Compliance Certifications & Audits
Everything you need to know about Compliance Certifications & Audits in Acorn PLMS.
FERPA, HIPAA & Industry-Specific Regulations
Different sectors face distinct compliance challenges. Education institutions must adhere to the Family Educational Rights and Privacy Act (FERPA), while healthcare organisations navigate the Health Insurance Portability and Accountability Act (HIPAA) and associated Business Associate Agreements (BAAs). Other industries have their own regulatory frameworks requiring careful data handling, security controls, and audit capabilities.
Acorn PLMS is engineered to accommodate these varied requirements through a combination of robust infrastructure, continuous monitoring, and scalable resource management that supports your compliance posture over time.
Continuous System Monitoring and Capacity Planning
Compliance isn't a one-time configuration—it's an ongoing responsibility. Your organisation needs confidence that your learning management system can reliably support your operations year after year.
Acorn conducts annual reviews of system resources to ensure adequate capacity is maintained at all times. Beyond these scheduled reviews, Acorn's systems are monitored 24/7 to detect and address capacity concerns before they impact your users or create compliance risks. This proactive approach means you can focus on your core mission while Acorn's infrastructure team continuously ensures your system remains performant and reliable.
Regular capacity-planning reviews facilitate close alignment with your organisation's growth trajectories, so your LMS scales appropriately as your user base and data volumes increase.
Scalability Without Compromise
Regulatory compliance requires that your system maintains consistent performance and security posture as your organisation grows. Acorn is built upon a foundation of scalability and performance that accommodates up to a 100% increase in data size without any degradation in system usability or response time.
This scalability is achieved through several key architectural components:
Distributed Architecture
Acorn spreads your data load across multiple servers and nodes, preventing any single point of failure and ensuring resources are used efficiently as your organisation expands.
Load Balancing
Intelligent distribution of user requests across available resources ensures consistent performance regardless of demand spikes. This is implemented at every layer of the platform.
Optimized Database Management
Acorn's database systems are designed to manage double your current data capacity while maintaining rapid query responses, critical for compliance audits and reporting requirements.
Elastic Cloud Integration
Hosted on AWS, Acorn's infrastructure scales resources up or down automatically based on demand. Your organisation pays for what you use, and the system expands seamlessly as you grow.
Advanced Caching
Layered caching mechanisms with fast-access memory caches reduce latency and database load, maintaining system responsiveness even under heavy usage.
Regular Performance Tuning
Ongoing performance audits and fine-tuning exercises ensure your system operates at peak efficiency. This proactive optimization helps maintain compliance requirements around system reliability and audit trail accuracy.
Cloud-Native Architecture for Reliability
Acorn's cloud-native, microservices-based architecture dynamically adjusts resources to meet fluctuating demand. Built-in redundancy and automated failover mechanisms preserve continuous uptime—essential when regulatory audits and reporting deadlines require uninterrupted access to your system.
Ongoing monitoring and observability tools enable proactive optimisation, allowing Acorn's team to identify and address potential issues before they affect your organisation.
Supporting Your Audit and Compliance Obligations
Your organisation likely faces regular compliance audits and regulatory reviews. Acorn's scalable infrastructure and continuous monitoring provide a stable foundation for these compliance activities. With AWS-hosted infrastructure serving hundreds of thousands of users across hundreds of tenancies and cohorts, Acorn's architecture and scalability should not be a compliance concern for your assessors.
This means your compliance team can focus on regulatory requirements specific to your sector, knowing that the underlying platform infrastructure is secure, scalable, and continuously monitored to support your compliance obligations.
Planning for Long-Term Growth
Compliance frameworks often extend planning horizons to multiple years. Your LMS must not only meet current regulatory requirements but also support your organisation's anticipated growth over the next two to five years without requiring major infrastructure changes that could introduce compliance risks.
Acorn's annual capacity reviews, combined with continuous 24/7 monitoring, ensure adequate resources are maintained at all times. This approach means your organisation can confidently plan growth initiatives knowing your learning management system will scale appropriately while maintaining the security, performance, and audit capabilities required by your regulatory framework.
Next Steps
If you have specific compliance requirements related to FERPA, HIPAA, or other industry regulations, contact Acorn's compliance team to discuss your organisation's needs and how Acorn can support your regulatory obligations.
GDPR & International Privacy
GDPR & International Privacy Compliance
Your organization's compliance with EU data protection regulations and international privacy standards is central to Acorn PLMS's infrastructure design. This article outlines how Acorn handles data protection, backup strategies, and recovery procedures to support your GDPR obligations and broader regulatory requirements.
Data Protection Through Comprehensive Backup Strategy
Acorn maintains a documented and multi-layered backup and restoration strategy designed to protect your learning data while meeting stringent compliance standards. Rather than relying on a single backup method, Acorn uses a tiered approach that categorizes data by criticality and recovery requirements.
Your data is protected across multiple layers: core data (stored in AWS Relational Database Service), file storage (managed through AWS Elastic File System), configuration settings, event logs, and codebase components. Each component is backed up according to its importance and your organization's recovery needs.
Tiered Backup Schedule
Acorn performs backups on a carefully balanced schedule to ensure both rapid recovery capabilities and long-term data preservation:
- Core data and file storage are backed up twice daily, with additional daily and monthly snapshots retained for extended periods
- Event logs are backed up every 12 hours and daily, with monthly archiving to support audit trails and compliance investigations
- Configuration and codebase components are included in the comprehensive backup coverage to ensure complete system restoration when needed
This tiered approach ensures you have short-term recovery options for immediate incidents, medium-term disaster protection for regional outages, and long-term compliance with data retention policies required by GDPR and other regulations.
Long-Term Data Retention for Regulatory Compliance
Acorn PLMS maintains long-term data backups for up to 7 years, supporting both your organization's internal data governance policies and external regulatory requirements. These extended retention periods support GDPR data subject access requests, regulatory audits, and historical compliance verification.
Backups are retained in accessible formats to ensure they can be restored quickly when required for audit purposes or data recovery scenarios. Your organization retains full control over how this historical data is accessed and used, with backups designated solely for auditing and data recovery purposes.
Secure Offsite Storage and Geographic Redundancy
Understanding that data localization and geographic redundancy are critical to international privacy compliance, Acorn stores backups not only in your primary AWS region but also copies them to a secondary AWS region within the same country or jurisdiction. This approach protects your data against regional infrastructure failures while respecting data residency requirements that may apply to your organization.
By leveraging AWS's infrastructure, Acorn ensures that your backup data is:
- Stored securely in multiple geographic locations
- Protected by AWS's encryption and access controls
- Subject to the same security standards as your primary data
- Compliant with data localization requirements in your jurisdiction
This geographic redundancy means your organization can maintain service continuity and data integrity even in the event of a significant regional incident.
Automated Backup and Restore Capabilities
Acorn automates backup creation and monitoring processes to eliminate manual errors and ensure consistent data protection. Automated processes work continuously to capture your data according to the tiered schedule, with backups securely stored using AWS services optimized for different retention periods:
- Short-term backups are stored in AWS RDS snapshots and S3 for rapid recovery
- Medium-term backups are maintained for disaster recovery scenarios
- Long-term backups are archived in Amazon S3 Glacier storage classes for cost-effective 7-year retention
When data recovery is needed, your organization can choose between automated and manual restoration processes. Automated recovery enables quick restoration of recent data, while manual processes support selective data recovery—allowing you to restore specific components, date ranges, or user records as needed for audit or compliance purposes.
Regular review and monitoring of backup operations ensure the system continues to meet your organization's recovery objectives and compliance requirements.
Supporting Your GDPR Obligations
Acorn's backup and recovery infrastructure directly supports your organization's GDPR compliance obligations:
- Data Subject Access Requests (DSARs): Long-term retention and selective recovery capabilities enable you to quickly locate and provide user data when requested
- Audit Trails: Event log backups taken every 12 hours preserve audit trails for compliance investigations (the backup interval also bounds how much recent log data a restore from backup could lose, so treat the live logging pipeline, not the backup, as the primary audit record)
- Data Integrity: Regular automated backups protect against accidental deletion or corruption, supporting your accountability obligations
- Business Continuity: Redundant offsite storage and automated recovery ensure your learning platform remains available to serve your users
Your organization does not need to manage backup infrastructure directly. Acorn handles all backup creation, monitoring, and storage through its documented procedures and AWS infrastructure. However, you should:
- Understand your organization's specific data retention requirements and align them with Acorn's 7-year retention policy, including how GDPR storage-limitation and erasure obligations (Articles 5(1)(e) and 17) are met for personal data that persists in backups after it has been deleted from the live system
- Document your data recovery procedures and test them periodically to ensure they meet your recovery time objectives
- Maintain records of backup and restoration activities for audit purposes
- Coordinate with Acorn if you require backups for a specific compliance investigation or data subject request
For detailed technical specifications regarding backup infrastructure and disaster recovery procedures, please refer to the Acorn Backup Plan documentation.
Conclusion
Acorn PLMS's comprehensive backup strategy, long-term retention policies, and geographic redundancy provide your organization with the data protection infrastructure needed to meet GDPR and international privacy requirements. By combining automated backup processes with secure offsite storage and multi-region geographic distribution, Acorn ensures your learning data remains protected, recoverable, and compliant with regulatory obligations.
ISO 27001 & IRAP: Compliance Certifications & Audits
ISO 27001 & IRAP Compliance Overview
If your organisation is pursuing ISO 27001 certification or undergoing Australian government IRAP (Information Security Registered Assessors Program) assessment, you need a Learning Management System vendor that demonstrates robust security controls, operational resilience, and transparent governance.
Acorn PLMS has been designed with compliance requirements in mind. This article outlines how Acorn's infrastructure, uptime commitments, monitoring systems, and incident response protocols support your compliance objectives.
Service Level Agreements & Uptime Guarantees
Platform Availability Commitment
Acorn PLMS maintains a minimum 99.6% uptime as stated in the Service Level Agreement (SLA). This commitment excludes agreed maintenance windows and is actively monitored to ensure consistent performance. In practical terms, 99.6% permits roughly 35 hours of unplanned downtime per year, so compare it against your own recovery time objectives. Your organisation can rely on Acorn's platform for critical learning and compliance activities without undue risk of service interruption.
Historically, Acorn has exceeded this target, consistently delivering 99.99% uptime. This level of availability demonstrates the platform's operational maturity and your vendor's commitment to service continuity.
For the complete SLA terms, response times, and support escalation procedures, refer to the official Service Level Agreement documentation.
Response Times Based on Incident Severity
Acorn's SLA framework includes guaranteed response times aligned to incident severity levels. Critical incidents trigger immediate notifications and prioritised recovery actions, ensuring swift resolution and minimal business disruption. This structured incident response workflow supports your compliance obligations and demonstrates vendor accountability to auditors and assessors.
High-Availability Infrastructure
Architecture for Resilience
Acorn PLMS operates on a multi-AZ, load-balanced architecture with health checks and automated failover capabilities. This design ensures that your organisation's data and platform access remain available even during primary system failures.
Key infrastructure components include:
- Database and file storage mirroring to prevent data loss and enable rapid recovery
- AWS auto-scaling and load balancing to distribute traffic and handle demand spikes
- Geographically redundant backups to protect against regional outages or disasters
The resilience of the underlying hosting facilities is described by the Uptime Institute Tier classification, which many compliance frameworks reference when evaluating data centre infrastructure quality; note that the tier classification covers the physical data centre (power, cooling, facility redundancy), while the multi-AZ, failover and backup design above provides the application-layer redundancy on top of it.
Business Continuity & Disaster Recovery
Acorn maintains a formal Business Continuity and Disaster Recovery (BCDR) Plan that addresses a broad variety of events that could impact platform availability. The plan includes documented protocols for handling security incidents and data breaches, ensuring that any problems are resolved promptly and effectively.
Your compliance assessors will appreciate Acorn's proactive approach to continuity planning—it demonstrates that your vendor has considered realistic scenarios and maintains readiness for crisis situations.
Proactive Monitoring & Alert Systems
End-to-End System Visibility
Acorn employs proactive, end-to-end monitoring to identify and address issues before they affect your users. The monitoring framework includes:
- Infrastructure metrics to track hardware, network, and resource utilisation
- Application performance monitoring (APM) to detect performance degradation
- Logs and traces for detailed visibility into system behaviour and troubleshooting
- Synthetic checks to simulate user transactions and catch issues from an external perspective
This comprehensive monitoring strategy enables Acorn's operations team to identify potential problems early and take corrective action proactively.
Alerting & Escalation Policies
Monitoring data feeds into alerting systems with severity thresholds and escalation policies aligned to your availability and SLA targets. When thresholds are breached, alerts are automatically escalated according to defined runbooks, ensuring that the right people are notified at the right time.
For your compliance audit, this demonstrates that Acorn operates a mature incident detection and response process—not relying on users to report problems, but actively hunting for issues.
Compliance Documentation & Assessor Requirements
Data Centre Tier Level Documentation
During IRAP assessments and ISO 27001 audits, assessors often request evidence of data centre infrastructure quality via the Uptime Institute Tier Level classification. This standardised framework (Tier I through Tier IV) helps your organisation and auditors understand the resilience and redundancy characteristics of your vendor's hosting environment.
Acorn can provide this documentation as part of your compliance review process.
Security Incident & Data Breach Protocols
Acorn's commitment to functionality and uptime is paired with robust security incident and data breach protocols. When issues occur, whether operational or security-related, Acorn's procedures ensure:
- Rapid detection through continuous monitoring
- Swift response via escalation runbooks and incident commanders
- Effective resolution with documented recovery procedures
- Transparency in communicating status and timeline with customers
These protocols support the incident management and business continuity controls of ISO 27001 and the incident response requirements assessed under IRAP against the Australian Government Information Security Manual (ISM). Assessors will still expect evidence that the procedures have been exercised, such as incident records or test reports, not only the written protocol.
Accessing Acorn's SLA & Security Documentation
To review the full details of Acorn's Service Level Agreement, uptime guarantees, and supporting security documentation, your organisation should consult the official SLA resource. This document contains specific response time targets, support channels, escalation procedures, and terms and conditions.
Next Steps
When preparing for ISO 27001 certification or IRAP assessment:
- Request the SLA documentation and review uptime guarantees against your organisational requirements
- Ask for data centre tier level certification and infrastructure redundancy details
- Understand incident response workflows to confirm Acorn's protocols align with your compliance framework
- Document Acorn's BCDR plan in your own risk and compliance registers
- Include SLA commitments in your vendor management governance processes
Acorn's infrastructure, monitoring, and incident response capabilities are designed to support your compliance objectives. By partnering with a vendor that prioritises security, availability, and operational transparency, you strengthen your own compliance posture and reduce audit friction.
PCI DSS Compliance in Acorn PLMS
PCI DSS Compliance Overview
The Payment Card Industry Data Security Standard (PCI DSS) is a mandatory compliance framework established by major payment card brands including Visa, Mastercard, American Express, Discover, and JCB. If your organisation processes, stores, or transmits payment card data, whether through eCommerce transactions, subscription billing, or other payment processing activities, you are required to maintain PCI DSS compliance.
Failure to meet PCI DSS requirements can result in significant financial penalties, reputational damage, and legal liability. Understanding your compliance obligations and implementing appropriate safeguards is essential for protecting your organisation and your customers' sensitive payment information.
Understanding PCI DSS Requirements
PCI DSS comprises 12 core requirements organised across six foundational categories:
Network Security
Your organisation must establish and maintain a secure network architecture that protects cardholder data from unauthorised access. This includes implementing firewalls, segmenting networks, and maintaining secure configurations across all systems that store or process payment card information.
Data Protection
Payment card data must be protected both in transit and at rest through encryption and other security controls. Your systems should render cardholder data unreadable and unusable by unauthorised parties through appropriate cryptographic methods.
Vulnerability Management
Regular security assessments, vulnerability scanning, and penetration testing are required to identify and remediate security weaknesses. Your organisation must maintain up-to-date systems with the latest security patches and maintain an inventory of all systems that store or process cardholder data.
Access Control
Strict access controls must limit cardholder data access to authorised personnel only. Your organisation should implement role-based access controls, strong authentication mechanisms, and regular access reviews to ensure users only retain necessary permissions.
Monitoring and Testing
Continuous monitoring, logging, and regular testing of security systems are mandatory. Your organisation must maintain audit trails of all access to cardholder data and conduct regular security testing to verify the effectiveness of your security controls.
Security Policies
Your organisation must develop and maintain comprehensive security policies and procedures that address all PCI DSS requirements. These policies should be communicated to all staff, regularly reviewed, and updated to reflect changes in your environment or threat landscape.
Acorn PLMS and PCI DSS Compliance
Acorn PLMS is designed with security and compliance as foundational principles. If your organisation uses Acorn PLMS in an environment where payment card data may be processed or stored, you can rely on robust security infrastructure to support your compliance efforts.
AWS Well-Architected Review
Acorn PLMS infrastructure has undergone a comprehensive external AWS Well-Architected Review, conducted by an independent AWS-accredited reviewer. This review evaluated the system against AWS's Well-Architected Framework, which assessed cloud infrastructure across five pillars at the time: operational excellence, security, reliability, performance efficiency, and cost optimisation (AWS added a sixth pillar, sustainability, in December 2021; confirm with Acorn whether it was in scope).
The review process identified recommended remediations to strengthen the platform's security posture and architectural resilience. Acorn has implemented all recommended remediation measures to ensure the platform maintains industry best practices for secure cloud infrastructure. This proactive approach demonstrates Acorn's commitment to maintaining the highest security and compliance standards.
Implementing PCI DSS with Acorn PLMS
When using Acorn PLMS within a payment processing environment, your organisation maintains responsibility for overall PCI DSS compliance. However, Acorn's secure infrastructure provides a foundation upon which you can build compliant systems.
Best Practices for Your Organisation
Conduct a Compliance Assessment: Determine your organisation's PCI DSS compliance level (Level 1, 2, 3, or 4) based on the volume of payment transactions you process. This assessment will define your specific compliance obligations and audit requirements.
Implement Network Segmentation: Isolate systems that store or process cardholder data from other systems within your network. This reduces the scope of systems requiring PCI DSS validation and limits the potential impact of a security breach.
Maintain Strong Access Controls: Implement role-based access control within Acorn PLMS to ensure users can only access payment-related data necessary for their job functions. Regularly audit user access and remove unnecessary permissions promptly.
Enable Monitoring and Logging: Ensure comprehensive logging is enabled for all access to sensitive data within Acorn PLMS. Regularly review logs for unusual activity and maintain appropriate retention periods as required by PCI DSS standards.
Conduct Regular Training: Ensure all staff members who interact with payment card data receive regular security awareness training specific to PCI DSS requirements and your organisation's security policies.
Document Security Controls: Maintain detailed documentation of all security controls implemented within your Acorn PLMS environment, including configuration details, access control matrices, and evidence of monitoring activities.
Compliance Responsibility
While Acorn PLMS provides secure infrastructure and supports compliance efforts, your organisation remains ultimately responsible for achieving and maintaining PCI DSS compliance. You should:
- Conduct appropriate risk assessments specific to your environment
- Document your compliance programme and security measures
- Engage a Qualified Security Assessor (QSA) to validate compliance where your merchant level requires an on-site assessment, or complete the applicable Self-Assessment Questionnaire (SAQ) where your level permits self-assessment
- Maintain compliance through annual assessments and ongoing monitoring
- Respond promptly to any security incidents or compliance violations
If you are implementing payment processing through Acorn PLMS, consult with your compliance officer or a qualified security assessor to develop a comprehensive compliance programme tailored to your organisation's specific requirements and risk profile. For technical questions regarding Acorn PLMS security features, contact your system administrator or Acorn support.
SOC 2 Type II: Annual Independent Assessment of Security Controls and Operational Effectiveness
Understanding SOC 2 Type II Certification
SOC 2 Type II is an independent audit report (an AICPA attestation, commonly referred to as a certification) that validates Acorn PLMS's security controls and their operating effectiveness over an extended period. Unlike SOC 2 Type I, which assesses control design at a single point in time, Type II evaluates both the design and the operating effectiveness of Acorn's controls throughout a full audit period, typically 12 months.
This certification is critical for organisations that handle sensitive data and need assurance that their cloud service providers maintain robust security practices. When you use Acorn PLMS, you benefit from this annual independent verification that security controls are not only documented but consistently implemented and effective.
Why SOC 2 Type II Matters for Your Organisation
SOC 2 Type II certification provides your organisation with third-party validation that Acorn PLMS maintains industry-standard security controls. This is particularly important if your compliance requirements or customer expectations demand proof of comprehensive security practices. The annual assessment ensures that controls remain effective year-round, giving you ongoing confidence in how Acorn protects your data.
Acorn's Cloud Infrastructure and Security Posture
Hosting Architecture
Acorn PLMS is hosted entirely in the cloud using Amazon Web Services (AWS). Acorn operates in several AWS geographic regions so that each customer's deployment and data can be placed in the region that matches its data residency requirements. This multi-region footprint enables Acorn to serve customers across diverse regulatory environments while maintaining high availability and performance.
Currently, Acorn maintains AWS data regions in:
- Australia (Sydney, ap-southeast-2)
- East US (Northern Virginia, us-east-1)
- Europe (London, eu-west-2)
- Canada (Central, ca-central-1)
For customers based in the United States, your data is stored in the us-east-1 AWS region in Northern Virginia. This geographic flexibility allows your organisation to meet specific data residency requirements while leveraging AWS's global infrastructure.
Data Centre Security Standards
Acorn is hosted in data centres operated by AWS, one of the world's leading cloud service providers. Note that in the Uptime Institute classification referenced elsewhere on this page, Tier I is the basic level (no redundancy) and Tier IV the highest, so a "Tier 1" label on its own does not indicate redundant infrastructure. For evidence of physical security, environmental controls and facility redundancy, rely on the data centre documentation Acorn provides and on AWS's own SOC 2 and ISO 27001 reports.
To ensure that hosting security aligns with your expectations, Acorn examines AWS's ISO 27001 scope and SOC 2 reports annually. This annual review process confirms that AWS's security procedures remain aligned with Acorn's internal protocols and industry best practices. By conducting this regular assessment, Acorn ensures that the foundational security of your infrastructure continues to meet certification requirements.
Data Protection and Backup Strategy
Backup and Recovery
Your data protection is built into Acorn's operational procedures. Backups are performed on a daily, weekly, and monthly schedule to ensure that your organisation can recover from potential data loss scenarios. All backup data is stored within Acorn's infrastructure on AWS, maintaining consistency with your primary data location.
Backup data is stored in a separate AWS account and region from your primary data, with encryption and access separation applied throughout. For critical datasets, S3 Object Lock is enabled so that backup objects are immutable for their retention period and cannot be deleted by accident or by a compromised principal. Broader Write-Once-Read-Many (WORM) retention policies can be enabled to meet specific compliance requirements; when requesting these, confirm the retention mode (compliance mode cannot be shortened by any principal, while governance mode can be bypassed by a principal holding the bypass permission) and the default retention period applied to new backup objects.
This multi-layered backup approach ensures business continuity while maintaining the security and integrity of your data across multiple physical locations.
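As an added example (not Acorn's code or documentation), the following Python script evaluates an S3 Object Lock configuration, in the shape returned by `aws s3api get-object-lock-configuration`, against a minimum retention requirement. It flags the failure modes that matter for WORM backups: Object Lock absent, no default retention rule (only objects written with explicit retention headers are protected), governance mode (bypassable with `s3:BypassGovernanceRetention`), and a default retention shorter than the policy. The sample configurations are constructed for illustration, and the 365-day year used to normalise a `Years` value is an assumption made for the comparison only.

```python
"""Check an S3 Object Lock configuration against a WORM retention requirement.

The input dict has the shape of the "ObjectLockConfiguration" value returned by
`aws s3api get-object-lock-configuration --bucket <name>`. The sample
configurations below are constructed for illustration, not read from a bucket.
"""
from __future__ import annotations

# Assumption for the comparison: treat a "Years" retention value as 365 days
# each. Verify the actual retain-until dates on objects when auditing.
DAYS_PER_YEAR = 365

# Constructed samples.
SAMPLE_WEAK = {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}},
}
SAMPLE_STRONG = {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}},
}


def retention_days(default_retention: dict) -> int:
    """Normalise a DefaultRetention block to days (Days and Years are mutually exclusive)."""
    if "Days" in default_retention:
        return int(default_retention["Days"])
    if "Years" in default_retention:
        return int(default_retention["Years"]) * DAYS_PER_YEAR
    return 0


def assess_object_lock(config: dict, min_retention_days: int) -> list[str]:
    """Return findings; an empty list means the bucket meets the WORM requirement."""
    findings: list[str] = []

    if config.get("ObjectLockEnabled") != "Enabled":
        # Without Object Lock, any principal allowed s3:DeleteObjectVersion
        # can purge backups; versioning alone is not immutability.
        findings.append("Object Lock is not enabled on this bucket")
        return findings

    rule = config.get("Rule", {}).get("DefaultRetention")
    if not rule:
        # Object Lock is on, but only objects uploaded with explicit retention
        # headers are protected; everything else remains deletable.
        findings.append(
            "Object Lock enabled but no default retention rule: "
            "new objects are not protected by default"
        )
        return findings

    mode = rule.get("Mode")
    if mode == "GOVERNANCE":
        # Governance mode is overridable by anyone holding
        # s3:BypassGovernanceRetention, which broad admin policies often include.
        findings.append(
            "retention mode is GOVERNANCE: bypassable with "
            "s3:BypassGovernanceRetention; use COMPLIANCE for regulatory WORM"
        )
    elif mode != "COMPLIANCE":
        findings.append(f"unknown retention mode {mode!r}")

    days = retention_days(rule)
    if days < min_retention_days:
        findings.append(
            f"default retention {days} days is shorter than required "
            f"{min_retention_days} days"
        )
    return findings


if __name__ == "__main__":
    seven_years = 7 * DAYS_PER_YEAR
    for name, cfg in (("weak", SAMPLE_WEAK), ("strong", SAMPLE_STRONG)):
        result = assess_object_lock(cfg, seven_years)
        print(f"{name}: {'OK' if not result else result}")
```

To run this against a real bucket, pipe the `ObjectLockConfiguration` value from the CLI output into `assess_object_lock`; the script deliberately does not call AWS itself so it can be run offline against captured configurations. Remember that a default retention rule only affects objects written after it is set, so existing backup objects need their retention checked individually.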
Data Residency and Compliance
Acorn recognises that data residency is a key compliance concern for many organisations. Your data remains in the geographic region most relevant to your location and regulatory context. This approach allows Acorn to serve customers with varying compliance mandates—whether related to GDPR, local data protection laws, or internal governance requirements.
API and Integration Capabilities
Acorn PLMS uses widely adopted industry standards, HTTPS/JSON through a REST API and webhooks, to enable seamless integration with major cloud platform components. This standards-based approach means your organisation can integrate Acorn with broader cloud ecosystems for workflows, automations, and data exchange without requiring custom protocols or bespoke development.
These integration capabilities support your broader cloud architecture while maintaining the security standards verified through SOC 2 Type II certification.
Transparency and Additional Resources
For detailed information about Acorn's compliance posture, deployment options, and hosting architecture, your organisation can access comprehensive compliance documentation. Acorn uses HECVAT version 4.0 for infrastructure responses, aligning with industry-standard questionnaire formats used by enterprises evaluating cloud services.
There are no hidden hosting costs associated with Acorn PLMS, ensuring that your budgeting and cost planning remain predictable and transparent.
Moving Forward with Confidence
SOC 2 Type II certification demonstrates Acorn's commitment to maintaining security controls that evolve with your organisation's needs. The annual independent assessment provides ongoing assurance that your data is protected by proven, tested security practices within a trusted cloud infrastructure.
When you deploy Acorn PLMS, you gain access to a learning management system backed by comprehensive security certification, multi-region cloud hosting, robust data protection protocols, and regular independent audits. This layered approach to security and compliance enables your organisation to focus on delivering learning outcomes with the confidence that your data and systems are protected by industry-leading standards.
WCAG & Accessibility Compliance
WCAG & Accessibility Compliance in Acorn PLMS
Accessibility compliance is fundamental to delivering an inclusive learning management system. Acorn PLMS is designed to support your organisation's commitment to meeting Web Content Accessibility Guidelines (WCAG) 2.1/2.2 AA standards, Section 508 compliance, and other accessibility requirements. This article explains how Acorn's compliance framework supports accessibility auditing and certification.
Understanding Your Accessibility Obligations
When you deploy Acorn PLMS, your organisation must ensure that the platform meets established accessibility standards. These standards include:
- WCAG 2.1 and 2.2 AA Standards: The Web Content Accessibility Guidelines provide a framework for making digital content accessible to users with disabilities, including visual, auditory, motor, and cognitive impairments.
- Section 508: A U.S. federal requirement mandating that electronic and information technology be accessible to people with disabilities.
- Voluntary Product Accessibility Template (VPAT): Formal documentation your organisation can use to communicate accessibility features and compliance status to stakeholders and clients.
Acorn PLMS has undergone assessment through formal business continuity and compliance reviews, ensuring that underlying infrastructure and operational practices support accessibility requirements.
Acorn's Compliance and Audit Framework
Documented Policies and Procedures
Your organisation can rely on Acorn's documented compliance framework. Acorn maintains formal documentation covering:
- Disaster Recovery and Business Continuity Policies: Comprehensive policies that ensure service availability and data integrity—foundational elements of accessible service delivery.
- Incident Response Procedures: Formal processes for addressing security and operational incidents that could affect user access or data security.
- Backup and Recovery Plans: Detailed procedures for protecting critical system components, including codebase, core data, file storage, event logs, and configurations.
These policies are actively maintained and undergo formal review every 12 months, ensuring your compliance posture remains current.
Audit and Assessment Results
Acorn PLMS has completed internal and external audits relevant to security, privacy, and business continuity. Importantly, no audit findings have resulted in "Needs Improvement" or "Unsatisfactory" ratings for security, privacy, or disaster recovery capabilities that remain unaddressed. This clean audit status demonstrates Acorn's commitment to maintaining compliance standards.
When you conduct your own accessibility audits or vendor assessments, you can reference Acorn's audit history and remediation record as evidence of the vendor's reliability and commitment to continuous compliance improvement.
Business Impact Analysis and Critical System Components
Accessibility compliance depends on understanding which system components are critical to service delivery. Acorn has conducted a Business Impact Analysis that identifies and prioritises:
- Core Codebase: The foundational software ensuring accessibility features function as designed.
- Critical Data: User profiles, learning records, and configuration data essential for personalised, accessible learning experiences.
- File Storage: Systems supporting accessible document delivery and multimedia content.
- Event Logs and Configurations: Systems enabling audit trails and compliance tracking.
This analysis informs Acorn's backup and recovery strategies, which directly support your ability to maintain continuous, accessible service delivery during system failures or incidents.
Disaster Recovery and Service Resilience
Recovery Time and Point Objectives
Your organisation's accessibility obligations include ensuring timely service restoration. Acorn PLMS is built on a Multi-Site Deployment architecture using AWS infrastructure. The platform defines Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) contractually, with typical targets aligned to enterprise expectations. For specific RTO and RPO values applicable to your organisation, refer to Acorn_DisasterRecovery.pdf, page 4.
Acorn's infrastructure supports rapid service restoration:
- Automated Failover: Single service failures trigger automated failover procedures, minimizing downtime.
- Availability Zone Protection: Multi-availability zone deployment protects against regional outages.
- Rapid Recovery: Recovery within 15 minutes for standard failure scenarios, with manual restoration procedures documented for catastrophic events.
This resilience directly supports accessibility compliance by ensuring that accessibility features remain available to your users without interruption.
Testing and Verification
Accessibility compliance requires confidence that systems will remain available and functional. Acorn conducts regular, documented testing of disaster recovery protocols:
- Annual Testing Cycles: Simulations of single service failures, availability zone outages, and total system failures are performed every 12 months or following significant system changes.
- Failover Verification: Testing confirms that failover procedures execute correctly and that manual restoration steps function as documented.
- Continuous Staff Training: Technicians remain trained on recovery procedures to streamline response times during actual incidents.
Detailed testing procedures and results are documented in Acorn_DisasterRecovery.docx, providing evidence of operational readiness for compliance auditors.
Preparing for Accessibility Audits and VPAT Documentation
When your organisation undergoes accessibility audits or must complete Voluntary Product Accessibility Template (VPAT) submissions, you can reference:
- Acorn's Formal Documentation: Business Continuity Plans (Acorn_DisasterRecovery.pdf), Incident Response procedures (Acorn_IncidentResponse), and Backup Plans (Acorn_BackupPlan) demonstrate operational maturity.
- Audit History: Clean audit results for security, privacy, and disaster recovery show vendor reliability.
- Testing Records: Annual disaster recovery testing demonstrates continuous verification of critical system functions.
- Contractual SLAs: Recovery objectives defined in service agreements show commitment to service availability, a key accessibility requirement.
Acorn PLMS meets two critical compliance qualification standards:
- QUAL-03 (Business Continuity Plans): Acorn maintains a well-documented, fully populated Business Continuity Plan that is tested annually.
- QUAL-04 (Disaster Recovery Plans): Acorn maintains a well-documented, fully populated Disaster Recovery Plan that is tested annually.
Both plans address the infrastructure and operational resilience necessary to support continuous, accessible service delivery.
Next Steps
To prepare your organisation's accessibility compliance documentation:
- Request detailed RTO/RPO specifications and confirm alignment with your SLAs.
- Review Acorn_DisasterRecovery.pdf to understand recovery capabilities specific to your deployment.
- Document Acorn's audit results and testing schedule as evidence of vendor reliability.
- Incorporate Acorn's compliance documentation into your VPAT submissions and accessibility audit responses.
By leveraging Acorn PLMS's documented compliance framework and tested resilience capabilities, your organisation can confidently meet WCAG, Section 508, and other accessibility standards while ensuring continuous, reliable service delivery to all users.