// Trust & Security Report

    Promethean (formerly Explain Everything sp. z o.o.) logo

    Promethean (formerly Explain Everything sp. z o.o.)

    Explain Everything (online whiteboard platform for education)

    Certifications held

    7

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR
    HELD

    You own your data and have control over it. We make collection, storage, transfer or use of your data transparent. Even if you're not a EU citizen.

    Verify on explaineverything.com
    CCPA / CPRA
    HELD

    GDPR & CCPA-compliant

    Verify on explaineverything.com
    PCI DSS Level 1 (payment processor)
    HELD

    Your payment details are safe with a validated Level 1 PCI DSS compliant service provider. [via Braintree payment processor — not a first-party Explain Everything certification]

    Verify on explaineverything.com
    FERPA
    HELD

    If your school complies with FERPA and uses Explain Everything Services, you can be reassured it works entirely in accordance with FERPA regulations. We don't collect nor store any personally-identifiable or directory information without consents and permissions.

    Verify on explaineverything.com
    COPPA
    HELD

    We make sure that pupils, especially those who are under 13, are protected when using Explain Everything. We won't collect even limited Children's Personal Information unless it's been contracted with a school, district and/or teacher.

    Verify on explaineverything.com
    SOPPA
    HELD

    As an operator of online services designed also for school purposes, we are SOPPA-compliant and we ensure our Illinois-based partners that we will fulfill all needed requirements.

    Verify on explaineverything.com
    Security Metrics certification
    HELD

    We're certified by Security Metrics in maintaining rigorous data security standards.

    Verify on explaineverything.com
    > Show 3 unconfirmed / not-held certifications
    SOC 2 (own report)
    NOT CONFIRMED

    The security page cites AWS data center SOC2 certification, not an Explain Everything/Promethean first-party SOC 2 report. Quote: 'We store data in AWS data centers and their standards are confirmed by security certificates such as SOC1, SOC2, SOC3, ISO 27018, ISO 27017, ISO 27001, among others.' This is the AWS provider's certification, not the vendor's own audit.

    source: explaineverything.com
    ISO 27001 (own certification)
    NOT CONFIRMED

    ISO 27001 cited belongs to AWS infrastructure, not to Promethean/Explain Everything directly. No first-party ISO 27001 certificate found for the vendor.

    source: explaineverything.com
    HIPAA
    NOT CONFIRMED

    We are not compliant with HIPAA and probably we never will be.

    source: explaineverything.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not stated

    Data region

    United States (AWS, North Virginia). International transfers may occur to Promethean entities in UK and Poland.

    No explicit policy on AI model training found in privacy policy or terms. Terms permit use of 'anonymized data derived from Customer Data for our own purposes, provided that such data will be de-identified and/or aggregated.' AI assessment functionality (powered by Augment Me, Inc.) 'promptly destroys any video' after processing with no data retention. No evidence found that raw user content is used to train AI models. Subprocessors list includes Augment Me, Inc. as the AI provider for learning assessment features.

    // Security controls

    Encryption in transit

    TLS 1.2

    explaineverything.com

    Data hosting

    AWS (North Virginia) - SOC2 certified data center

    explaineverything.com

    Audit logging

    AWS CloudTrail logs all access and changes inside infrastructure

    explaineverything.com

    External security audits

    Regular audits by Test Army (independent auditor) and automated monitoring via Security Scorecard

    explaineverything.com

    SSL rating

    A+ on Qualys SSL Labs SSL Server test

    explaineverything.com

    Patch management

    All web services monitored for updates and security patches using Security Scorecard Audit and AWS tools including Amazon Inspector

    explaineverything.com

    Bug bounty program

    None identified. No HackerOne, Bugcrowd, or public vulnerability disclosure program found.

    explaineverything.com

    Penetration testing

    Periodic independent audits via Test Army, but no formal annual pen-test cadence publicly stated

    explaineverything.com

    Access control

    Only trained employees who signed GDPR declaration can access personal data; all employees sign NDAs and complete GDPR training as part of onboarding

    explaineverything.com

    Payment security

    PCI DSS Level 1 via Braintree; Explain Everything does not store payment card data

    explaineverything.com

    // Products & data scope

    Explain Everything (platform)Online whiteboard / EdTech SaaS

    data: Collects account info (name, email, user type), usage data, user-generated content (whiteboards, videos, assignments). Student data collected only under school/district contracts. Data stored in AWS North Virginia.

    Main product. GDPR, FERPA, COPPA, SOPPA compliant. Not HIPAA compliant. AI assessment feature powered by Augment Me (video analysis, data deleted post-processing). DPA available upon request. Serves 24M+ teachers and students. Now under Promethean brand (acquired, now joining Promethean parent).

    Explain Everything Basics (iOS app)Offline mobile whiteboard app

    data: No personal data collected or transmitted. Only anonymized usage analytics shared. All user content stays on device unless user explicitly exports to third-party services (YouTube, Dropbox, Google Drive).

    Completely offline by default. 'Explain Everything Basics never sends any personal data or created content anywhere.' Separate privacy policy at /privacy-policy-explain-everything-basics/. Very low data risk.

    One.Promethean.ComEnterprise/institutional product

    data: Collects email, name, organization name, login/IP/device data. Same Promethean privacy policy applies.

    Enterprise account management and institutional licensing product. Same data region (US). Details thin in public documentation.

    // What to watch

    • SOC 2 and ISO 27001 listed on the security page belong to the AWS infrastructure provider, NOT to Explain Everything/Promethean as first-party certifications. The vendor presents these correctly under a 'Secure Infrastructure with AWS' heading and attributes them to AWS, so this is transparent rather than misleading; buyers should simply not read them as the vendor's own audited certifications.
    • No bug bounty program or public vulnerability disclosure policy found.
    • No explicit AI model training prohibition in privacy policy; only 'anonymized/aggregated' data use permitted under terms.
    • DPA available only on request, not publicly downloadable.
    • No EU/EEA data residency option found; all data stored in US (AWS North Virginia).
    • HIPAA explicitly not supported — unsuitable for healthcare use cases.
    • Explain Everything is now part of Promethean, which is itself owned by an investor group. Privacy and security policies may evolve post-acquisition. Footer already reads 'Promethean' not 'Explain Everything'.
    • No own SOC 2 Type II report found for Promethean/Explain Everything as a company.

    // At a glance

    Pricing model

    Freemium (free tier available, paid upgrades). Institutional/school pricing via sales contact.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Promethean (formerly Explain Everything sp. z o.o.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    explaineverything.com

    > Browse all vendor trust reports