Engineerica • AccuClass – Online Attendance Tracking System • AccuClass Security Documentation

AccuClass Security Documentation

Information Security Report

Since our AccuClass software is hosted on the AWS (Amazon Web Services) Cloud we would also like to include a link to the Amazon Cloud Security Documentation (PDF):


Frequently Asked Questions


Where is the student database stored?

The database is hosted in the Amazon Cloud.


Is your data stored only in the USA?

Yes.  The database is stored in a US server in the Amazon cloud.


What is your data backup procedure?

The data is backed up every 30 minutes and moved off-site instantly.


Do we (the client) retain sole ownership of our data?

Yes.  You can download the information at any time you want. We will never sell or share your student information.


What is the amount of time we have to retrieve data after the service is terminated?

Access to data is available for as long as your subscription to the service is active. Once the service becomes inactive (e.g. as a result of not renewing it when it expires) then access to the database stops upon expiration.


Do you have disaster recovery processes/procedures?

We have a manual to use in case of disaster. Also, we have a server image hosted on Amazon that allows us to restore the server and the backups in less than one hour. Please note that we can decide to use another procedure in case of disaster depending on the reason why the servers went down.


Is the data encrypted at rest?

Yes.  Data is always encrypted at rest in all accounts using SSL encryption.


How can we pull all data from the system if needed?

You can pull the data from the system at any time using the Export feature available in AccuClass. This feature is only available to administrators.


Have you had any data breaches and how long have you offered the cloud option?

No- we never had a data breach. We have been offering AccuClass as a service for 13 years and it has always been hosted in the Amazon.  We offer the cloud solution to some of the TOP 15 biggest U.S. universities.

-Back to Top-


Physical & Environmental Security

Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military-grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Amazon only provides data center access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical and electronic access to data centers by Amazon employees is logged and audited routinely.

-Back to Top-


Firewall Security

The firewall can be configured in groups permitting different classes of instances to have different rules, for example the case of a traditional three-tiered web application. The group for the web servers would have port 80 (HTTP) and port 443 (HTTPS) open to the world. The group for the application servers would have port 8000 (application-specific) accessible only to the web server group. The group for the database servers would have port 3306 (MySQL) open only to the application server group. All three groups would permit administrative access on port 22 (SSH), but only from the customer’s corporate network. Highly secure applications can be deployed using this expressive mechanism.

The firewall is controlled not by the host/instance itself, but requires the customer’s X.509 certificate and key to authorize changes, thus adding an extra layer of security. Within EC2, the host administrator and cloud administrator can be separate people, permitting two-man rule security policies to be enforced. In addition, AWS encourages customers to apply additional per-instance filters with host-based firewalls such as IPtables. This can restrict both inbound and outbound traffic in each instance.

-Back to Top-


Server Backups

Data stored in Amazon S3, Amazon SimpleDB, or Amazon Elastic Block Store is redundantly stored in multiple physical locations as a normal part of those services.

-Back to Top-


Secure Socket Layer (SSL) Deployment

The database and its backups never leave the Amazon Cloud.  They are stored internally in the Amazon backup servers.  Passwords are the exception though; they are always encrypted using the best industry standards.

-Back to Top-


Network Security

The AWS network provides significant protection against traditional network security issues and the customer can implement further protection. The following are a few examples:

  • IP Spoofing: Amazon EC2 instances cannot send spoofed traffic. The Amazon-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
  • Port Scanning: Port scans by Amazon EC2 customers are a violation of the Amazon EC2 Acceptable Use Policy (AUP). Violations of the AUP are taken seriously, and every reported violation is investigated. When Port scanning is detected it is stopped and blocked. Port scans of Amazon EC2 instances are generally ineffective because, by default, all inbound ports on Amazon EC2 instances are closed.

The customer’s strict management of security groups can further mitigate the threat of port scans. If the customer configures the security group to allow traffic from any source to a specific port, then that specific port will be vulnerable to a port scan. In these cases, the customer must use appropriate security measures to protect listening services that may be essential to their application from being discovered by an unauthorized port scan. For example, a web server must have port 80 (HTTP) open to the world, and the administrator of this server is responsible for ensuring the security of the HTTP server software, such as Apache.

  • Packet sniffing by other tenants: It is not possible for a virtual instance running in promiscuous mode to receive or “sniff” traffic that is intended for a different virtual instance. While customers can place their interfaces into promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them. This includes two virtual instances that are owned by the same customer, even if they are located on the same physical host. Attacks such as ARP cache poisoning do not work within EC2. While Amazon EC2 does provide ample protection against one customer inadvertently or maliciously attempting to view another’s data, as a standard practice customers should encrypt sensitive traffic.

-Back to Top-


Certifications and Accreditations

AWS is working with a public accounting firm to ensure continued Sarbanes Oxley (SOX) compliance and attain certifications such as recurring Statement on Auditing Standards No. 70: Service Organizations, Type II (SAS70 Type II) certification. These certifications provide outside affirmation that AWS has established adequate internal controls and that those controls are operating efficiently. AWS will continue efforts to obtain the strictest of industry certifications to verify its commitment to providing a secure, world-class cloud computing environment.

-Back to Top-


Updates to AccuClass

Routine, emergency, and configuration changes to existing AWS infrastructure are authorized, logged, tested, approved, and documented per industry norms for similar systems.  Updates to AWS’s infrastructure are done to minimize any impact on the customer and their use of the services. AccuClass Team will communicate with customers, either via email or through the Engineerica Service Health Dashboard (https://www.engineerica.com/status/) when service use is likely to be adversely affected.

-Back to Top-


PCI Compliance

AccuClass does not store or receive any credit card information. All payments are processed via the third-party service PayPal and we only process the payment confirmation to renew the service. The AccuClass software itself does not, at any moment, process, transmit, or handle any information that could potentially be subject to PCI compliance analysis.

-Back to Top-


Data Breach and Incident Reporting

Without limiting your obligations under the user agreement, we will implement reasonable and appropriate measures designed to help you secure Your Content against accidental or unlawful loss, access, or disclosure. Engineerica Systems, Inc. will communicate with the affected users and customers regarding any data breach within a reasonable time frame after it knows about the incident.

-Back to Top-


Customer Data & Privacy Policy

You can download the information at any time you want. We will never sell or share your student information.  Access to data is available for as long as your subscription to the service is active. Once the service becomes inactive (e.g. as a result of not renewing it when it expires) then access to the database stops upon expiration.

Engineerica understands that student data and records are subject to the Family Educational Rights and Privacy Act (“FERPA”), 10 U.S.C. Section 1232g (collectively, the “FERPA Records”).  As a result, Engineerica holds these records in strict confidence. Engineerica safeguards the FERPA Records according to commercially reasonable administrative, physical, and technical standards that are no less rigorous than the standards by which Engineerica protects its confidential information.

Customer Data is destroyed from our primary database 30-45 days after the account expires if the customer doesn’t express written intentions of renewing.  Data may remain in external backups for an additional period during our backup retention period until it’s fully destroyed.  This process is no more than 60 days after the service is canceled.

-Back to Top-


Disaster Recovery

We have a manual to use in case of disaster.  Also, we have a server image hosted on Amazon that allows us to restore the server and the backups in less than one hour.  Please note that we can decide to use another procedure in case of disaster depending on the reason why the servers went down.

 

-Back to Top-


Application Security

Please refer to AccuClass documentation website articles about  User Management .

-Back to Top-


API and SSO Capabilities

Please refer to the AccuClass documentation website articles about the AccuClass API.  Currently, there are not any SSO (Single Sign-On) Integrations available for this product but can be developed for a cost if needed.  This includes LDAP / Active Directory, Shibboleth, SAML Authentication, or any other custom connectors that integrate with your Student Information Systems (SIS) such as Blackboard, PeopleSoft, Colleague, etc.

-Back to Top-

Driving Excellence Across Education, Events, and Enterprise
Unlock new possibilities and streamline your operations with our cutting-edge technology.
Let's Connect