring (if possible).

Distributed Denial of Service (DDoS) attacks are mitigated by AWS mechanisms. This continuous network monitoring blocks malicious traffic using packet filtering and traffic shaping based on priorities at Layers 3 (IPv4/IPv6) and 4 (TCP/UDP) of the OSI model.

Wooclap has dedicated insurance for security incidents.

We will always be transparent and communicate if any consequences affect the use of the Wooclap platforms or user data. We see communication as a duty and it's also mentioned in the contract that binds both parties.

Backup

Wooclap uses two methods to ensure that there is no data loss for users:

  • Daily backups that are encrypted (AES-256) and stored for 30 days
  • Snapshots (copies of the entire disk file system at a given point in time)

Both methods allow Wooclap to revert to a previous healthy state in case of accidental or malicious alteration or destruction of data.

Security by design

Secure development best practices (security by design) are implemented at Wooclap and are part of our platform's development cycle. More details are available in our Security Policy (linked to your contract).

Wooclap has implemented monitoring and alerting measures based on AWS technologies as well as dedicated tech team tools.

Logging measures are used continuously by the development teams. Application logs are kept for 6 months, in line with the ANSSI and CNIL recommendations.

Audits

Wooclap performs an annual security audit on its infrastructure to detect new vulnerabilities and implements every necessary remediation following this audit.

An audit may be a technical penetration test of the Wooclap applications and websites, or may have a wider scope that includes a compliance or organisational layer.

Wooclap partners and clients with an organisational Wooclap license can also request a specific audit on our infrastructure (limited to one audit per year and funded by their organisation).

Audit summaries can be shared with clients upon request.

Governance

Wooclap has a security governance team with the Chief Information Security Officer (CISO) and the CTO of Wooclap. This team is known by all Wooclap employees, with frequent communication.

Wooclap has an annual security roadmap to anticipate and plan upcoming security and data privacy improvements. More specific goals are also linked to this roadmap to track progress and continuous alignment with the company's targets.

The Wooclap Security team is also responsible for the security relationships with university partners and other Wooclap clients. We respond to security forms, address legal aspects and sign contracts. This relationship is maintained throughout the contract lifecycle.

Wooclap has a Security Policy as well as other documents related to security and data privacy. These documents are included as annexes to the contract.

Awareness

Awareness actions are carried out throughout the year at Wooclap and gathered through an annual program. Security training is mandatory during the onboarding process of each new Wooclap employee.

Security, AI policy and Privacy at Wooclap

In these 3 pages you will find key information on our latest security, privacy, and AI principles, which we frequently update to guarantee total transparency with our users and partners.

  • GDPR at Wooclap

    As part of our approach, Wooclap aims to ensure the long-term security of your data. We provide the appropriate level of protection to maintain the confidentiality of user data in compliance with the GDPR, and we will carefully monitor any changes in relevant legislation.

  • AI at Wooclap

    Our AI features assist with many use cases across Wooclap, Wooflash and Quiz Wizard. We are expanding these capabilities to meet user demands while maintaining strict security and privacy controls.
