Skilljar Security Overview
Skilljar is committed to providing a secure, reliable and highly available service. This document provides an overview of our security policies and technology. We are happy to discuss any of these points in more detail with concerned customers.
Last Updated: October 17, 2016
SOC 2 Audited
Skilljar is committed to maintaining the security of its customers’ information. Skilljar has completed a Service Organization Controls 2 (SOC 2) audit with a third-party evaluator (Grant Thornton) certified by The American Institute of CPAs (AICPA). This audit uses the Trust Services Principles, published by the AICPA, to evaluate the effectiveness of a service organization’s controls.
More information on SOC 2 reports can be found here.
Skilljar has been awarded the Skyhigh CloudTrust™ rating of Enterprise-Ready. Skyhigh Enterprise-Ready cloud services fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection.
Salesforce.com Security Review
Skilljar has successfully completed the Salesforce.com Security Review and is now listed on the Salesforce AppExchange.
Hosting and Physical Security
Skilljar servers are hosted on Heroku, an application platform that in turn uses services provided by Amazon Web Services (AWS). As such, Skilljar inherits the control environment which Amazon maintains and demonstrates via SSAE16 SOC 1, 2 and 3, ISO 27001 and FedRAMP/FISMA reports and certifications. Web servers and databases run on servers in secure data centers. Physical access is restricted to authorized personnel. Premises are monitored and access is logged.
You can read further about AWS and Heroku security and certifications here:
Isolation of Services
Skilljar servers run in Linux virtual machines which are isolated from one another and from the underlying hardware layer. Server processes are confined to a particular directory and do not have access to the rest of the local filesystem.
Skilljar services are accessible only over HTTPS. Traffic over HTTPS is encrypted in transit, which protects it from eavesdropping and tampering by unauthorized third parties. Skilljar uses only strong encryption algorithms with a key length of at least 128 bits.
All network access, both within the datacenter and between the datacenter and outside services, is restricted by firewall and routing rules. Network access is logged and logs are retained for a minimum of 30 days.
Skilljar servers are only accessible through HTTPS and deny access to other ports, except that SSH access (using public-key authentication rather than passwords) is enabled for administration. Administrative access is granted only to select employees of Skilljar, based on role and business need.
Access to databases used in the Skilljar service is over an encrypted link (TLS).
Clients log in to Skilljar using a password which is known only to them, and only over secure (HTTPS) connections. Clients are required to have reasonably strong passwords. Passwords are never stored in plaintext; instead, as is standard practice, only a salted, deliberately slow hash of the password is stored in the database. Because each hash is relatively expensive to compute, and because a per-password salt prevents precomputed tables from being reused across accounts, brute-force guessing is relatively ineffective, and recovering the password is difficult even if the hash value were to be obtained by a malicious party.
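The salted, slow-hash scheme described above, as an added example that is not Skilljar's own code. The page names bcrypt but gives no parameters, so PBKDF2-HMAC-SHA256 from the Python standard library stands in as the expensive salted hash (an assumption made so the example needs no third-party package); the storage format `$pbkdf2-sha256$iterations$salt$digest`, the iteration count, and the sample passwords and wordlist are all constructed for this example.

```python
"""Salted, deliberately slow password hashing with constant-time verification.

Added example, not Skilljar's code. PBKDF2-HMAC-SHA256 stands in for the
bcrypt named on the page (assumption: the page gives no parameters).
The self-describing record format below is also an assumption.
"""
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional

SCHEME = "pbkdf2-sha256"
SALT_BYTES = 16              # 128-bit random salt, unique per password
DKLEN = 32                   # 256-bit derived key
DEFAULT_ITERATIONS = 600_000  # work factor; raise it as hardware gets faster


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record; the salt is random unless supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=DKLEN)
    # Iteration count and salt travel with the hash, so the work factor can
    # be raised for new records without invalidating existing ones.
    return f"${SCHEME}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters, compare in constant time."""
    try:
        empty, scheme, iters, salt_b64, digest_b64 = stored.split("$")
        if empty != "" or scheme != SCHEME:
            return False
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # wrong field count, non-numeric count, or bad base64
        return False
    if iterations < 1 or len(expected) != DKLEN:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=DKLEN)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def brute_force(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """The attacker's side: each guess costs a full KDF run against this
    record's salt, so a table precomputed for another account is useless."""
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok: ", verify_password("correct horse battery staple", record))
    print("login bad:", verify_password("Tr0ub4dor&3", record))
    # Constructed wordlist for the demonstration; none of these match.
    print("dictionary hit:", brute_force(record, ["password", "123456", "letmein"]))
```

Two properties of the scheme are visible when you run it: hashing the same password twice yields two different records because of the random salt, and verification rejects malformed or tampered records without ever reaching the comparison step.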
When clients enable end users to connect to Skilljar using user-supplied credentials (Single Sign On), this is done using security tokens, OAuth, or SAML 2.0, and in those cases, no credentials need to be stored in the Skilljar system.
Skilljar developers have been trained in secure coding practices. Skilljar application architecture includes mitigation measures for common security flaws such as the OWASP Top 10. The Skilljar application uses industry standard, high-strength algorithms including AES and bcrypt. Periodic security tests are conducted, including using scanning and fuzzing tools to check for vulnerabilities.
Employee Screening and Policies
As a condition of employment all Skilljar employees undergo pre-employment background checks and agree to company policies including security and acceptable use policies.
Reporting Security Issues
At Skilljar, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present. We have implemented a responsible disclosure policy to ensure that problems are addressed quickly and safely.
If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. Please contact us at firstname.lastname@example.org.