Accudemia – Security Assurance Documentation
Information Security Report
- Frequently Asked Questions
- Availability
- Encryption
- Physical Security & Environmental Security
- Server Backups
- Application Security
- Secure Socket Layer Deployment
- Network Security
- Routine Server Updates
- PCI Compliance
- Data Breach and Incident Reporting
- Disaster Recovery
- Customer Data Privacy Policy
- Certifications and Accreditations
Since our Accudemia software is hosted on the AWS (Amazon Web Services) Cloud we would also like to include a link to the Amazon Cloud Security Documentation (PDF):
Frequently Asked Questions
Where is the student database stored?
The database is hosted in the Amazon Cloud.
Is your data stored only in the USA?
Yes. The database is stored in a US server in the Amazon cloud.
What is your data backup procedure?
The data is backed up every 30 minutes and moved off site instantly.
What is your security policies for data in transit
Login screens are always encrypted using an industry-standard SSL certificate as well as any other information in transit using SSL encryption.
Do we (the client) retain sole-ownership of our data?
Yes. You can download the information at anytime you want. We will never sell or share your student information.
What is the amount of time we have to retrieve data after the service is terminated?
Access to data is available for as long as your subscription to the service is active. Once the service becomes inactive (e.g. as a result of not renewing it when it expires) then access to the database stops upon expiration.
Do you have disaster recovery processes/procedures?
We have a manual to use in case of disaster. Also, we have a server image hosted on Amazon that allows us to restore the server and the backups in less than one hour. Please note that we can decide to use another procedure in case of disaster depending on the reason why the servers went down.
Is the data encrypted at rest?
Yes. Data is always encrypted at rest in all accounts using SSL-encryption.
How can we pull all data from the system if needed?
You can pull the data from the system at anytime using the Export feature available in Accudemia. This feature is only available to administrators.
Have you had any data breaches and how long have you offered the cloud option?
No- we never had a data breach that we are aware of. We have been offering Accudemia as a service for 10 years, and it has been hosted in the Amazon cloud for the past 4 years. We offer the cloud solution to some of the TOP 15 biggest U.S. universities.
Availability
Amazon has many years of experience in designing, constructing, and operating large-scale data centers. You can check their current uptime here:
https://health.aws.amazon.com/health/status
Amazon EC2 offers a highly reliable environment where replacement instances can be rapidly and predictably commissioned. The service runs within Amazon’s proven network infrastructure and data centers. The Amazon EC2 Service Level Agreement commitment is 99.99% availability for each Amazon EC2 Region.
Encryption
In-Transit Data such as login screens are always encrypted using an industry-standard SSL certificate as well as any other information in transit using SSL encryption.
Data at Rest is always encrypted in all Accudemia accounts using SSL-encryption.
Physical & Environmental Security
Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Amazon only provides data center access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical and electronic access to data centers by Amazon employees is logged and audited routinely.
Server Backups
Data stored in Amazon S3, Amazon SimpleDB, or Amazon Elastic Block Store is redundantly stored in multiple physical locations as a normal part of those services.
Secure Socket Layer Deployment
SSL is used to encrypt and protect the information while being sent on the Internet - from our server to your local computer. The database and its backups however, never leave the Amazon Cloud; they are stored internally in the Amazon backup servers. Passwords are the exception though; they are always encrypted using the best industry-standards.
API Calls to launch and terminate instances, change firewall parameters, and perform other functions are all signed by an X.509 certificate or the customer's Amazon Secret Access Key. Without access to the customer's Secret Access Key or X.509 certificate, Amazon EC2 API calls cannot be made on their behalf. In addition, API calls can be encrypted in transit with SSL to maintain confidentiality. Amazon recommends always using SSL-protected API endpoints.
Network Security
The AWS network provides significant protection against traditional network security issues and the customer can implement further protection. The following are a few examples:
- IP Spoofing: Amazon EC2 instances cannot send spoofed traffic. The Amazon -controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
- Port Scanning: Port scans by Amazon EC2 customers are a violation of the Amazon EC2 Acceptable Use Policy (AUP). Violations of the AUP are taken seriously, and every reported violation is investigated. When Port scanning is detected it is stopped and blocked. Port scans of Amazon EC2 instances are generally ineffective because, by default, all inbound ports on Amazon EC2 instances are closed.
The customer's strict management of security groups can further mitigate the threat of port scans. If the customer configures the security group to allow traffic from any source to a specific port, then that specific port will be vulnerable to a port scan. In these cases, the customer must use appropriate security measures to protect listening services that may be essential to their application from being discovered by an unauthorized port scan. For example, a web server must clearly have port 80 (HTTP) open to the world, and the administrator of this server is responsible for ensuring the security of the HTTP server software, such as Apache.
- Packet sniffing by other tenants: It is not possible for a virtual instance running in promiscuous mode to receive or "sniff" traffic that is intended for a different virtual instance. While customers can place their interfaces into promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them. This includes two virtual instances that are owned by the same customer, even if they are located on the same physical host. Attacks such as ARP cache poisoning do not work within EC2. While Amazon EC2 does provide ample protection against one customer inadvertently or maliciously attempting to view another's data, as a standard practice customers should encrypt sensitive traffic.
Certifications and Accreditations
AWS is working with a public accounting firm to ensure continued Sarbanes Oxley (SOX) compliance and attain certifications such as recurring Statement on Auditing Standards No. 70: Service Organizations, Type II (SAS70 Type II) certification. These certifications provide outside affirmation that AWS has established adequate internal controls and that those controls are operating efficiently. AWS will continue efforts to obtain the strictest of industry certifications in order to verify its commitment to provide a secure, world-class cloud computing environment.
Updates to Accudemia
Routine, emergency, and configuration changes to existing AWS infrastructure are authorized, logged, tested, approved, and documented in accordance with industry norms for similar systems. Updates to AWS’s infrastructure are done to minimize any impact on the customer and their use of the services. Accudemia Team will communicate with customers, either via email, or through the Engineerica Service Health Dashboard when service use is likely to be adversely affected.
PCI Compliance
Accudemia does not store or receives any credit card information. All payments are processed via the third-party service PayPal and we only process the payment confirmation to renew the service. The Accudemia software itself does not, at any moment, process, transmit or handles any information that could potentially be subject of PCI compliance analysis.
Data Breach and Incident Reporting
Without limiting your obligations under the user agreement, we will implement reasonable and appropriate measures designed to help you secure Your Content against accidental or unlawful loss, access or disclosure.
Customer Data Privacy Policy
You can download the information at anytime you want. We will never sell or share your student information. Access to data is available for as long as your subscription to the service is active. Once the service becomes inactive (e.g. as a result of not renewing it when it expires) then access to the database stops upon expiration.
Engineerica understands that student data and records are subject to the Family Educational Rights and Privacy Act ("FERPA"), 10 U.S.C. Section 1232g (collectively, the "FERPA Records"). As a result, Engineerica holds these records in strict confidence. Engineerica safeguards the FERPA Records according to commercially reasonable administrative, physical, and technical standards that are no less rigorous than the standards by which Engineerica protects its own confidential information.
Disaster Recovery
We have a manual to use in case of disaster. Also, we have a server image hosted on Amazon that allows us to restore the server and the backups in less than one hour. Please note that we can decide to use another procedure in case of disaster depending on the reason why the servers went down.
Application Security
Please refer to Accudemia documentation website articles pertaining to User Management and Group Role Templates.
For more information on setting up Single Sign-on process and Security Keys/Tokens.