Security

Data security and customer trust are paramount to us here at Skilljar. We are committed to providing a reliable and highly available service, complete with enterprise-grade security.

Table of Contents
SOC 2 Certified

Skilljar is committed to maintaining the security of its customers’ information. Annually, Skilljar completes a Service Organization Controls 2 Type II (SOC 2 Type II) audit with an independent 3rd-party evaluator certified by The American Institute of CPAs (AICPA). This audit uses the Trust Services Principles, published by the AICPA, to evaluate the effectiveness of a service organization’s controls.

SOC 2 Certified

More information on SOC 2 reports can be found here.

Salesforce.com Security Review

Skilljar has successfully completed the Salesforce.com Security Review and is now listed on the Salesforce AppExchange.

Hosting and Physical Security

Skilljar servers are hosted on Heroku, an application platform that in turn uses services provided by Amazon Web Services (AWS). As such, Skilljar inherits the control environment which Amazon maintains and demonstrates via SSAE16 SOC 1, 2 and 3, ISO 27001 and FedRAMP/FISMA reports and certifications. Web servers and databases run on servers in secure data centers. Physical access is restricted to authorized personnel. Premises are monitored and access is logged.

You can read further about AWS and Heroku security and certifications here:

Isolation of Services

Skilljar servers run in Linux virtual machines which are isolated from one another and from the underlying hardware layer. Server processes are restricted to a particular directory and do not have access to the local filesystem.

Network Security

Skilljar services are accessible only over HTTPS. Traffic over HTTPS is encrypted and is protected (TLS 1.2 and higher) from interception by unauthorized third parties. Skilljar uses only strong encryption algorithms with a key length of at least 128 bits.
All network access, both within the datacenter and between the datacenter and outside services, is restricted by firewall and routing rules. Network access is logged and logs are retained for a minimum of 30 days.

Skilljar servers are only accessible through HTTPS and deny access to other ports, except that SSH access (protected by TLS and private key authentication) is enabled for administration. Administrative access is granted only to select employees of Skilljar, based on role and business need.

Access to databases used in the Skilljar service is over an encrypted link (TLS).

Authentication

Clients login to Skilljar using a password which is known only to them and done only over secure (HTTPS) connections. Clients are required to have reasonably strong passwords. Passwords are not stored unencrypted; instead, as is standard practice, only a secure hash of the password is stored in the database. Because the hash is relatively expensive to compute, and because a “salting” method is used, brute-force guessing attempts are relatively ineffective, and password reverse-engineering is difficult even if the hash value were to be obtained by a malicious party.

When clients enable end users to connect to Skilljar using user-supplied credentials (Single Sign On), this is done using security tokens, OAuth, or SAML 2.0, and in those cases, no credentials need to be stored in the Skilljar system.

Development Process

Skilljar developers have been trained in secure coding practices. Skilljar application architecture includes mitigation measures for common security flaws such as the OWASP Top 10. The Skilljar application uses industry standard, high-strength algorithms including AES and bcrypt. Periodic security tests are conducted, including using scanning and fuzzing tools to check for vulnerabilities.

Employee Screening and Policies

As a condition of employment all Skilljar employees undergo pre-employment background checks and agree to company policies including security and acceptable use policies.

Data Privacy

Skilljar has a privacy policy, which details the steps we take to protect clients’ information. You can view the privacy policy here: https://www.skilljar.com/privacy

GDPR

Skilljar stores a minimum of Personally Identifiable Information (PII), and only as instructed by our Subscriber for the purposes of delivering the Skilljar Services. Our Subscribers act as the Data Controller and determine what data is sent to Skilljar for processing. Per the GDPR principles, Subscribers should avoid sharing unnecessary personal data with Skilljar beyond basic information (name and email address).

GDPR states that data controllers must provide users with specific information on how their personal data is being collected, used, stored and shared. As such, you may need to update your privacy policy to reflect your use of Skilljar as a data processor for the purposes of delivering your training program. Skilljar also provides tools that Subscribers may use to provide such notice. For example, you may utilize Skilljar’s Pop-Up Modal to provide notice at the time of user registration.

If your legal counsel determines you also need to obtain user consent before using Skilljar, make sure you update your Skilljar configuration to only send data from those who provided the required consent or have otherwise consented to it.

Skilljar follows the policies below that are relevant to GDPR:

  • Privacy Policy: Skilljar’s privacy policy has been updated to align with GDPR: https://www.skilljar.com/privacy/
  • Model Clauses & Data Processing Agreement (DPA): Skilljar includes a DPA as part of our default contract. If you are, or represent, one of our Subscribers that has signed a separate GDPR-compliant data processing agreement or addendum with us, the terms of your existing data processing addendum or agreement will continue to apply and you do not need to take any other steps.
  • Basis for processing: Skilljar collects and processes data to fulfill performance of our contract with our Subscriber. Each Subscriber, as the data controller, is responsible for determining the lawful basis for processing data and documenting EU data subject consent, if consent is the lawful basis for processing.
  • Data Storage: All data is stored securely in the United States via Amazon Web Services.
  • Data Deletion, Correction, Editing, or Extraction: Skilljar will export, correct, or delete student data upon request by the Subscriber, if the functionality is not already available self-service (Skilljar provides Subscriber administrators with the ability to respond to routine access and export requests in the Skilljar Dashboard).
  • Consent: Skilljar is a data importer and data subject consent is the responsibility of the Subscriber as a data controller. Skilljar provides product functionality that assists the Subscriber in obtaining and documenting consent.
  • Marketing: Skilljar does not market to, nor resell, any Contact Data collected on behalf of the Subscriber.
Data Inventory
Data Type Basis for Collection Notes
Email address Required This is the minimum required for Skilljar to deliver the Services.
Other End User demographic information (name, job title, company, etc.) As directed by Subscriber We rely on our Subscribers to share only the data that is necessary to meet our obligations.
Training analytics (course progress, course titles, etc.) As directed by Subscriber Subscriber has purchased Skilljar to report on individual’s training analytics.
Web browser analytics (IP address, session time, etc.) As consented to by End Users The current e-Privacy Proposal recognizes that consent can be obtained via browser settings and by creating an exemption from the consent requirement for third party analytics. In addition, the Proposal requires browser providers to allow individuals, during the initial setup, to configure their browser to prevent the use of cookies and similar technologies.

It is important to note that GDPR does not have an accredited certification method, thus, there is no GDPR-approved way to demonstrate compliance.

Reporting Security Issues

Skilljar takes its security responsibilities seriously on behalf of our clients, their customers, and ourselves.  We also view the role of security researchers as critical in the improvement of controls and products that we offer.  We believe the ethical and safe processes that can be used to discover vulnerabilities should have a proper channel to advise Skilljar.  Please review below for our standards regarding our Vulnerability Disclosure Program.

Notification

For issues found with Skilljar products, send these concerns to sec_reporting@skilljar.com.

Non-Skilljar Issues

Any issues found that are not directly the intellectual property of Skilljar that come from external sources will be advanced to that party.  These issues would be outside of our program and while appreciative, these will not be handled in the same manner.

Disclosure Process

Skilljar will take all reported issues seriously and review the details.  If any vulnerabilities are confirmed, Skilljar will immediately work to rectify the finding.  In order to protect Skilljar from chaos testing, any researcher who wishes to engage in our program needs to comply with our process.  We will not take legal action against any legitimate, non-disruptive testing used to reveal an issue.  Skilljar will need a reasonable timeframe to review, recreate and address any potential findings.

Please note Skilljar does not operate a bug bounty program and we make no offer of reward or compensation for sharing potential security vulnerabilities.  Skilljar clients or their customers are not eligible for this program and should refrain from any testing attempts.

Disclosure Guidelines
  • First and foremost, no data loss or interruption of service should be incurred
  • Specific details of the perceived vulnerability and steps to reproduce should be provided
  • Privacy of any data should not be violated
  • Data and systems should not be modified

 

Last Updated: May 12, 2021