// Trust & Security Report
Promethean (formerly Explain Everything sp. z o.o.)
Explain Everything (online whiteboard platform for education)
Certifications held
7
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on explaineverything.com“You own your data and have control over it. We make collection, storage, transfer or use of your data transparent. Even if you're not a EU citizen.”
Verify on explaineverything.com“Your payment details are safe with a validated Level 1 PCI DSS compliant service provider. [via Braintree payment processor — not a first-party Explain Everything certification]”
Verify on explaineverything.com“If your school complies with FERPA and uses Explain Everything Services, you can be reassured it works entirely in accordance with FERPA regulations. We don't collect nor store any personally-identifiable or directory information without consents and permissions.”
Verify on explaineverything.com“We make sure that pupils, especially those who are under 13, are protected when using Explain Everything. We won't collect even limited Children's Personal Information unless it's been contracted with a school, district and/or teacher.”
Verify on explaineverything.com“As an operator of online services designed also for school purposes, we are SOPPA-compliant and we ensure our Illinois-based partners that we will fulfill all needed requirements.”
Verify on explaineverything.com“We're certified by Security Metrics in maintaining rigorous data security standards.”
> Show 3 unconfirmed / not-held certifications
source: explaineverything.comThe security page cites AWS data center SOC2 certification, not an Explain Everything/Promethean first-party SOC 2 report. Quote: 'We store data in AWS data centers and their standards are confirmed by security certificates such as SOC1, SOC2, SOC3, ISO 27018, ISO 27017, ISO 27001, among others.' This is the AWS provider's certification, not the vendor's own audit.
source: explaineverything.comISO 27001 cited belongs to AWS infrastructure, not to Promethean/Explain Everything directly. No first-party ISO 27001 certificate found for the vendor.
source: explaineverything.comWe are not compliant with HIPAA and probably we never will be.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not stated
Data region
United States (AWS, North Virginia). International transfers may occur to Promethean entities in UK and Poland.
No explicit policy on AI model training found in privacy policy or terms. Terms permit use of 'anonymized data derived from Customer Data for our own purposes, provided that such data will be de-identified and/or aggregated.' AI assessment functionality (powered by Augment Me, Inc.) 'promptly destroys any video' after processing with no data retention. No evidence found that raw user content is used to train AI models. Subprocessors list includes Augment Me, Inc. as the AI provider for learning assessment features.
// Security controls
External security audits
Regular audits by Test Army (independent auditor) and automated monitoring via Security Scorecard
explaineverything.comPatch management
All web services monitored for updates and security patches using Security Scorecard Audit and AWS tools including Amazon Inspector
explaineverything.comBug bounty program
None identified. No HackerOne, Bugcrowd, or public vulnerability disclosure program found.
explaineverything.comPenetration testing
Periodic independent audits via Test Army, but no formal annual pen-test cadence publicly stated
explaineverything.comAccess control
Only trained employees who signed GDPR declaration can access personal data; all employees sign NDAs and complete GDPR training as part of onboarding
explaineverything.comPayment security
PCI DSS Level 1 via Braintree; Explain Everything does not store payment card data
explaineverything.com// Products & data scope
data: Collects account info (name, email, user type), usage data, user-generated content (whiteboards, videos, assignments). Student data collected only under school/district contracts. Data stored in AWS North Virginia.
Main product. GDPR, FERPA, COPPA, SOPPA compliant. Not HIPAA compliant. AI assessment feature powered by Augment Me (video analysis, data deleted post-processing). DPA available upon request. Serves 24M+ teachers and students. Now under Promethean brand (acquired, now joining Promethean parent).
data: No personal data collected or transmitted. Only anonymized usage analytics shared. All user content stays on device unless user explicitly exports to third-party services (YouTube, Dropbox, Google Drive).
Completely offline by default. 'Explain Everything Basics never sends any personal data or created content anywhere.' Separate privacy policy at /privacy-policy-explain-everything-basics/. Very low data risk.
data: Collects email, name, organization name, login/IP/device data. Same Promethean privacy policy applies.
Enterprise account management and institutional licensing product. Same data region (US). Details thin in public documentation.
// What to watch
- SOC 2 and ISO 27001 listed on the security page belong to the AWS infrastructure provider, NOT to Explain Everything/Promethean as first-party certifications. The vendor presents these correctly under a 'Secure Infrastructure with AWS' heading and attributes them to AWS, so this is transparent rather than misleading; buyers should simply not read them as the vendor's own audited certifications.
- No bug bounty program or public vulnerability disclosure policy found.
- No explicit AI model training prohibition in privacy policy; only 'anonymized/aggregated' data use permitted under terms.
- DPA available only on request, not publicly downloadable.
- No EU/EEA data residency option found; all data stored in US (AWS North Virginia).
- HIPAA explicitly not supported — unsuitable for healthcare use cases.
- Explain Everything is now part of Promethean, which is itself owned by an investor group. Privacy and security policies may evolve post-acquisition. Footer already reads 'Promethean' not 'Explain Everything'.
- No own SOC 2 Type II report found for Promethean/Explain Everything as a company.
// At a glance
Pricing model
Freemium (free tier available, paid upgrades). Institutional/school pricing via sales contact.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Promethean (formerly Explain Everything sp. z o.o.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
explaineverything.com