Security Overview
Implementing AI responsibly, safely and securely is very important to us. This page provides a security overview of our product.
- Compliant with FERPA, GDPR, and Australian Privacy Principles (APP).
- AES-256 encryption at rest, TLS in transit.
- Independently penetration tested by CyberCX. CIS Benchmarks and HECVAT completed.
- Institutional data is never used for model training. Institutions retain full ownership over course materials and student data.
- SSO, MFA, and flexible data residency across regions. LLM-agnostic, with support for locally-hosted open-source models.
Compliance with data protection laws
We comply with key data protection laws and regulations across multiple regions, including:
🇺🇸 United States
🇪🇺 European Union & UK
🇦🇺 Australia
We provide a Data Processing Agreement (DPA) for institutional customers covering FERPA, COPPA, GDPR, and student data privacy.
Security features
Institutional data excluded from training
Data from paid institutional accounts is never used for model training. De-identified data from free accounts may be used to improve Bloom by default, and users can opt out at any time.
Institution-owned IP
Institutions retain full ownership over their course materials and student data. No other institution has access to or can make use of their proprietary content.
Data encrypted in transit and at rest
Data at rest is encrypted using industry-standard AES-256 encryption. Data in transit is secured using TLS (Transport Layer Security) to protect communications between users and our platform.
Data regions
We offer flexible data residency options to ensure compliance with local data protection laws. Clients can choose from multiple regions for data storage.
Single Sign-On and Multi-Factor Authentication
We integrate with your organisation's Single Sign-On (SSO). We also offer multi-factor authentication (MFA) to add an extra layer of protection to user accounts.
Regular security audits and penetration testing
CyberCX performed a manual penetration test of our platform. The overall security posture was found to be strong, with no high or critical issues identified and all medium issues resolved.
User control over data
We support access requests, deletion requests, and data portability where applicable.
Use any large language model (LLM)
We are LLM-agnostic, allowing integration with any large language model, including open-source options hosted locally for greater control over AI infrastructure.
Security questionnaires
We complete security questionnaires including HECVAT and are happy to provide detailed information about our security measures.
