Privacy, Security & Compliance

We consider cybersecurity as a business imperative:
Our biggest responsibility.

Everything you need to know about our security controls and policies


Building blocks of our cybersecurity


Infrastructure

Here's an overview of our secured infrastructure:

  1. Protection from cyber attacks: We deploy leading next-generation antivirus (NGAV) capabilities that include the ability to identify known malware, machine learning for unknown malware, exploit blocking, and exclusive indicator of attack (IOA) behavioral techniques.
  2. Keeping everything fresh & updated: We use a cross-platform patch management solution that works across Windows, macOS, and Linux operating systems and provides full patching and configuration control.
  3. Penetration tests: Our platform is routinely tested for vulnerabilities by an independent agency.
  4. Separate staging environment: We use a staging environment that is completely separated from our production environment. Production user data is never used in our staging environment during testing.
  5. Business continuity and disaster recovery: We have a formal BCP/DR plan to ensure the business remains operational, and that all data access and IT infrastructure are restored after a disaster.

Data Security

We employ extensive security measures to protect both data-at-rest & data-in-motion:

  1. Encryption-in-transit: Data in transit is protected with TLS 1.2 or higher using industry-standard encryption. The certificate signature algorithm is SHA-256 with RSA.
  2. HTTP Strict Transport Security (HSTS): This policy enforcement protects our site from downgrade attacks, SSL stripping, and cookie hijacking.
  3. Encryption-at-rest: We use industry-leading compliant cloud managed database servers for keeping our data-at-rest encrypted at all times.
  4. Physical security: We are a cloud SaaS with no physical data centers of our own. Physical security for the data centers is handled by Microsoft Azure.
  5. Backups: Backups for our database & virtual machines are enabled at all times.
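The HSTS item above states the control but not how to confirm it is actually effective: a Strict-Transport-Security header only protects against downgrade and SSL-stripping attacks if browsers accept it, which requires a numeric max-age, and a meaningfully long one. The following is an added example, not code from the page or from Almabase, that parses a header value and reports the weaknesses an assessor would look for. The one-year threshold and the sample header values are constructed for this example.

```python
import re

# Constructed sample header values for this example (not captured from any real site).
SAMPLE_HEADERS = {
    "strong": "max-age=63072000; includeSubDomains; preload",
    "short": "max-age=300",
    "broken": "includeSubDomains",
}

# Minimum max-age this example treats as effective (one year, in seconds).
# This is the example's own threshold, not a figure taken from the page.
MIN_MAX_AGE = 31536000


def parse_hsts(header: str) -> dict:
    """Split a Strict-Transport-Security value into a {directive: value} dict.

    Directive names are case-insensitive, so they are lower-cased; valueless
    directives (includeSubDomains, preload) map to True. Quoted values are
    unquoted. Unknown directives are kept but do not affect evaluation.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or True
    return directives


def evaluate_hsts(header: str) -> dict:
    """Return findings describing whether the policy would actually be enforced."""
    d = parse_hsts(header)
    findings = {
        "valid": False,
        "max_age": None,
        "include_subdomains": False,
        "preload": False,
        "issues": [],
    }
    raw = d.get("max-age")
    # Without a numeric max-age, browsers ignore the whole header.
    if raw is None or raw is True or not re.fullmatch(r"\d+", str(raw)):
        findings["issues"].append("missing or non-numeric max-age: header is ignored by browsers")
        return findings
    findings["valid"] = True
    findings["max_age"] = int(raw)
    findings["include_subdomains"] = "includesubdomains" in d
    findings["preload"] = "preload" in d
    if findings["max_age"] == 0:
        findings["issues"].append("max-age=0 removes the policy instead of enforcing it")
    elif findings["max_age"] < MIN_MAX_AGE:
        findings["issues"].append(
            f"max-age {findings['max_age']} is below {MIN_MAX_AGE} seconds"
        )
    if not findings["include_subdomains"]:
        findings["issues"].append(
            "includeSubDomains absent: subdomains can still be reached over plain HTTP"
        )
    return findings


if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(label, evaluate_hsts(value))
```

Run against a live header (for example the value reported by `curl -sI https://example.invalid | grep -i strict`), the function distinguishes a header that is merely present from one that browsers will honour for long enough to matter.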

Data Access

  1. We strictly monitor access to customer data and only permit it on an as-needed basis.
  2. When developers connect to the remote servers, the purpose of the access and all activity are logged. The developer is always authenticated first using their corporate login identity.
  3. Access to internal and external systems is granted to our employees using role based access control. We have formal onboarding and offboarding procedures to ensure that employees are only given the access they need based on business justification.
  4. Whenever possible, we provision individual accounts for all users. Shared accounts are only used where provisioning individual accounts is not possible.
Password Security

Internal Controls

  1. Passwords must only be stored using a company approved password manager.
  2. We do not hard code passwords or embed credentials in static code.
  3. Unique accounts and passwords are required for all users. Passwords are kept confidential and never shared between users. Where possible, all user and system account passwords must be at least eight characters long, including upper- and lower-case letters and at least one numeric character. All accounts must use unique passwords that are not used elsewhere.
  4. In addition, passwords are only placed in shared team vaults in the event that individual accounts cannot be provisioned for a certain service or database.
  5. Wherever possible, multi-factor authentication (MFA) is used to protect access to internal and external applications.

External Controls

  1. On the alumni portal, access is secured through password-less login via identity providers such as Google, Apple, Facebook & LinkedIn.
  2. For password-based login, a password policy is applied that mandates lowercase, uppercase and special characters, password expiry, and account lock-out after a maximum number of failed attempts.

Resilience & Availability

  1. > 99.9% uptime: Our availability is consistently above 99.9%. Customer data is 100% backed up using geographical redundancy with additional snapshots.
  2. Continuous monitoring: Our product and operations team uses proprietary and industry-recognized solutions to monitor application, software, and infrastructure behavior.
  3. Disaster recovery: We have robust controls to recover data and application code in the shortest possible time. Recovery Point Objective (RPO) and Recovery Time Objective (RTO) targets are implemented and tested.
Security Grades

A quick look at our security scores from third-party assessors:

  1. SSL Report: A+ (Qualys SSL Labs)
  2. Email Blacklist Report: Not Blacklisted (MX Toolbox)
  3. Site Malware Report: No Malware (Google Safe Browsing Report)

Got questions?

If you still have questions or would like to receive some additional information (some are subject to non-disclosure agreements), please reach out to security@almabase.com.
