FUTURELEARN LIMITED

Education

Jointly owned by The Open University and SEEK, FutureLearn is a leading social learning platform transforming access to education. FutureLearn partners with over a quarter of the world’s top universities, private and public sector organisations providing globally accessible online learning solutions through short courses, microcredentials, ExpertTracks, undergraduate and postgraduate degrees.

Features

  • Course Creator Tool
  • Lead Generation Tool
  • Learning Manager
  • Learner Data and Analytics
  • LTI Integrations
  • SSO functionality (SAML 2.0)
  • Hosted on AWS

Benefits

  • Revenue generation and sharing
  • Expand global reach
  • Access to FutureLearns existing partner network
  • Unlock digital innovation
  • CPD courses for staff
  • Create short courses and credit bearing courses
  • Courses can be taken by our millions of learners

Pricing

£12,000 a licence a year

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at harminder.matharu@futurelearn.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

8 3 9 4 8 2 9 0 5 5 9 8 9 7 9

Contact

FUTURELEARN LIMITED Partnerships and Development
Telephone: +44 7540887877
Email: harminder.matharu@futurelearn.com

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
Users of the platform create FutureLearn accounts that are their own, and they are able to sign up for courses that belong to other organisations than the one that originally invited them onto a short-course. We do not disclose what courses learners take outside of their organisation.
System requirements
  • There are no application files installed on the client-side device.
  • Our browser requirements can be found here: https://www.futurelearn.com/info/browser-support

User support

Email or online ticketing support
Email or online ticketing
Support response times
9.00am - 5.00pm on business days (Monday - Friday).
Response time 1-2 business days

No service on weekends or UK bank holidays.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
No
Support levels
There are 3 main sources of support for partners while working with FutureLearn:

Partners site - a help centre where you can find guidance on building and running courses.

Partnership Manager - Assigned to a standard partner. FutureLearn will set up a regular call between your Partnership Manager and the Project Lead at your institution / organisation.

Partner support email (partnersupport@futurelearn.com) where all partners can receive support on subjects like Course Creator functionality, account permissions, technical issues and course notices.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
1. Induction
a. Access to the Partner Website;
b. Access to the FutureLearn Course, “How to make a great FutureLearn Course”;
c. Induction workshop covering an introduction to FutureLearn, course design and the course delivery process.

2. Dedicated FutureLearn partnership manager who will provide the following:
a. Reasonable access to advice on course selection and scheduling;
b. Reasonable access to advice on best practice to ensure successful learning outcomes;
c. Quality Assurance of the Courses to ensure they comply with the Course Criteria;
d. Sharing case studies and other insights from the wider FutureLearn partnership; and
e. Provision of updates on the Platform and other strategic developments.

3. Partner support service
a. Access to the FutureLearn support service via an email “ticketing” system for any support queries.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
Partners who create and run courses always have enrollment data available to them to export when needed. Course content can be exported by our technical support team. Because a learner’s FutureLearn account belongs to the learner and not the partner, we do not extract or remove learner accounts once the partner’s contract ends.
End-of-contract process
FutureLearn has automated processes for exporting and/or deleting learner data.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
FutureLearn is fully mobile optimised and available across any device. FutureLearn will ensure that the platform is configured for all major devices and is kept up to date with new developments.
Service interface
No
API
No
Customisation available
No

Scaling

Independence of resources
FutureLearn platform has been architected to respond to load presented by learner and partner access to the platform. CloudWatch collects metrics from all the other AWS services, and lets us graph and monitor them. These metrics include things like how much disk/IOPS/CPU a server is using and other important measures.

CloudWatch lets you set actions to perform if the metric is over some threshold for a set time period. For metrics we want to be alerted about, we send notifications to the #ops channel in Slack, and direct to PagerDuty for urgent alerts.

Analytics

Service usage metrics
Yes
Metrics types
Datasets are generated nightly by the platform from course start up until two weeks after it ends, covering activity up until the end of the day. The ‘enrolments’ dataset is generated nightly as soon as the course opens for enrolments, and continues to be generated indefinitely. These datasets available securely on the course dashboard for download.

Datasets take the form of CSV.

Course run measures include - number of enrolments on users courses. Revenue generate. Course Retention rate.

Datasets also include learner demographics like age, gender, and geographic location.
Reporting types
  • Real-time dashboards
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
None

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
European Economic Area (EEA)
User control over data storage and processing locations
No
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Learners can request their data from the support team.
Learners can delete their own accounts, which will remove all non-anonymised data from our systems within 48 hours
Data export formats
CSV
Data import formats
Other

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
While we do not include a level of availability in our contracts, FutureLearn’s availability on average is >99%
Partners are notified in advance of any planned activities that could impact availability.
Approach to resilience
Critical systems implement high-availability features including multi-availability zone tenancy, redundancy where possible, and live failover systems for key datastores.

We use Cloudflare to mitigate the risk of DDoS attacks.

Our servers are inside a VPC which is only accessible via our VPN, server security patches are automatically applied nightly and we use AWS GuardDuty to monitor access and usage of our systems.

FutureLearn provides incident management support during business hours (9 am to 5 pm) Monday to Friday.

FutureLearn has documented Business Continuity Plans and Disaster Recovery procedures, which are tested quarterly. Our Recovery time objective (RTO) is 24 hours from the invocation of the plans.
Outage reporting
We have a public status page (https://status.futurelearn.com/), where it’s also possible to subscribe to email alerts.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Username or password
  • Other
Other user authentication
We require strong passwords for anyone with elevated access, and two-factor authentication for anyone with admin access.
Access restrictions in management interfaces and support channels
We have varying levels of authentication requirements for different permission levels. Admin accounts require a strong password and multi-factor authentication. Partner accounts with elevated permissions (e.g. course content authors) require a strong password.
Access to third party services is via accounts assigned to named individuals, with multi-factor authentication enforced when appropriate, and with access levels minimised according to user need.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Between 1 month and 6 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 1 month and 6 months
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Accredited by the BSI Group
ISO/IEC 27001 accreditation date
Accreditation date: 11/01/2022 Certificate no IS752207
What the ISO/IEC 27001 doesn’t cover
Everything is covered by our ISO27001 certification. Our information security management system (ISMS) covers the whole of FutureLearn and all 114 controls are applicable.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
Yes
Who accredited the PCI DSS certification
Self-Assessed
PCI DSS accreditation date
Jan 2020
What the PCI DSS doesn’t cover
FutureLearn outsources its payment processes to PCI DSS certified payment providers; we complete SAQ-A.
Other security certifications
Yes
Any other security certifications
  • Cyber Essentials Certified
  • Cyber Essentials Plus (IASME-CEP-005400)

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
No
Security governance approach
FutureLearn has developed an ISMS aligned with the requirements of ISO27001.

We have a dedicated InfoSec team who is responsible for the development, implementation and continual improvement of the ISMS.

All 114 controls from Annex A are considered applicable.
Information security policies and processes
FutureLearn’s ISMS is documented and aligned with the documentation requirements of ISO27001.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
FutureLearn follows the DevOps process using an Agile methodology. Proposed work is reviewed by product leadership at the design and implementation phase. New feature work, security and data protection requirements are accounted for when determining acceptance criteria, and checked at code review and QA time as part of our standard development process. FutureLearn is built on Rails, which provides secure defaults using a framework covering OWASP Top Ten. Formal systems of code review ensures that such vulnerabilities are not inadvertently introduced. We automatically deploy to AWS from a centralised CI instance to which access is locked to our internal network.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Our endpoints are scanned regularly using Qualys VMDR. Patches are applied in line with the requirements of Cyber Essentials.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We use AWS Guardduty to monitor access and usage of our systems.
Incident management type
Supplier-defined controls
Incident management approach
We have a documented incident management process which provides detailed instructions on how to identify the seriousness of an incident, who to involve and how to report it both internally and externally.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Pricing

Price
£12,000 a licence a year
Discount for educational organisations
Yes
Free trial available
No

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at harminder.matharu@futurelearn.com. Tell them what format you need. It will help if you say what assistive technology you use.