SECURITY

Customer trust and data security are critical to everything we do

Compliance

We’re compliant with General Data Protection Regulation (GDPR) and Privacy Shield.
General Data Protection Regulation
Standard Contractual Clauses

Product security

Permissions

Eduflow operates with different levels of permissions inside the app. Institutions have owners with access to billing and high-level settings. Additionally, institutions have admins who can do most of the things that owners can do. Most users will be added either as instructors, with limited access to data and settings, or as students, with access limited to just their own work and courses.

Password and Credential Storage

Eduflow enforces a password complexity standard, and credentials are stored using Argon2.

Uptime

We have uptime of 99.9% or higher for both our website and our app. This is monitored using Uptime Robot.

Network & application security

Data Hosting and Storage

The Eduflow service is hosted on Heroku (www.heroku.com), which is owned and run by Salesforce (www.salesforce.com). Their security documents are here: www.trust.salesforce.com/en/.

Our application and application database are located in Ireland, inside the EU, to comply with GDPR. Additionally, parts of our data (for example, backups and submission files) are stored on Amazon S3 (www.aws.amazon.com/s3/) in Ireland.

Encryption

All data sent to or from Eduflow is encrypted in transit using 256-bit encryption. Our API and application endpoints are TLS/SSL only and score an “A+” rating on Qualys SSL Labs’ tests. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled. We also encrypt data at rest using the industry-standard AES-256 encryption algorithm.

Incident Response

Eduflow implements a protocol for handling security events, which includes escalation procedures, rapid mitigation and post-mortem.

Backups and Monitoring

We use Logentries, Sentry and our own internal logging system to log every interaction between users and our application.

Permissions and Authentication

Access to customer data is limited to authorized employees who require it for their job. Eduflow is served 100% over HTTPS. There are no corporate resources or additional privileges from being on Eduflow’s network. We have Single Sign-on (SSO), 2-factor authentication (2FA) and strong password policies on GitHub, Google, AWS and Intercom to ensure access to cloud services is protected.

Pentests, Vulnerability Scanning and Bug Bounty Program

Eduflow uses third-party security tools to continuously scan for vulnerabilities. Our security team responds to issues raised. Yearly, we engage third-party security experts to perform detailed penetration tests on the Eduflow application and infrastructure.

Additional security features

Policies

Eduflow has a data security policy covering a range of topics. This policy is updated frequently and signed by all employees on their first day.

Confidentiality

All employee contracts include a confidentiality agreement.

PCI Obligations

All payments made to Eduflow go through our partner, Stripe. Details about their security setup and PCI compliance can be found at Stripe’s security page.