Accudemia

Accudemia – Security Assurance Documentation

Where is the student database stored?

The database is hosted on Amazon Web Services (AWS).

Is your data stored only in the USA?

Yes. The database is hosted on a server in a US AWS region.

What is your data backup procedure?

The data is backed up every 30 minutes, and each backup is copied off-site immediately.

What are your security policies for data in transit?

We use an industry-standard TLS certificate (still commonly called an SSL certificate) to encrypt data moving between your browser and the Accudemia web server. To verify that your connection to Accudemia is encrypted, check that the URL begins with https:// (not http://) and that the browser's address bar shows a padlock icon. Clicking the padlock lets you inspect the certificate: who issued it, which hostname it covers, and when it expires. Note that the padlock only confirms that the connection to the web server is encrypted and that the certificate chains to a trusted authority; protection of data once it reaches the server is covered under encryption at rest below.
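The padlock check above can be automated for monitoring. The following is an added example, not Accudemia's or Engineerica's code: it performs the same validation a browser does (trusted chain, hostname match, expiry window, modern protocol) using Python's standard library. The hostname is a placeholder, the reference time and the sample certificate dictionaries are constructed for offline checking, and the policy evaluation is kept in a pure function so it can be tested without a live connection.

```python
"""Verify a TLS endpoint the way the browser padlock does.
Added example; not Accudemia code. Hostname below is a placeholder."""
import socket
import ssl
import time
from urllib.parse import urlparse

MODERN_PROTOCOLS = ("TLSv1.2", "TLSv1.3")

# Constructed reference time (2030-01-01 00:00:00 UTC as epoch seconds),
# used so expiry arithmetic can be checked without a live connection.
EPOCH_2030 = ssl.cert_time_to_seconds("Jan  1 00:00:00 2030 GMT")


def requires_https(url: str) -> bool:
    """True only for https:// URLs; anything else would send data in the clear."""
    return urlparse(url).scheme == "https"


def days_until_expiry(cert: dict, now_epoch: float) -> float:
    """cert is the dict SSLSocket.getpeercert() returns; its notAfter field
    uses OpenSSL's 'Jun  1 12:00:00 2030 GMT' layout."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - now_epoch) / 86400


def assess(cert: dict, protocol: str, now_epoch: float) -> dict:
    """Pure policy evaluation, shared by the live probe and offline tests."""
    days_left = days_until_expiry(cert, now_epoch)
    return {
        "days_left": days_left,
        "expired": days_left <= 0,
        "expires_soon": 0 < days_left <= 30,
        "modern_protocol": protocol in MODERN_PROTOCOLS,
    }


def check_tls(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the default context (chain validation and hostname check
    enabled) and report what the padlock would show. Raises ssl.SSLError or
    ssl.CertificateError when the chain or name does not validate, which is
    the failure we want to surface rather than hide."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            result = assess(cert, tls.version(), time.time())
            result.update({
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                # each RDN is a tuple of (name, value) pairs; take the first pair
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "issuer": dict(rdn[0] for rdn in cert["issuer"]),
            })
            return result


if __name__ == "__main__":
    host = "app.example.edu"  # placeholder; substitute your Accudemia hostname
    print(check_tls(host))
```

Run it from a scheduled job and alert on `expired`, `expires_soon`, or a non-modern protocol; a validation exception is itself a finding, since it means the certificate a user would see is one the browser would also reject.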

Do we (the client) retain sole ownership of our data?

Yes. Your data is yours, and you can download the information at any time you want – while your account is active. We will never sell or share your data.

What is the amount of time we have to retrieve data after the service is terminated?

Access to your account and its data is available for as long as your subscription to the service is active. Once the subscription becomes inactive (for example because it was not renewed when it expired), access to the database stops at expiration; see Data Retention below for when the data itself is deleted.

Do you have disaster recovery processes/procedures?

We have a disaster recovery plan. We also keep a server image on AWS from which the server can be restored in a few minutes, and we take frequent backups that can be restored when needed. The total restoration time depends on what is being restored: the server itself can be restored in minutes, while restoring the database from the latest backup can take a few hours. Depending on the cause of the outage, we may use a different recovery procedure.

Is the data encrypted at rest?

Yes. The Accudemia database is encrypted at rest using AWS features.
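"Encrypted at rest using AWS features" is a claim a customer can only take on trust, but the operator can verify it, and the verification should cover the backups and snapshots as well as the live database, since an unencrypted snapshot copy undoes the protection of the source. The following is an added example, not Accudemia's or Engineerica's code. It evaluates the JSON that the AWS CLI prints for `aws rds describe-db-instances`, `aws rds describe-db-snapshots`, `aws ec2 describe-volumes` and `aws ec2 describe-snapshots` (the `StorageEncrypted`, `Encrypted` and `SnapshotCreateTime` fields are real), and also checks that the newest backup is no older than the 30-minute interval stated above. The inventory embedded below is a constructed sample in that shape.

```python
"""Audit encryption at rest and backup freshness from AWS CLI JSON.
Added example; not Accudemia code. SAMPLE is constructed data."""
from datetime import datetime, timezone

# Constructed sample merging the four CLI outputs named in the lead-in.
SAMPLE = {
    "DBInstances": [
        {"DBInstanceIdentifier": "student-db", "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE"},
    ],
    "DBSnapshots": [
        {"DBSnapshotIdentifier": "rds:student-db-2030-01-01-00-00",
         "Encrypted": True, "SnapshotCreateTime": "2030-01-01T00:00:00+00:00"},
        {"DBSnapshotIdentifier": "manual-copy-old-region",
         "Encrypted": False, "SnapshotCreateTime": "2029-12-31T23:30:00+00:00"},
    ],
    "Volumes": [{"VolumeId": "vol-0a1b2c", "Encrypted": True}],
    "Snapshots": [{"SnapshotId": "snap-0d4e5f", "Encrypted": False}],
}


def find_unencrypted(inventory: dict) -> list:
    """Return (resource-type, identifier) for every resource that is not
    encrypted. A missing flag is treated as unencrypted, never as a pass."""
    findings = []
    for db in inventory.get("DBInstances", []):
        if not db.get("StorageEncrypted"):
            findings.append(("rds-instance", db["DBInstanceIdentifier"]))
    for snap in inventory.get("DBSnapshots", []):
        if not snap.get("Encrypted"):
            findings.append(("rds-snapshot", snap["DBSnapshotIdentifier"]))
    for vol in inventory.get("Volumes", []):
        if not vol.get("Encrypted"):
            findings.append(("ebs-volume", vol["VolumeId"]))
    for snap in inventory.get("Snapshots", []):
        if not snap.get("Encrypted"):
            findings.append(("ebs-snapshot", snap["SnapshotId"]))
    return findings


def latest_backup_age_minutes(inventory: dict, now_iso: str) -> float:
    """Minutes since the newest RDS snapshot, measured against an ISO-8601
    timestamp with offset (the CLI prints these in UTC)."""
    now = datetime.fromisoformat(now_iso).astimezone(timezone.utc)
    newest = max(
        datetime.fromisoformat(s["SnapshotCreateTime"]).astimezone(timezone.utc)
        for s in inventory["DBSnapshots"]
    )
    return (now - newest).total_seconds() / 60


def backups_on_schedule(inventory: dict, now_iso: str, interval_minutes: int = 30) -> bool:
    """True when the newest backup is within one backup interval of 'now'."""
    return latest_backup_age_minutes(inventory, now_iso) <= interval_minutes


if __name__ == "__main__":
    print(find_unencrypted(SAMPLE))
    print(backups_on_schedule(SAMPLE, "2030-01-01T00:45:00+00:00"))
```

Feed the real CLI output into the same functions; an empty findings list plus `backups_on_schedule` returning True is the evidence that supports the two answers above. The sample deliberately includes an unencrypted manual snapshot copy, which is the typical way encrypted-at-rest guarantees are silently lost.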

How can we pull all data from the system if needed?

As an Accudemia system admin, you can pull the data from the system at any time using the Reports or the Export feature available within Accudemia.

Have you had any data breaches and how long have you offered the cloud option?

No. We have never had a data breach that we are aware of. We have offered Accudemia as a software service since 2008 and have hosted it on AWS since 2012. During this time, Accudemia has been used by some of the largest U.S. colleges and universities.

Data Center Availability

Amazon has many years of experience in designing, constructing, and operating large-scale data centers. Current AWS service status and outage history are published on the AWS Service Health Dashboard.

Data Center Physical & Environmental Security

Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military-grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Amazon only provides data center access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical and electronic access to data centers by Amazon employees is logged and audited routinely.

Data Center Backups

Data stored in Amazon S3, Amazon SimpleDB, or Amazon Elastic Block Store is redundantly stored in multiple physical locations as a normal part of those services.

Secure Sockets Layer (SSL/TLS) Deployment

TLS (SSL) is used to encrypt and protect information while it travels over the Internet between our server and your computer. The database and its backups are both hosted on AWS; backups are kept on AWS storage rather than on any on-premises system.

API calls to launch and terminate instances, change firewall (security group) rules, and perform other functions must be signed. When this section was written, AWS accepted either an X.509 certificate or an HMAC signature computed with the customer's Secret Access Key; today every AWS API request is signed with the secret access key under Signature Version 4, the X.509/SOAP path having been retired, and the credentials used should be short-lived ones issued through IAM roles rather than long-term keys. Without the signing credentials, API calls cannot be made on the customer's behalf. API calls can also be carried over TLS-protected endpoints to keep their contents confidential, and Amazon recommends always using them.
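The property that matters here, that a request cannot be signed without the secret and that a captured signature cannot be reused for a different request, comes from the Signature Version 4 construction. The following is an added example, not AWS or Accudemia code: it derives the per-day, per-region, per-service signing key from the secret, builds the canonical request, and shows a verifier recomputing the signature with a constant-time comparison. The access key, secret, hostname and request are constructed placeholders; the derivation chain, canonical-request layout and header format follow the published SigV4 specification.

```python
"""AWS Signature Version 4 signing and verification.
Added example; not AWS or Accudemia code. Credentials are placeholders."""
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def derive_signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request").
    The long-term secret never leaves this function, and the result is only
    usable for one day, one region and one service."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method: str, path: str, query: dict, headers: dict, payload: str):
    """Canonical form: method, URI, sorted query, sorted lower-cased headers,
    signed-header list, payload hash. Changing any byte of the request
    changes this string and therefore the signature."""
    canon_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    lower = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    canon_headers = "".join(f"{k}:{lower[k]}\n" for k in sorted(lower))
    signed_headers = ";".join(sorted(lower))
    canon = "\n".join([method, path, canon_query, canon_headers, signed_headers, _sha256_hex(payload)])
    return canon, signed_headers


def sign_request(secret, access_key, amz_date, region, service,
                 method, path, query, headers, payload) -> str:
    """Return the Authorization header value for the request."""
    date = amz_date[:8]                      # amz_date looks like 20300101T000000Z
    scope = f"{date}/{region}/{service}/aws4_request"
    canon, signed_headers = canonical_request(method, path, query, headers, payload)
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(canon)])
    key = derive_signing_key(secret, date, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{ALGORITHM} Credential={access_key}/{scope}, SignedHeaders={signed_headers}, Signature={signature}"


def verify_request(secret, access_key, authorization, amz_date, region, service,
                   method, path, query, headers, payload) -> bool:
    """Server side: recompute from the secret and compare in constant time."""
    expected = sign_request(secret, access_key, amz_date, region, service,
                            method, path, query, headers, payload)
    return hmac.compare_digest(expected, authorization)


# Constructed placeholder request: an EC2 DescribeInstances call.
SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"   # placeholder, not a real key
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"                    # placeholder
AMZ_DATE = "20300101T000000Z"
REQUEST = dict(method="GET", path="/", query={"Action": "DescribeInstances", "Version": "2016-11-15"},
               headers={"host": "ec2.us-east-1.amazonaws.com", "x-amz-date": AMZ_DATE}, payload="")


def example_authorization() -> str:
    return sign_request(SECRET, ACCESS_KEY, AMZ_DATE, "us-east-1", "ec2", **REQUEST)


if __name__ == "__main__":
    print(example_authorization())
```

The derived key is what an SDK holds in memory while signing; leaking it exposes one day of one service in one region, whereas leaking the secret exposes everything. That asymmetry is the reason the page's advice not to share the Secret Access Key is stronger than it may sound.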

Network Security

The AWS network provides significant protection against traditional network security issues and the customer can implement further protection. The following are a few examples:

  • IP Spoofing: Amazon EC2 instances cannot send spoofed traffic. The Amazon-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
  • Port Scanning: Port scans by Amazon EC2 customers are a violation of the Amazon EC2 Acceptable Use Policy (AUP). Violations of the AUP are taken seriously, and every reported violation is investigated. When port scanning is detected, it is stopped and blocked. Port scans of Amazon EC2 instances are generally ineffective because, by default, all inbound ports on Amazon EC2 instances are closed: a security group starts with no inbound rules, and only the rules the customer adds open ports.
  • Packet sniffing by other tenants: It is not possible for a virtual instance running in promiscuous mode to receive or “sniff” traffic that is intended for a different virtual instance. While customers can place their interfaces into promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them. This includes two virtual instances that are owned by the same customer, even if they are located on the same physical host. Attacks such as ARP cache poisoning do not work within EC2. While Amazon EC2 does provide ample protection against one customer inadvertently or maliciously attempting to view another’s data, as a standard practice customers should encrypt sensitive traffic.
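Because inbound access is deny-by-default, the customer's exposure is exactly the set of security-group rules that have been added, and that set drifts over time. The following is an added example, not Accudemia's or AWS's code: it audits the JSON that `aws ec2 describe-security-groups` prints (the `IpPermissions`, `IpProtocol`, `FromPort`, `ToPort`, `IpRanges` and `Ipv6Ranges` fields are real) and reports any rule reachable from the whole Internet, or from a very broad public prefix, on a port outside an allowlist. The security groups embedded below are a constructed sample; the allowlist of 443 only reflects the HTTPS-only posture described on this page and is an assumption.

```python
"""Flag Internet-reachable security-group rules outside an allowlist.
Added example; not Accudemia or AWS code. SAMPLE_GROUPS is constructed."""
import ipaddress

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")

# Constructed sample in the shape of `aws ec2 describe-security-groups`.
SAMPLE_GROUPS = {
    "SecurityGroups": [
        {"GroupId": "sg-web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ]},
        {"GroupId": "sg-db", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1",   # all protocols, all ports
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        ]},
    ]
}


def _rule_ports(rule: dict):
    """IpProtocol -1 means every port; otherwise use the stated range."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def _sources(rule: dict):
    for r in rule.get("IpRanges", []):
        yield ipaddress.ip_network(r["CidrIp"])
    for r in rule.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(r["CidrIpv6"])


def _is_broad(net, max_prefix: int) -> bool:
    """Whole-Internet sources, or public prefixes at least as wide as /max_prefix.
    Private (RFC 1918 / ULA) ranges are internal reachability, not exposure."""
    if net in (ANY_V4, ANY_V6):
        return True
    return (not net.is_private) and net.prefixlen <= max_prefix


def world_reachable_ports(groups: dict, allowed=(443,), max_prefix: int = 8) -> list:
    """Return (group id, protocol, from port, to port, source) for each rule
    that lets a broad source reach a port outside the allowlist."""
    findings = []
    for sg in groups.get("SecurityGroups", []):
        for rule in sg.get("IpPermissions", []):
            lo, hi = _rule_ports(rule)
            if all(p in allowed for p in range(lo, hi + 1)):
                continue                      # every port in the range is allowed
            for net in _sources(rule):
                if _is_broad(net, max_prefix):
                    findings.append((sg["GroupId"], rule.get("IpProtocol"), lo, hi, str(net)))
    return findings


if __name__ == "__main__":
    for finding in world_reachable_ports(SAMPLE_GROUPS):
        print("exposed:", finding)
```

In the sample, the web group's 443 rule and the internal 22 rule pass, the database group's 5432 rule open to 0.0.0.0/0 is reported, and the all-traffic rule from a single /24 is left alone because the source is narrow; raise `max_prefix` to tighten that judgement. Run this against every region, since a security group in an unused region is easy to forget.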

Certifications and Accreditations

When this section was written, AWS was working with a public accounting firm to maintain Sarbanes-Oxley (SOX) compliance and to obtain recurring Statement on Auditing Standards No. 70, Type II (SAS 70 Type II) audits. SAS 70 has since been superseded: AWS now publishes SOC 1, SOC 2 and SOC 3 reports under SSAE 18, along with ISO 27001 and other certifications, which customers can retrieve through AWS Artifact. These independent reports provide outside affirmation that AWS has established adequate internal controls and that those controls operate effectively. They cover the AWS infrastructure only; controls within the Accudemia application itself remain Engineerica's responsibility under the AWS shared-responsibility model.

Updates to Accudemia

Routine, emergency, and configuration changes to the AWS infrastructure are authorized, logged, tested, approved, and documented following industry norms for similar systems, and are carried out so as to minimize impact on customers and their use of the services. For Accudemia itself, the Accudemia Team will notify customers, by email or through the announcements section in the Accudemia software, when a planned update is likely to affect service availability.

PCI Compliance

Accudemia does not store or receive any credit card information. Subscription payments are processed by a third-party payment service such as Stripe or PayPal, and Accudemia receives only the payment confirmation used to renew the service. The Accudemia software itself never processes, transmits, or handles cardholder data, so it falls outside the scope of PCI DSS.

Data Breach and Incident Reporting

Without limiting your obligations under the user agreement, we will implement reasonable and appropriate measures designed to help you secure Your Content against accidental or unlawful loss, access, or disclosure.

Customer Data Privacy Policy

You can download your data at any time you want. We will never sell or share your student information. Access to your data is available for as long as your subscription to the service is active. Once the service becomes inactive (e.g. as a result of not renewing it when it expires) then access to the database stops upon expiration.

Engineerica understands that student data and records are subject to the Family Educational Rights and Privacy Act ("FERPA"), 20 U.S.C. § 1232g (collectively, the "FERPA Records"). As a result, Engineerica holds these records in strict confidence and safeguards the FERPA Records according to commercially reasonable administrative, physical, and technical standards that are no less rigorous than the standards by which Engineerica protects its own confidential information.

Data Retention

Your data remains on our servers while your Accudemia subscription is active. If your Accudemia account expires, we delete your data within 30 days of expiration, and backups of your data are deleted within 30 days of that deletion. This deletion is permanent; deleted data cannot be restored.

Application Security

Please refer to the Accudemia documentation website articles about Role Permissions.

For more information on Accudemia’s SSO implementation, check Single Sign-on process and Security Keys/Tokens.
