Security
Last Updated: July 29, 2024
Data security and customer trust are paramount to us here at Skilljar. We are committed to providing a reliable and highly available service, complete with enterprise-grade security.
SOC 2 Certified
Skilljar is committed to maintaining the security of its customers’ information. Annually, Skilljar completes a Service Organization Controls 2 Type II (SOC 2 Type II) audit with an independent 3rd-party evaluator certified by The American Institute of CPAs (AICPA). This audit uses the Trust Services Principles, published by the AICPA, to evaluate the effectiveness of a service organization’s controls.
More information on SOC 2 reports can be found here.
CSA Trusted Cloud Provider
Skilljar has earned the Trusted Cloud Provider trustmark from the Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. Built upon existing CSA programs, the Trusted Cloud Provider trustmark assists consumers in identifying cloud providers that demonstrate their commitment to holistic security and are aligned with their individual security requirements.
Salesforce.com Security Review
Skilljar has successfully completed the Salesforce.com Security Review and is now listed on the Salesforce AppExchange.
Hosting and Physical Security
Skilljar servers are hosted on Amazon Web Services (AWS). As such, Skilljar inherits the control environment which Amazon maintains and demonstrates via SSAE16 SOC 1, 2 and 3, ISO 27001 and FedRAMP/FISMA reports and certifications. Web servers and databases run on servers in secure data centers. Physical access is restricted to authorized personnel. Premises are monitored and access is logged.
You can read further about AWS security and certifications here:
Isolation of Services
Skilljar servers run in Linux virtual machines which are isolated from one another and from the underlying hardware layer. Server processes are restricted to a particular directory and do not have access to the local filesystem.
Network Security
Skilljar services are accessible only over HTTPS. Traffic over HTTPS is encrypted and is protected (TLS 1.2 and higher) from interception by unauthorized third parties. Skilljar uses only strong encryption algorithms with a key length of at least 128 bits.
All network access, both within the datacenter and between the datacenter and outside services, is restricted by firewall and routing rules. Network access is logged and logs are retained for a minimum of 30 days.
Skilljar servers are only accessible through HTTPS and deny access to other ports, except that SSH access (protected by TLS and private key authentication) is enabled for administration. Administrative access is granted only to select employees of Skilljar, based on role and business need.
Access to databases used in the Skilljar service is over an encrypted link (TLS).
Authentication
Clients login to Skilljar using a password which is known only to them and done only over secure (HTTPS) connections. Clients are required to have reasonably strong passwords. Passwords are not stored unencrypted; instead, as is standard practice, only a secure hash of the password is stored in the database. Because the hash is relatively expensive to compute, and because a “salting” method is used, brute-force guessing attempts are relatively ineffective, and password reverse-engineering is difficult even if the hash value were to be obtained by a malicious party.
When clients enable end users to connect to Skilljar using user-supplied credentials (Single Sign On), this is done using security tokens, OAuth, or SAML 2.0, and in those cases, no credentials need to be stored in the Skilljar system.
Development Process
Skilljar developers have been trained in secure coding practices. Skilljar application architecture includes mitigation measures for common security flaws such as the OWASP Top 10. The Skilljar application uses industry standard, high-strength algorithms including AES and bcrypt. Periodic security tests are conducted, including using scanning and fuzzing tools to check for vulnerabilities.
Employee Screening and Policies
As a condition of employment all Skilljar employees undergo pre-employment background checks and agree to company policies including security and acceptable use policies. Employees also undergo annual security and phishing training.
Data Privacy
Skilljar has a privacy policy, which details the steps we take to protect users’’ information. You can view the privacy policy here: https://www.skilljar.com/privacy
List of Sub-processors
Skilljar uses the following sub-processors:
GDPR
Skilljar stores a minimum of personal data, and only as instructed by our Subscriber for the purposes of delivering the Skilljar Services. Our Subscribers act as the data controller and determine what data is sent to Skilljar for processing. Per the GDPR principles, Subscribers should avoid sharing unnecessary personal data with Skilljar beyond basic information (name and email address).
GDPR states that data controllers must provide users with specific information on how their personal data is being collected, used, stored and shared. As such, you may need to update your privacy policy to reflect your use of Skilljar as a data processor for the purposes of delivering your training program. Skilljar also provides tools that Subscribers may use to provide such notice. For example, you may utilize Skilljar’s Pop-Up Modal to provide notice at the time of user registration.
If your legal counsel determines you also need to obtain user consent before using Skilljar, make sure you update your Skilljar configuration to only send data from those who provided the required consent or have otherwise consented to it.
Skilljar follows the policies below that are relevant to GDPR:
- Privacy Policy: Skilljar’s privacy policy has been updated to align with GDPR: https://www.skilljar.com/privacy/
- Model Clauses & Data Processing Agreement (DPA): Skilljar includes a DPA as part of our default contract. Skilljar’s DPA has been updated to incorporate the new Standard Contractual Clauses (“SCCs”) and UK addendum for the SCCs. If you are, or represent, one of our Subscribers that has signed a separate GDPR-compliant data processing agreement or addendum with us, the terms of your existing data processing addendum or agreement will continue to apply and you do not need to take any other steps.
- Basis for processing: Skilljar collects and processes data to fulfill performance of our contract with our Subscriber. Each Subscriber, as the data controller, is responsible for determining the lawful basis for processing data and documenting EU data subject consent, if consent is the lawful basis for processing.
- Data Storage: Skilljar only processes data in the United States. All data is stored securely via Amazon Web Services. Skilljar has completed a transfer impact assessment, which is available to Subscribers upon request.
- Data Deletion, Correction, Editing, or Extraction: Skilljar will export, correct, or delete student data upon request by the Subscriber, if the functionality is not already available self-service (Skilljar provides Subscriber administrators with the ability to respond to routine access and export requests in the Skilljar Dashboard).
- Consent: Skilljar is a data importer and data subject consent is the responsibility of the Subscriber as a data controller. Skilljar provides product functionality that assists the Subscriber in obtaining and documenting consent.
- Marketing: Skilljar does not market to, nor sell, any Contact Data collected on behalf of the Subscriber.
Data Inventory
It is important to note that GDPR does not have an accredited certification method, thus, there is no GDPR-approved way to demonstrate compliance.
Reporting Security Issues
Skilljar takes its security responsibilities seriously on behalf of our Subscribers, their customers, and ourselves. We also view the role of security researchers as critical in the improvement of controls and products that we offer. We believe the ethical and safe processes that can be used to discover vulnerabilities should have a proper channel to advise Skilljar. Please review below for our standards regarding our Vulnerability Disclosure Program.
Notification
For issues found with Skilljar products, send these concerns to sec_reporting@skilljar.com.
Non-Skilljar Issues
Any issues found that are not directly the intellectual property of Skilljar that come from external sources will be advanced to that party. These issues would be outside of our program and while appreciative, these will not be handled in the same manner.
Disclosure Process
Skilljar will take all reported issues seriously and review the details. If any vulnerabilities are confirmed, Skilljar will immediately work to rectify the finding. In order to protect Skilljar from chaos testing, any researcher who wishes to engage in our program needs to comply with our process. We will not take legal action against any legitimate, non- disruptive testing used to reveal an issue. Skilljar will need a reasonable timeframe to review, recreate and address any potential findings.
Please note Skilljar does not operate a bug bounty program and we make no offer of reward or compensation for sharing potential security vulnerabilities. Skilljar Subscribers or their customers are not eligible for this program and should refrain from any testing attempts.
Disclosure Guidelines
- First and foremost, no data loss or interruption of service should be incurred
- Specific details of the perceived vulnerability and steps to reproduce should be provided
- Privacy of any data should not be violated
- Data and systems should not be modified