Customer trust and data security are critical to everything we do
Eduflow operates with different levels of permissions inside the app. Institutions have owners with access to billing and high-level settings. Additionally, institutions have admins that can do most of the things that owners can do. Most users will be added either as instructors with limited access to data and settings or learners with access limited to just their own work and courses.
Password and Credential Storage
Eduflow enforces a password complexity standard and credentials are stored using Argon2.
We have uptime of 99.9% or higher for both our website and our app. This is monitored using Uptime Robot.
Network & application security
Data Hosting and Storage
The Eduflow service is hosted on Heroku (www.heroku.com) which is owned and run by Salesforce (www.salesforce.com). Their security documents are here: www.trust.salesforce.com/en/.
Our application and application database are located in Ireland, inside the EU, to comply with GDPR. Additionally, parts of our data (for example backups and submission files) are stored on Amazon S3 (www.aws.amazon.com/s3/) in Ireland.
All data sent to or from Eduflow is encrypted in transit using 256-bit encryption. Our API and application endpoints are TLS/SSL only and score an “A+” rating on Qualys SSL Labs’ tests. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled. We also encrypt data at rest using an industry-standard AES-256 encryption algorithm.
Eduflow implements a protocol for handling security events which includes escalation procedures, rapid mitigation and post-mortem.
Backups and Monitoring
We use Logentries, Sentry and our own internal logging system to log every interaction between users and our application.
Permissions and Authentication
Access to customer data is limited to authorized employees who require it for their job. Eduflow is served 100% over HTTPS. There are no corporate resources or additional privileges from being on Eduflow’s network. We have Single Sign-on (SSO), 2-factor authentication (2FA) and strong password policies on GitHub, Google, AWS and Intercom to ensure access to cloud services is protected.
Pentests, Vulnerability Scanning and Bug Bounty Program
Eduflow uses third-party security tools to continuously scan for vulnerabilities. Our security team responds to issues raised. Yearly, we engage third-party security experts to perform detailed penetration tests on the Eduflow application and infrastructure.
If you think you may have found a security vulnerability, please contact firstname.lastname@example.org.
Additional security features
Eduflow has a data security policy covering a range of topics. This policy is updated frequently and signed by all employees on their first day.
All employee contracts include a confidentiality agreement.
All payments made to Eduflow go through our partner, Stripe. Details about their security setup and PCI compliance can be found at Stripe’s security page.