For Schools, Districts & Procurement

We provide verifiable controls, audited processes, and standard documentation for districts and organizations.

Data Protection Agreements (DPAs)

  • Kahoot!’s standard DPA is available here
  • Pre‑existing US State DPAs are listed here
  • Sub‑processors are listed here. Any updates to the sub-processor list will be sent to the email registered to the owner of an organization account.

Certifications & Validations

  • ISO/IEC 27001:2022 – a summary report is available upon request, reach out to your sales rep or support.
  • AICPA SOC 2 type 2 report – a summary report is available upon request after signing an NDA, reach out to your sales rep or support.
  • 1EdTech Certified – certified for both LTI Advantage and Data Privacy.
  • Common Sense Privacy Seal – independent privacy rating. Read more about the verification process here.
  • Privacy regulation – Our products are designed to align with COPPA, FERPA and GDPR. We continue to actively monitor developments in this area. You can read more about our privacy practices in our Privacy Notice.

Security

  • Security at Kahoot! – To ensure data is secure we at Kahoot! have implemented a set of safeguards and processes covering all parts of the data journey. Read more about security at Kahoot! here.
  • Key Security Measures
    • Encryption in transit/at rest: We always use end-to-end encryption in transit using industry standard encryption. This includes traffic to end users, as well as internally between data centers and internal / external services. Our public certificates are obtained from an acknowledged certification authority, and we support TLS 1.2 or higher. Additionally, data is encrypted at rest. For datastores, we use a combination of full partition encryption based on LUKS and supplier-provided full disk encryption (AES-256). Backups are also encrypted.
    • RBAC: We implement the principle of least privilege. Different roles are assigned different access rights under management (or system owner) approval necessary to perform their job responsibilities.
    • Vulnerability mgmt: For security monitoring, our main sources of information are Prisma Cloud and Cortex XDR. Our partner NetSecurity helps us with the monitoring and triage of events. Additionally, we work with Intigriti to conduct continuous penetration testing on the Kahoot platform via a Bug Bounty program.
    • Business continuity/DR: We maintain comprehensive Business Continuity and Disaster Recovery plans across all business areas. Our plans address potential disaster scenarios with defined Recovery Time Objectives and Recovery Point Objectives, clear escalation procedures and coordination with our infrastructure providers and sub-processors.
    • Incident response: We have a documented incident management policy. The policy is periodically reviewed and updated. We have procedures for notifications to go out to relevant authorities and customers.

Control your data and user access

  • User controladminister the account and designate roles for teachers and other users to ensure they have the correct accesses and restrictions.
  • Toggle features — if the features are available on your plan, you can choose whether teachers and other users have access to AI, Player ID, reports and open ended questions in the classroom.
  • SSO — use SSO and SCIM to allow users to log in effortlessly and securely, ensuring accuracy and reducing manual processes. Use domain claim to protect your organization and prevent unauthorized use.
  • Deletion — upon termination of a subscription, the deletion process for all organization data, including organization content and game reports, begins automatically within 90 days, as described in our DPA. The owner of the organization will automatically receive an email informing of the deletion process before it occurs.

Legal & compliance

Contacts