How CommonLit Balances Student Security and Employee Privacy
CommonLit is a nonprofit education technology company whose mission is to "unlock the potential of every child through reading." Since the company was founded in 2014, over 1 million teachers and 35 million students have used CommonLit's free and low-cost curriculums and assessments.
But CommonLit's growth has required them to grapple with all the security and regulatory challenges that come with handling children's data.
As Geoff Harcourt, CommonLit's CTO, explains, "There's a whole constellation of laws and regulations around student data. It's not quite the level of healthcare or credit card data, but it's close enough that I think they're comparable."
Getting SOC 2 Certified in Under Three Months
In 2023, Geoff and CommonLit faced an urgent security challenge. Several states passed new legislation that meant CommonLit needed to get SOC 2 certified in order to keep operating there. "We decided this summer that we needed to be SOC 2 compliant before the school year started in the fall," Geoff says.
That's a tight deadline to get a 120-person, distributed company on board with a strict and complex compliance standard, especially since they lacked a dedicated IT team to help with the rollout.
Geoff had a lot on his plate. "Getting SOC2 compliance became nearly a full-time job for me…a lot of growth has happened since we've become a distributed organization. So pushing out IT stuff, especially to laptops that have already been distributed to team members, is quite complicated." In particular, showing auditors that CommonLit's employee and contractor devices were compliant proved to be a challenge.
"The things that came up in our SOC2 audit were: provably verifying that we had hard drive encryption, and that we had antivirus, anti-malware installed." CommonLit couldn't prove this with its existing tools, so they started looking for vendors, but they struggled to find a solution that could check device posture without saddling them with unneeded features. "Some of the alternatives that we looked at were telling us that we would have to install antivirus software in our Macs. MacOS has built-in stuff, so we didn't want to install extra stuff. A package that could let us prove in a programmatic way that the anti-malware software on the Mac was online and working and enabled was really useful."
Posture checks aside, CommonLit had another core requirement for an endpoint security tool: it had to ensure device posture without crossing the line into bossware.
I think of myself as a computer privacy hawk, so I take that stuff really seriously. The idea of aggressive surveillance of team members' laptops was not very appealing.
CommonLit has a deep obligation to protect student data, but they wanted to balance it with the obligation to protect the privacy of their employees and contractors.
Finding a vendor that met all CommonLit's requirements and could be rolled out in time for the audit was starting to feel impossible, until Geoff found Kolide in the integrations catalog of their audit platform.
How Kolide Secured CommonLit's Fleet While Protecting Privacy
"Kolide was the only solution we could find that had the right balance of security and user privacy," says Geoff.
When CommonLit rolled out Kolide, they took care to explain to their team why they needed Kolide, and how they would be using it to get compliant while still respecting privacy.
We gave an all-staff presentation where we explained what we were doing. I distributed the Honest Security Manifesto to everyone. In our new employee handout that you get when you get your company laptop, there is a link to the Privacy Center. And we say, "Hey, Kolide's going to be on your computer. This is why we've chosen Kolide. This is what it does. These are the promises we're making as an organization around it."
Aside from employees, CommonLit has also rolled out Kolide on some contractor devices. "The line we've drawn is if you interact with student data or our curriculum IP, you have to have Kolide," Geoff says.
By adopting Kolide, CommonLit were able to earn their SOC 2 certification while preserving the privacy and trust of their team. "It was not a controversial thing at CommonLit to add it to employee machines," Geoff says.
And despite the tight deadline, the Kolide rollout hasn't added to Geoff's stress level. "It's been pretty seamless. I really enjoy it…we've basically had no issues," he says. "We don't have an IT team. I want as little distraction or burden from our vendors as possible, and this has allowed us to get the thing that we want without having to invest a ton of time in it, so it's good."
CommonLit Hopes Kolide Will Help Them Help More Schools
Now that CommonLit has gotten their SOC 2 Type I certification, they're working toward SOC 2 Type II. In the meantime, Geoff is expanding CommonLit's use of Kolide by adding more Checks, and is even hoping to create some custom Checks during the quieter winter season.
Looking to the future, CommonLit plans to keep expanding its services to more teachers and students, while navigating the ever-changing child privacy laws across different districts.
"I'm looking forward to seeing CommonLit continue to be used in more school districts," Geoff says. "As far as how Kolide fits into that, we need to be secure and compliant so that we can protect student data and so that we can fulfill the regulatory requirements we have in the various places that we want to serve students."
Kolide just reduces the burden for us to do that in a way that also allows us to show how deeply we respect employee privacy.