Security

Skilljar is committed to providing a secure, reliable and highly available service. This document provides an overview of our security policies and technology. We are happy to discuss any of these points in more details with concerned customers.

SOC 2 Audited

Skilljar is committed to maintaining the security of its customers’ information. Skilljar has completed a Service Organization Controls 2 Type II (SOC 2 Type II) audit with a 3rd-party evaluator (Grant Thornton) certified by The American Institute of CPAs (AICPA). This audit uses the Trust Services Principles, published by the AICPA, to evaluate the effectiveness of a service organization’s controls.

More information on SOC 2 reports can be found here.

Skyhigh CloudTrust™

Skilljar has been awarded the Skyhigh CloudTrust™ rating of Enterprise-Ready. Skyhigh Enterprise-Ready cloud services fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection.

Salesforce.com Security Review

Skilljar has successfully completed the Salesforce.com Security Review and is now listed on the Salesforce AppExchange.

Hosting and Physical Security

Skilljar servers are hosted on Heroku, an application platform that in turn uses services provided by Amazon Web Services (AWS). As such, Skilljar inherits the control environment which Amazon maintains and demonstrates via SSAE16 SOC 1, 2 and 3, ISO 27001 and FedRAMP/FISMA reports and certifications. Web servers and databases run on servers in secure data centers. Physical access is restricted to authorized personnel. Premises are monitored and access is logged.

You can read further about AWS and Heroku security and certifications here:

Isolation of Services

Skilljar servers run in Linux virtual machines which are isolated from one another and from the underlying hardware layer. Server processes are restricted to a particular directory and do not have access to the local filesystem.

Network Security

Skilljar services are accessible only over HTTPS. Traffic over HTTPS is encrypted and is protected from interception by unauthorized third parties. Skilljar uses only strong encryption algorithms with a key length of at least 128 bits.

All network access, both within the datacenter and between the datacenter and outside services, is restricted by firewall and routing rules. Network access is logged and logs are retained for a minimum of 30 days.

Skilljar servers are only accessible through HTTPS and deny access to other ports, except that SSH access (protected by TLS and private key authentication) is enabled for administration. Administrative access is granted only to select employees of Skilljar, based on role and business need.
Access to databases used in the Skilljar service is over an encrypted link (TLS).

Authentication

Clients login to Skilljar using a password which is known only to them and done only over secure (HTTPS) connections. Clients are required to have reasonably strong passwords. Passwords are not stored unencrypted; instead, as is standard practice, only a secure hash of the password is stored in the database. Because the hash is relatively expensive to compute, and because a "salting" method is used, brute-force guessing attempts are relatively ineffective, and password reverse-engineering is difficult even if the hash value were to be obtained by a malicious party.

When clients enable end users to connect to Skilljar using user-supplied credentials (Single Sign On), this is done using security tokens, OAuth, or SAML 2.0, and in those cases, no credentials need to be stored in the Skilljar system.

Development Process

Skilljar developers have been trained in secure coding practices. Skilljar application architecture includes mitigation measures for common security flaws such as the OWASP Top 10. The Skilljar application uses industry standard, high-strength algorithms including AES and bcrypt. Periodic security tests are conducted, including using scanning and fuzzing tools to check for vulnerabilities.

Employee Screening and Policies

As a condition of employment all Skilljar employees undergo pre-employment background checks and agree to company policies including security and acceptable use policies.

Data Privacy

Skilljar has a privacy policy, which details the steps we take to protect clients’ information. You can view the privacy policy here: https://www.skilljar.com/privacy

GDPR

Skilljar stores a minimum of Personally Identifiable Information (PII), and only as instructed by our Subscriber for the purposes of delivering the Skilljar Services. Our Subscribers act as the Data Controller and determine what data is sent to Skilljar for processing. Per the GDPR principles, Subscribers should avoid sharing unnecessary personal data with Skilljar beyond basic information (name and email address).

GDPR states that data controllers must provide users with specific information on how their personal data is being collected, used, stored and shared. As such, you may need to update your privacy policy to reflect your use of Skilljar as a data processor for the purposes of delivering your training program. Skilljar also provides tools that Subscribers may use to provide such notice. For example, you may utilize Skilljar’s Pop-Up Modal to provide notice at the time of user registration.

If your legal counsel determines you also need to obtain user consent before using Skilljar, make sure you update your Skilljar configuration to only send data from those who provided the required consent or have otherwise consented to it.

Skilljar follows the policies below that are relevant to GDPR:

  • Privacy Policy: Skilljar's privacy policy has been updated to align with GDPR: https://www.skilljar.com/privacy/
  • Model Clauses & Data Processing Agreement (DPA): Skilljar includes a DPA as part of our default contract. If you are, or represent, one of our Subscribers that has signed a separate GDPR-compliant data processing agreement or addendum with us, the terms of your existing data processing addendum or agreement will continue to apply and you do not need to take any other steps.
  • Basis for processing: Skilljar collects and processes data to fulfill performance of our contract with our Subscriber. Each Subscriber, as the data controller, is responsible for determining the lawful basis for processing data and documenting EU data subject consent, if consent is the lawful basis for processing.
  • Data Storage: All data is stored securely in the United States via Amazon Web Services.
  • Data Deletion, Correction, Editing, or Extraction: Skilljar will export, correct, or delete student data upon request by the Subscriber, if the functionality is not already available self-service (Skilljar provides Subscriber administrators with the ability to respond to routine access and export requests in the Skilljar Dashboard.) Delete requests must be submitted to support@skilljar.com and will be processed within 10 days of submission. All data storage & back-end infrastructure is designed to allow these requests. Skilljar manages this process with an internal ticket and then confirmation is provided to the requesting parties.
  • Consent: Skilljar is a data importer and data subject consent is the responsibility of the Subscriber as a data controller. Skilljar provides product functionality that assists the Subscriber in obtaining and documenting consent.
  • Marketing: Skilljar does not market to, nor resell, any Contact Data collected on behalf of the Subscriber.

Data Inventory

Data Type Basis for Collection Notes
Email address Required This is the minimum required for Skilljar to deliver the Services.
Other End User demographic information (name, job title, company, etc.) As directed by Subscriber We rely on our Subscribers to share only the data that is necessary to meet our obligations.
Training analytics (course progress, course titles, etc.) As directed by Subscriber Subscriber has purchased Skilljar to report on individual’s training analytics.
Web browser analytics (IP address, session time, etc.) As consented to by End Users The current e-Privacy Proposal recognizes that consent can be obtained via browser settings and by creating an exemption from the consent requirement for arty analytics. In addition, the Proposal requires browser providers to allow individuals, during the initial setup, to configure their browser to prevent the use of cookies and similar technologies.

It is important to note that GDPR does not have an accredited certification method, thus, there is no GDPR-approved way to demonstrate compliance.

Reporting Security Issues

At Skilljar, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present. We have implemented a responsible disclosure policy to ensure that problems are addressed quickly and safely.

If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. Please contact us at security@skilljar.com.

Last Updated: May 15, 2018