CommonLit is a nonprofit education technology company whose mission is to “unlock the potential of every child through reading.” Since the company was founded in 2014, over 1 million teachers and 35 million students have used CommonLit’s free and low-cost curriculums and assessments.
But CommonLit’s growth has required them to grapple with all the security and regulatory challenges that come with handling children’s data.
As Geoff Harcourt, CommonLit’s CTO, explains, “There’s a whole constellation of laws and regulations around student data. It’s not quite the level of healthcare or credit card data, but it’s close enough that I think they’re comparable.”
In 2023, Geoff and CommonLit faced an urgent security challenge. Several states passed new legislation that meant CommonLit needed to get SOC 2 certified in order to keep operating there. “We decided this summer that we needed to be SOC 2 compliant before the school year started in the fall,” Geoff says.
That’s a tight deadline to get a 120-person, distributed company on board with a strict and complex compliance standard, especially since they lacked a dedicated IT team to help with the rollout.
Geoff had a lot on his plate. “Getting SOC2 compliance became nearly a full-time job for me…a lot of growth has happened since we’ve become a distributed organization. So pushing out IT stuff, especially to laptops that have already been distributed to team members, is quite complicated.” In particular, showing auditors that CommonLit’s employee and contractor devices were compliant proved to be a challenge.
“The things that came up in our SOC2 audit were: provably verifying that we had hard drive encryption, and that we had antivirus, anti-malware installed.” CommonLit couldn’t prove this with its existing tools, so they started looking for vendors, but they struggled to find a solution that could check device posture without saddling them with unneeded features. “Some of the alternatives that we looked at were telling us that we would have to install antivirus software in our Macs. MacOS has built-in stuff, so we didn’t want to install extra stuff. A package that could let us prove in a programmatic way that the anti-malware software on the Mac was online and working and enabled was really useful.”
Posture checks aside, CommonLit had another core requirement for an endpoint security tool: it had to ensure device posture without crossing the line into bossware.
I think of myself as a computer privacy hawk, so I take that stuff really seriously. The idea of aggressive surveillance of team members’ laptops was not very appealing.
CommonLit has a deep obligation to protect student data, but they wanted to balance it with the obligation to protect the privacy of their employees and contractors.
Finding a vendor that met all CommonLit’s requirements and could be rolled out in time for the audit was starting to feel impossible, until Geoff found Kolide in the integrations catalog of their audit platform.
“Kolide was the only solution we could find that had the right balance of security and user privacy,” says Geoff.
When CommonLit rolled out Kolide, they took care to explain to their team why they needed Kolide, and how they would be using it to get compliant while still respecting privacy.
We gave an all staff presentation where we explained what we were doing. I distributed the Honest Security Manifesto to everyone. In our new employee handout that you get when you get your company laptop, there is a link to the Privacy Center. And we say, ‘Hey, Kolide’s going to be on your computer. This is why we’ve chosen Kolide. This is what it does. These are the promises we’re making as an organization around it.’
Aside from employees, CommonLit has also rolled out Kolide on some contractor devices. “The line we’ve drawn is if you interact with student data or our curriculum IP, you have to have Kolide,” Geoff says.
By adopting Kolide, CommonLit were able to earn their SOC 2 certification while preserving the privacy and trust of their team. “It was not a controversial thing at CommonLit to add it to employee machines,” Geoff says.
And despite the tight deadline, the Kolide rollout hasn’t added to Geoff’s stress level. “It’s been pretty seamless. I really enjoy it…we’ve basically had no issues,” he says. We don’t have an IT team. I want as little distraction or burden from our vendors as possible, and this has allowed us to get the thing that we want without having to invest a ton of time in it, so it’s good.“
Now that CommonLit has gotten their SOC 2 Type I certification, they’re working toward SOC 2 Type II. In the meantime, Geoff is expanding CommonLit’s use of Kolide by adding more Checks, and is even hoping to create some custom Checks during the quieter winter season.
Looking to the future, CommonLit plans to keep expanding its services to more teachers and students, while navigating the ever-changing child privacy laws across different districts.
"I’m looking forward to seeing CommonLit continue to be used in more school districts,” Geoff says. “As far as how Kolide fits into that, we need to be secure and compliant so that we can protect student data and so that we can fulfill the regulatory requirements we have in the various places that we want to serve students.”
Kolide just reduces the burden for us to do that in a way that also allows us to show how deeply we respect employee privacy.