Credentialate Data Security and Privacy
Credentialate is built on a modern cloud infrastructure designed to ensure the safety of your data, and we use proven third-party cloud providers.
Ensuring the safety and privacy of your data is fundamental to our mission, and underlies one of our core values – Build Trust. We take regular data backups and test recovery, run penetration testing, encrypt all data at rest and in transit, conduct static code analysis and third-party vulnerability scanning, sanitise our logs, isolate each customer at the database level, and apply many other cloud security techniques.
You own your data, and can take it with you should you ever leave. You may choose to make learner achievement data publicly available on the internet as evidence to validate any digital credential earned by a Learner. Learners who receive a digital credential can control the visibility of this data via the relevant Badge provider's platform. We will never sell your data. We generate anonymised and aggregated statistical and analytical data to support analytics, benchmarking and comparative features, research and development and other purposes, but such analytical data will never identify either customers or learners.
Security features
Product security
Feature
Details
Single sign-on (SSO)
Credentialate supports a range of SSO schemes. We recommend SSO to streamline user management and eliminate the management of local users and passwords.
Secure passwords
Credentialate enforces a password complexity standard. Stored credentials are encrypted at rest in accordance with industry standards, and all requests are encrypted in transit with TLS.
Permissions
Users are allocated roles allowing access to varying levels of administrative function. Further, users can be allocated access at a course level.
High availability
We ensure high availability across the platform by applying industry best practices in our cloud infrastructure: continuous automated monitoring and alerting, fast continuous deployments, multi-node load balancing and automatic scaling.
Testing
Credentialate builds are rigorously tested through a combination of thorough automated tests and stringent manual testing.
Network and application security
Feature
Details
Hosting and storage
Credentialate services and data are hosted in Amazon Web Services (AWS) facilities and follow the recommendations of AWS Well-Architected Reviews for security and reliability. Databases are isolated within an Amazon Virtual Private Cloud (VPC).
Data integrity and security
Customer segregation and access control are enforced by holding each customer's data in its own database instance. Because no two customers share a database, one customer's data cannot be mixed with, or reached through, another customer's database.
Encryption at rest
All data is encrypted at rest via AWS RDS and S3 using AWS recommended encryption standards.
Encryption in transit
Data is encrypted in transit with Transport Layer Security (TLS), both between the browser and our servers and for system integrations. All certificates are issued and managed through AWS, and we enable HTTP Strict Transport Security (HSTS) so that browsers only ever connect to us over HTTPS. We score an 'A' rating on Qualys SSL Labs' tests.
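As an added example (not code from Credentialate or Edalex), here is a small Python checker for the HSTS behaviour described in the row above. It parses a Strict-Transport-Security field value according to the directive syntax of RFC 6797, treats a header a browser would ignore (duplicate directive, missing or non-numeric max-age) as malformed, and reports a policy that is too weak to be useful. The header values, the one-year threshold and the function names are constructed for illustration and say nothing about Credentialate's actual configuration.

```python
import re

# One directive: name, optionally "=" and a token or quoted-string (RFC 6797 section 6.1).
DIRECTIVE_RE = re.compile(
    r'\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*("(?:[^"\\]|\\.)*"|[^;\s"]*))?\s*$'
)

ONE_YEAR = 31_536_000  # seconds; also the minimum max-age accepted by the preload list


def parse_hsts(value):
    """Parse a Strict-Transport-Security field value into {directive: value}.

    Returns None when the header is one a browser would ignore: a directive that
    does not parse, a duplicated directive, or a missing/non-numeric max-age.
    Directive names are case-insensitive and are returned lower-cased."""
    directives = {}
    for part in value.split(";"):
        if not part.strip():
            continue                          # empty slots (e.g. a trailing ';') are allowed
        m = DIRECTIVE_RE.match(part)
        if not m:
            return None
        name = m.group(1).lower()
        if name in directives:
            return None                       # a duplicate directive invalidates the header
        val = m.group(2)
        if val is not None and val.startswith('"'):
            val = val[1:-1].replace('\\"', '"')   # unquote a quoted-string value
        directives[name] = val
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return None
    return directives


def check_hsts(headers, min_max_age=ONE_YEAR):
    """Return a list of findings for the HSTS policy in `headers`; [] means acceptable."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header"]
    d = parse_hsts(value)
    if d is None:
        return ["malformed Strict-Transport-Security header (browsers ignore it)"]
    findings = []
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 disables HSTS")
    elif max_age < min_max_age:
        findings.append(f"max-age {max_age} is below {min_max_age}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing")
    if "preload" in d and (max_age < ONE_YEAR or "includesubdomains" not in d):
        findings.append("preload requires max-age >= 1 year and includeSubDomains")
    return findings


# Constructed header sets for illustration (not captured from any real site).
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=300"}
STRONG_HEADERS = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}

if __name__ == "__main__":
    print("weak:", check_hsts(WEAK_HEADERS))
    print("strong:", check_hsts(STRONG_HEADERS))
```

Feed it the headers of a response fetched over HTTPS: browsers discard an HSTS header received over plain HTTP, and the policy only takes effect after the first successful HTTPS visit unless the domain is on the preload list, so the redirect from HTTP to HTTPS still has to be in place.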
Vulnerability scanning
Edalex uses third-party security tools to scan for vulnerabilities, and our engineers respond to the issues raised. Automated OWASP dependency checking is built into the build process to detect, and alert on, newly disclosed and known vulnerabilities in third-party components.
Penetration testing
Independent third-party penetration testing is undertaken regularly in two stages: issues identified in the first stage are addressed, and a second stage verifies the fixes and certifies the result.
Brute force prevention
We employ password strength requirements, Cross-Site Request Forgery (CSRF) protection, secure password reset practices, and login attempt rate limiting with automated account lockout.
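As an added example (not Credentialate's code), here is one way to implement the login attempt rate limiting and automatic lockout described in the row above: a sliding-window count of failed attempts per account, a temporary lock once the threshold is reached, a reset on successful login, and a password check that costs the same time whether or not the account exists, so the lockout path does not leak which usernames are valid. The thresholds, the user store, the PBKDF2 parameters and the function names are assumptions for the example; Credentialate's actual limits are not published on this page.

```python
import hashlib
import hmac
import os
import time
from collections import deque


class LoginThrottle:
    """Sliding-window count of failed logins per key (here the username) with
    automatic temporary lockout once the threshold is reached."""

    def __init__(self, max_attempts=5, window_seconds=300.0, lockout_seconds=900.0):
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # key -> deque of failure timestamps
        self._locked_until = {}  # key -> time at which the lockout expires

    def is_locked(self, key, now=None):
        now = time.monotonic() if now is None else now
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[key]     # lockout has expired
            return False
        return True

    def record_failure(self, key, now=None):
        """Record a failed attempt; return True if this failure triggered a lockout."""
        now = time.monotonic() if now is None else now
        attempts = self._failures.setdefault(key, deque())
        attempts.append(now)
        while attempts and now - attempts[0] > self.window_seconds:
            attempts.popleft()              # drop failures that fell outside the window
        if len(attempts) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout_seconds
            attempts.clear()
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)       # a good login resets the counter


def hash_password(password, salt=None, iterations=600_000):
    """PBKDF2-HMAC-SHA256; returns (salt, iterations, digest) for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, record):
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# Constructed user store for the example (assumption; not real credentials).
# The low iteration count only keeps the example fast; use the default in practice.
USERS = {"alice": hash_password("correct horse battery staple", iterations=10_000)}
# Dummy record so an unknown username costs the same time as a wrong password.
DUMMY_RECORD = hash_password("unused", iterations=10_000)


def attempt_login(throttle, users, username, password, now=None):
    """Return 'locked', 'ok' or 'invalid'. `now` is injectable for deterministic tests."""
    now = time.monotonic() if now is None else now
    if throttle.is_locked(username, now):
        return "locked"                     # reject before doing any password work
    record = users.get(username)
    matched = verify_password(password, record if record is not None else DUMMY_RECORD)
    if record is not None and matched:
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, now)
    return "invalid"                        # same answer for unknown user and wrong password


if __name__ == "__main__":
    throttle = LoginThrottle(max_attempts=3, window_seconds=60.0, lockout_seconds=120.0)
    for i in range(4):
        print(i, attempt_login(throttle, USERS, "alice", "wrong", now=float(i)))
```

Keying the lockout on the account alone lets an attacker who knows a username lock the legitimate user out, so in practice a second throttle keyed on the source address (or a CAPTCHA step) is layered on top, and the lockout message should not differ between a locked account and an unknown one.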
Backups & monitoring
All client databases are backed up on a rotation schedule with a 7-year retention policy. All backup snapshots and disks are encrypted using the AWS Key Management Service (KMS). Application logs for all activities are stored in AWS and retained for at least 30 days.
Incident response
Our team has a 24 / 7 on-call rotation and escalation policy, with production alerts captured and automatically escalated.
Security policies
Feature
Details
Confidentiality
All employee and contractor agreements include a confidentiality clause.
Policies
Our internal security policies cover a range of topics, and are updated frequently and shared with all employees and contractors.
Compliance
Feature
Details
AWS Well-Architected Review
Periodically undertaken, the review is designed to help build secure, high-performing, resilient and efficient infrastructure for applications.