Lightspeed Systems® is your trusted partner

Lightspeed Trust

Information security and data protection is an integral part of our core beliefs.  We have dedicated security and compliance teams, who are committed to keeping your information safe and secure. Lightspeed Systems employs strict policies and procedures to ensure availability, integrity, and confidentiality of customer data.

System Status

We know you rely on Lightspeed Systems solutions to do amazing things, so we continuously monitor our services internally and through 3rd-party services. Find interruptions in services, updates, and maintenance announcements here.


Lightspeed Systems understands the need to safeguard the personal and confidential data of our customers, employees, and partners. Privacy and security is our responsibility, and we provide innovative solutions that enhance, rather than compromise, data privacy and security.


Since 1999, Lightspeed Systems has been partnering with schools around the world to protect students and make learning adaptable to the ever-changing technological landscape. The nature of our business mandates us to be compliant with the various student data privacy laws, to ensure student data is safeguarded.

Lightspeed Systems Service Status

Service Level Agreement (SLA)

Lightspeed Systems provides hosted services including mobile device management, web filtering, app analytics, and classroom management for schools. Our services are available at least 99.9% of the time, with servers being continuously monitored for performance and availability.

screenshots on desktop and mobile devices for distance learning software

Lightspeed security

Administrative Safeguards

Employee background checks

All Lightspeed Systems employees undergo background checks and sign a non-disclosure agreement before hire.

Incident Management

We have a written Incident Response Plan which details the processes for detecting, reporting, identifying, analyzing, and responding to Security Incidents impacting Lightspeed Systems networks and Customer Data.

Data Breach Notification

If we learn of a data breach, we will follow our Incident Response Plan and notify our customers without undue delay. 

Employee Privacy & Security Awareness training

Upon hire and on an ongoing basis, all employees are required to undertake privacy and security training, which covers privacy practices and the principles that apply to employee handling of personal information, including the need to place limitations on using, accessing, sharing and retaining personal information.

We provide training on specific aspects of security that they require based on their roles. For example, the product development team undergoes privacy by design and secure software development training. Employees are also subjected to regular phishing emails.

Vendor Selection & Risk Management

Lightspeed Systems may use sub-processors to perform services and are only entitled to access customer data only as needed to perform the Services and shall be bound by written agreements that require them to provide strict levels of data protection required by Lightspeed and applicable regulations. Here is a list of our subprocessors.

Pre-engagement and ongoing vendor assessments are conducted to ensure proper data privacy and security practices are in place throughout the vendor relationship.

  • Changes to vendor services provided or changes to existing contracts require a security risk assessment to confirm that the changes do not present additional or undue risk.

Policy and procedure documents align with the NIST Privacy/Security Frameworks

Lightspeed Systems reviews its systems against the CIS Controls and NIST Frameworks, and any identified risks or gaps are addressed accordingly.

We have a designated Data Governance team that holds periodic meetings to ensure data integrity.

We have implemented various policy documents across the Organization for data protection, such as, but not limited to: Incident Response Plan, Security Policy, Vulnerability Remediation Policy, IT Standards Policy and Data Deletion Policy.

Lightspeed security

Technical Safeguards

Data encryption

Data is encrypted in transit and at rest.


Data Retention & Deletion

Lightspeed Systems has implemented a Data Retention Policy. Where appropriate, our solutions utilize automated rules to purge data according to policy.


Data Backup

We perform regular backups of data and systems. Backup intervals are dependent on the type of data and range from minutes to once per day.

Vulnerability Remediation

Lightspeed Systems has a Vulnerability Remediation policy to identify and remediate vulnerabilities according to the risk they present. We utilize patch management software to monitor systems and ensure patches are implemented.


Malware Protection

Lightspeed Systems has in place anti-malware and anti-spam solutions to protect servers and workstations.


Logging & Monitoring

Lightspeed Systems has deployed logging and monitoring solutions to identify and investigate possible security events.

identity & access control

Access to personal information is limited through login credentials to those employees who require it to perform their job functions. In addition, Lightspeed Systems utilizes access controls such as Multi-Factor Authentication, Single Sign-On, least privilege and access on an as-needed basis, strong password controls, and restricted access to administrative accounts.

Our solutions allow customers to create ‘Admin’ roles that provide only the rights needed to perform the required functions.

Lightspeed security

Physical Safeguards

workplace security

Lightspeed Systems maintains the following controls designed to prevent unauthorized access to our offices:

  • Facility access is limited to authorized individuals by use of keys/key fobs or access badges.
  • Lightspeed offices have fire suppression and fire detection systems or devices as well as emergency exits and evacuation routes.

data center security

All data centers where data is processed and stored are located in the United States and hold SOC 2, HIPPA, PCI DSS and ISO 27001 certifications. Lightspeed has a process in place to log, monitor, and respond to events and anomalies in its systems and solutions.  Data backup and recovery solutions are also in place.

Secure Design Principles

Lightspeed Systems practices security by design. We utilize a Secure Software Development Lifecycle based on the OWASP methodologies.

  • Our systems and processes take into account the core pillars of information security: Confidentiality, Integrity and Availability.

Contact us if you suspect a security vulnerability within Lightspeed Systems

Contact us if you suspect a security vulnerability within Lightspeed Systems


Children's Online Privacy Protection Act (COPPA)

COPPA applies to the online collection of personal information by persons or entities under U.S. jurisdiction about children under 13 years of age. Parental consent is required for the collection or use of any personal information of the users.

  • Lightspeed Systems complies with the Children’s Online Privacy Protection Act (COPPA, to ensure the online safety of children. Student accounts are provided only through a verified educator, school, or educational organization. Educators agree to obtain parental permission before issuing accounts to students. 

We meet the following COPPA guidelines listed below and agree to:

  • NOT collect online contact information without the consent of either a parent or a qualified educator or educational institution.
  • NOT collect personally identifiable offline contact information.
  • NOT distribute to third parties any personally identifiable information without prior parental consent.
  • NOT entice by the prospect of a special game, prize, or other activity or to divulge more information than is needed to participate in the activity.
  • NOT use or disclose student information for behavioral targeting of advertisements to students.
  • NOT build a personal profile of a student other than for supporting authorized educational/school purposes.


Family Educational Rights & Privacy Act (FERPA)

The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

  • Although FERPA applies to schools and not companies, Lightspeed Systems may be designated as a ‘School Official’ and as such, we are compliant with FERPA requirements and have committed to protecting the privacy of students’ information, which is entrusted to us by the School Districts. The School Districts are in control of all student data and we proceed under their direction. Under FERPA, parents or eligible students have the right to access, inspect, review and rectify student records and Lightspeed complies with these rights when we get a verified written request from  the School District.
  • Please note that Lightspeed Systems has no direct contact with students or parents.


New York Education Law 2-D

Education Law § 2-d went into effect in April 2014.  The focus of the statute was to foster privacy and security of personally identifiable information (PII) of students and certain PII related to classroom teachers and principals.

Lightspeed Systems complies with the NY ED Law 2-D and the Parents Bill of Rights, which requires the following:

  • A student’s personally identifiable information (PII) cannot be sold or released for any commercial purpose;
  • The right to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency;
  • Safeguards associated with industry standards and best practices including but not limited to encryption, firewalls and password protection must be in place when student PII is stored or transferred;
  • To be notified in accordance with applicable laws and regulations if a breach or unauthorized release of PII occurs;
  • Parents have  the  right  to  have  complaints  about  possible  breaches  of  student  data addressed;
  • Educational agency workers that handle PII will receive training on applicable state and federal laws, policies, and safeguards associated with industry standards and best practices that protect PII;
  • Educational agency contracts with vendors that receive PII will address statutory and regulatory data privacy and security requirements.


Student Privacy Pledge

The Student Privacy Pledge is a public and legally enforceable statement by ed tech companies to safeguard student privacy, built around  commitments regarding the collection, maintenance, and use of student personal information.

  • Lightspeed Systems has signed the Student Privacy Pledge to carry out responsible stewardship and appropriate use of student personal information.
student privacy pledge signatory badge


Student Data Privacy Consortium (SDPC) and National Data Processing Agreement (NDPA)

The SDPC is a unique collaboration of schools, districts, regional, territories and state agencies, policy makers, trade organizations and marketplace providers addressing real-world, adaptable, and implementable solutions to growing data privacy concerns.
  • The SDPC released the first National Data Privacy Agreement (NDPA) to streamline application contracting and set common expectations between schools/districts and marketplace providers.
  • Lightspeed is working with school districts in all the participating States to ensure we have Data Processing Agreements in place.
  • School districts who would like to sign the SDPC and NDPA with us are encouraged to email [email protected]


California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them.

  • Lightspeed Systems is committed to meeting the requirements of the CCPA and protecting your data.
  • Our Privacy Policy provides detailed information on how Lightspeed Systems collects and processes your personal information.

California consumers may make a request pursuant to their rights under the CCPA by contacting us at [email protected]


California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA) amends and expands on the California Consumer Privacy Act (CCPA). CPRA goes into effect on Jan 1, 2023. CCPA was amended to protect the personal data of California employees (B2E) and business-to-business (B2B) contacts and requires all organizations collecting California resident data to apply more extensive protections, such as privacy risk assessments, data minimization and retention policies.

The CPRA now focuses data rights on b2b relationships and employees – from transparent data disclosure to more vigorous enforcement and higher awareness of privacy risks related to data collection and processing — and accounting for any data tied to California employees, businesses, and residents.

Who does the California Privacy Rights Act protect?

Any individual who is a California resident employee and a service provider/vendor, contractor, consultant, applicant, freelancer, and remote worker can reasonably be identified.

Employee & B2B Data Rights
  • Right to know: Employees, contractors, and service providers have the right to know what data is being collected and managed with the right to access copies of “specific pieces of personal information.”
  • Right to access: Similar to consumers, employees will be able to submit a data subject access request (DSAR) to their employer for access to their information, with some exceptions.
  • Right to use and disclose: The right to request that a business limit or stop the use and disclosure of sensitive personal information.
  • Right to correct: The right to request that the business correct inaccurate information.
  • Right to opt-out: The right to opt-out of having personal information sold or shared.
  • Right to Leniency: The right to not be retaliated against for exercising any data rights.
Lightspeed Systems has the following procedures in place to ensure CCPA & CPRA compliance:
  • Data Subject Access Requests: Data subjects may exercise their rights by emailing our Privacy Team ([email protected])
  • Data Mapping: Mapping, inventory and classification of all data
  • Data Minimization: We only process data which is adequate, relevant, and limited to what is necessary to the purposes of the data being used.
  • Data Retention Policies: We have implemented Data Retention Policies across all our products and processes. Data is not kept for longer than reasonably necessary to fulfill the processing activity
  • Privacy Impact Assessments: We conduct risk assessments of all our products and processes, to ensure privacy and security by design.


General Data Protection Regulation (GDPR)

GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states.

  • Lightspeed Systems is committed to meeting the data protection requirements of the GDPR.
  • We have implemented the following processes to ensure GDPR compliance:
    • Data minimization – We only collect data necessary for a specific purpose and use is limited to the stated purpose.
    • Data mapping and classification – We maintain a detailed inventory of personal data, and then classify that data. This is a continuous process, which we constantly work on improving.
    • Data retention – We keep data only for as long as it’s needed to fulfil the stated purpose and to meet our contractual obligationsWe have implemented the following processes to ensure GDPR compliance:
    • Data anonymization
GDPR compliance badge
    • We have a DPA with Standard Contractual Clauses, approved by the European Commission, to protect the transfer of personal data outside of the EU/UK.
    • Please reach out to [email protected] to execute the DPA with us.
    • We have implemented appropriate technical and organizational measures to secure personal data.


Privacy Shield

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.

 On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. That decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework.

  • Lightspeed Systems continues to maintain our Privacy Shield certification, which binds us to strict data protection principles.
  • We have incorporated the EU Standard Contractual Clauses into our DPA, to account for cross boarder data transfers. In some cases, we rely on the GDPR Article 49 derogation, where the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request.


Office of Foreign Assets Control (OFAC)

The Office of Foreign Assets Control (“OFAC”) of the US Department of the Treasury administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United​ States.

  • Lightspeed Systems, its subsidiary companies and affiliates are committed to full compliance with all international sanctions including but not limited to those imposed by the United States, the European Union, and the United Kingdom.
  • International sanctions are the laws, regulations, executive orders, council determinations and other government actions which prohibit a broad range of commercial and financial transactions. It is the policy of Lightspeed Systems to comply with all applicable international sanctions.
  • Lightspeed Systems considers an effective compliance program addressing export controls with policies and procedures to be an important, vital part of our business operations and ethical code of conduct.
  • We screen all international orders against various lists of sanctioned and prohibited persons and destinations prior to acceptance. Any order received, directly or indirectly, from a sanctioned person or intended for ultimate end use by sanctioned person or in a sanctioned destination, will be rejected.

Lightspeed Systems employees receive annual OFAC awareness training to ensure compliance.

For more detailed information on how we handle personal data and the details of our Services, please refer to our
Privacy Policy and Terms of Use.

Lightspeed Systems Subprocessor List

screenshots on desktop and mobile devices for distance learning software

Here's a demo, on us

Still doing your research?
Let us help! Schedule a free demo with one of our product experts to get all of your questions answered quickly.

man sitting at desk on laptop looking at Lightspeed Filter dashboard

Welcome back!

Looking for pricing information for our solutions?
Let us know about your district’s requirements and we’ll be happy to build a custom quote.

Reimagine the inspired and interactive classroom for remote, hybrid, and in-person learning. Lightspeed Classroom Management™ gives teachers real-time visibility and control of their students’ digital workspaces and online activity.

  • Ensure all students interact with only the right online curriculum — precisely when they’re supposed to use it.
  • Push out vetted curriculum links to all students at the same time.
  • Block inappropriate or distracting web sites and apps.

Ensure scalable & efficient learning device management. The Lightspeed Mobile Device Management™ system ensures safe and secure management of student learning resources with real-time visibility and reporting essential for effective distance learning.

  • A centralized, cloud-based solution for infinitely scalable device, application, and policy controls
  • Self-Service App Library, where teachers and students
    can access and install approved curriculum and learning tools
  • Remotely deploy, change, and revoke hundreds of policies and educational applications, while reducing typical downtime and costs

Prevent suicides, cyberbullying, and schoolviolence. Lightspeed Alert™ supports district administrators and selected personnel with advanced AI to detect and report potential threats before it’s too late.

  • Human review
  • Real-time alerts that flag signs of a potential threat
  • Intervene quickly before an incident occurs.
  • Activity logs provide visibility into online activity before and after a flagged event

Protect students from harmful online content. Lightspeed Filter™ is the best-in-class solution that acts as a solid barrier to inappropriate or illicit online content to ensure students’ online safety 24/7.

  • Powered by the most comprehensive database in the industry built through 20 years of web indexing and machine learning.
  • Ensure CIPA compliance
  • Block millions of inappropriate, harmful, and unknown sites, images, and video including YouTube
  • Keep parents informed with the Lightspeed Parent Portal™

Gain complete visibility into students’ online learning. Lightspeed Analytics™ gives districts robust data on the effectiveness of any tools they implement so they can take a strategic approach to their technology stack and streamline reporting.

  • Track education technology adoption and usage trends, eliminate redundancy, and drive ROI
  • Monitor app and content consumption to facilitate early adoption and effective utilization
  • Assess risk with visibility into student data privacy and security compliance