Regulatory Compliance
Lingoodle operates in full compliance with the General Data Protection Regulation (GDPR) and the Children's Online Privacy Protection Act (COPPA). As an Irish company serving enterprise clients globally, we adhere to the strictest applicable data protection standards.
Under the GDPR, Lingoodle acts as a data processor on behalf of enterprise clients (the data controllers). We process only the minimum personal data required to deliver our Mandarin immersion programme. Under COPPA, we apply additional safeguards when handling data related to children under 13, including verifiable parental consent requirements and strict limits on data collection.
Our data processing activities are governed by a Data Protection Impact Assessment (DPIA), and we maintain comprehensive records of processing activities as required under Article 30 of the GDPR.
EU Data Residency
Lingoodle's sub-processors each offer EU data residency options for our data. This applies to categories of personal data including student records, parent and guardian contact information, and payment metadata. Sessions are not recorded.
Our sub-processors are contractually bound by GDPR-compliant Data Processing Agreements.
Data Encryption
Lingoodle's sub-processors (Moodle, Zoom, Stripe) each maintain their own industry-standard encryption for data in transit and at rest, as part of their published security practices.
Sub-Processors
Lingoodle works with a carefully selected set of sub-processors, each bound by GDPR-compliant Data Processing Agreements (DPAs). The following table details our current sub-processors and their roles.
| Sub-Processor | Purpose | Notes |
|---|---|---|
| Moodle (Moodle Pty Ltd) | Learning management platform | EU-hosted on AWS (Ireland) with regular penetration testing. SOC 2 Type II certification is held by the Moodle US entity and available on request. |
| Zoom | Video delivery for 1-on-1 sessions | Used to deliver live Mandarin immersion sessions between tutors and students. |
| Stripe | Payment processing | Handles enterprise billing and payment transactions. PCI DSS Level 1 certified. |
All sub-processors are reviewed on a regular basis. Enterprise clients are notified in advance of any changes to this list, in accordance with their Data Processing Agreement.
Tutor Vetting Process
Every Lingoodle tutor undergoes a rigorous vetting process before being permitted to deliver sessions. Our commitment to child safety is reflected in the following requirements.
- Background checks: All tutors are subject to comprehensive background checks prior to engagement.
- Garda vetting: Tutors based in Ireland undergo Garda vetting through the National Vetting Bureau, in compliance with the National Vetting Bureau (Children and Vulnerable Persons) Acts 2012 to 2016.
- Reference verification: Professional and character references are obtained and verified for every tutor.
- Mandatory safeguarding training: All tutors complete mandatory child safeguarding training before delivering any sessions, with refresher training conducted on a regular basis.
- Ongoing performance monitoring: Tutors are subject to continuous performance monitoring, including session quality reviews and adherence to safeguarding protocols.
Parental Consent
Lingoodle obtains verifiable parental consent before any child's personal data is collected or any sessions begin. This consent process is designed to meet the requirements of both GDPR Article 8 and COPPA.
- Parents or legal guardians are presented with a clear, plain-language explanation of what data will be collected, how it will be used, and who will have access to it.
- Consent is obtained through a verified mechanism, ensuring the person providing consent is the child's parent or legal guardian.
- Parents can withdraw consent at any time. Upon withdrawal, the child's personal data will be deleted in accordance with our data retention policies, and sessions will cease.
Enterprise clients are responsible for facilitating the parental consent process within their organisations. Lingoodle provides the necessary materials and tools to support this.
Incident Response
Lingoodle maintains a documented incident response plan to address any security breaches or data protection incidents promptly and effectively.
- Security incidents involving personal data are reported to the relevant supervisory authority within 72 hours, as required under Article 33 of the GDPR.
- Affected data controllers (enterprise clients) are notified without undue delay, with full details of the nature of the breach, the categories of data affected, and the measures taken to address the incident.
- Where a breach is likely to result in a high risk to the rights and freedoms of individuals, affected data subjects are notified directly.
Our incident response procedures are tested and reviewed regularly to ensure they remain effective and aligned with current best practices.
Security Contact
If you have any questions about our security practices, wish to report a vulnerability, or need to discuss data protection matters, please contact our security team.
Security enquiries: hello@lingoodle.com
Data protection enquiries: hello@lingoodle.com
For requests related to sub-processor security certifications, including those held by Moodle, please contact us at hello@lingoodle.com. This documentation is available under NDA upon request.