Prakto listed on CSA STAR Level 1 — security and GDPR, transparent

12 Jun 2026

OptiTech Sverige AB, the company behind the work-based learning platform Prakto, is, as of 9 June 2026, listed in the Cloud Security Alliance STAR Registry with a published CSA STAR Level 1 self-assessment (CAIQ v4.1.0). The full security and privacy posture is now documented openly for schools and companies that need to review us as a vendor.

CSA STAR Level 1 is a self-assessment in which the cloud vendor publicly discloses how it handles cloud, security and privacy controls under the Cloud Controls Matrix (CCM) framework. It is one of the most established transparency tools in the cloud industry and is used by buyers worldwide to compare SaaS providers.

Why this matters for Swedish schools and companies

Prakto is an EdTech platform that processes student data — often data about minors. In that context, claiming to "take security seriously" is not enough. Schools procuring a digital tool, and companies hosting interns, need to see exactly how the vendor protects the data, where it is stored, and what rights the data subjects have.

CSA STAR Level 1 provides that visibility in a standardised format. For Prakto, the listing is a way to answer security questions before they are asked — instead of mailing different answers to different customers.

What our CAIQ documents

The self-assessment covers the entire control surface of Cloud Controls Matrix v4.1. The most important points from a Swedish school and company perspective:

  • EU data residency — primary data is hosted in Frankfurt, inside the EU.
  • Encryption in transit and at rest — TLS with HSTS across the platform, encryption of data at rest.
  • Column-based multi-tenant isolation — each school and company has its own logical separation, with role-based access control (RBAC) enforced on the server, not the client.
  • GDPR-aligned processing — lawful basis per purpose, data minimisation, processes for data-subject rights, and a Data Processing Agreement (DPA) available to schools and companies.
  • PII redaction before any third-country AI processing — before any free-text field is sent to an AI service outside the EU/EEA, personal data is removed. This is our practical implementation of Schrems II.
  • Distributed rate limiting and audit logging — to prevent abuse and enable traceability.
  • PII-scrubbed error monitoring — Sentry error reports pass through an aggressive scrubber so personal data never lands in logs.

In short: what is the difference between STAR Level 1 and Level 2?

CSA STAR Level 1 is a self-assessment. The vendor fills in the CAIQ and publishes the answers publicly. It is voluntary, transparent and free to read.

CSA STAR Level 2 is an independent certification where a third party reviews and confirms the answers, often combined with ISO/IEC 27001 or SOC 2.

Our current listing is Level 1. This is a deliberate first step: we publish our posture openly now so schools and companies can review us directly, while we continue to mature the controls toward Level 2.

How to use the listing in your procurement

If you are a school, education provider or company evaluating Prakto as a vendor, you can:

  1. Download our CAIQ directly from the CSA STAR Registry.
  2. Use it to answer security and GDPR questions in your vendor assessment.
  3. Request our DPA to cover the legal layer.
  4. Reach out to us for any question that the CAIQ does not cover.

For many schools, CAIQ plus DPA is enough to complete the vendor review.

What this means for the Prakto roadmap

The listing is not an endpoint. We treat security, privacy and responsible AI as core requirements in the product — not as a separate department. In practice, that means we:

  • run security and GDPR reviews continuously,
  • keep our CAIQ up to date as the platform evolves,
  • build new AI features with PII redaction by default, not as an option,
  • and evaluate the next steps toward STAR Level 2 and related frameworks.

Frequently asked questions

Is Prakto GDPR-compliant?

Yes. Prakto is built according to GDPR, with a lawful basis per processing purpose, data minimisation, processes for data-subject rights, and a DPA signed with schools and companies.

Where is the data in Prakto stored?

Primary data is stored in Frankfurt, inside the EU.

Is student data sent to AI services outside the EU?

Only after PII redaction. Personal data is removed from free text before anything is sent to an AI provider in a third country, in line with Schrems II.

What is CSA STAR Level 1?

A self-assessment in which the cloud vendor publicly discloses its security and privacy controls under the Cloud Controls Matrix. It is published in the CSA STAR Registry and can be used by customers during procurement.

Where can I find Prakto's CAIQ?

In the CSA STAR Registry under OptiTech Sverige AB / Prakto. You can also request it directly from us.

Conclusion

The CSA STAR Level 1 listing is a concrete step in how we want to run Prakto: open, reviewable, and with security as the default rather than a marketing line. For schools and companies choosing an internship platform, it means a large part of the vendor review is already published and ready to read.

Want to know more? Read our GDPR guide for schools and companies or how we think about AI and internship matching.
