Data Security

  1. Access Monitoring

    Skolarli has logging on all critical systems. Logs include failed/successful logins, application access, and system changes.
  2. Data Backups

    Skolarli utilizes AWS's robust infrastructure for hosting and data storage, ensuring high durability and security. Our customer data is safeguarded using a mix of database technologies on AWS, known for its 99.999999999% (11 9's) object durability. Both live and backup data are encrypted with rigorous security measures, and continuous monitoring and alert systems are in place for enhanced protection.
  3. Data Deletion

    Skolarli customers are the owners and controllers of their data. Customers are responsible for the information they create, use, store, process, and delete. Skolarli customers can request data deletion or self-serve their own deletion when data is not subject to regulatory or legal retention requirements.
  4. Data Encryption at Rest

    Customer data is encrypted using the FIPS 140-2 validated cryptographic module for storage encryption of data at rest. Data, including backups and temporary files created while running queries, are also encrypted. The service uses the AES 256-bit cipher and the keys are managed via AWS Key Management Service (KMS). Any third-party credentials entered by the customer on the marketplace apps are also encrypted using AES-256 encryption and isolated per customer in our database.
  5. Data Encryption in Transit

    Data in transit is encrypted using TLS 1.2 or greater.
  6. Physical Security

    Skolarli leverages Amazon Web Services (AWS) to host our application, and defers all data center physical security controls to AWS. Please refer to AWS's physical security controls here: https://aws.amazon.com/compliance/data-center/controls/
  7. Data Isolation / Dual DB Strategy

    Skolarli employs a dual-database strategy for optimal data security. Learners' profile information is securely stored in a relational database management system (RDBMS) on MySQL, ensuring structured data integrity and efficient query processing. In contrast, learner activities (Behavioural Analytics) are saved in Elasticsearch, which excels in managing large volumes of semi-structured and unstructured data, offering rapid search and analytics capabilities. This separation not only significantly enhances data security but also optimizes database performance for different types of data usage.

Application Security

  1. Code Analysis

    Skolarli's security and development teams engage in rigorous threat modeling and secure design assessments for each new release and update. Post-development of major feature releases, we undertake comprehensive code audits and reviews, along with systematic security scans of our entire codebase.
  2. Software Development Lifecycle (SDLC)

    Skolarli uses a defined SDLC to ensure that code is written securely. During the design phase, security threat modeling and secure design reviews are performed for new releases and updates. After code completion for significant feature launches, we perform code audits and conduct security scans for our codebase. We may work with vendor companies for threat modeling and for driving internal penetration tests.
  3. Credential Management

    Resources uploaded to S3 storage leverage AWS Key Management Service (KMS) for key management.
  4. Video Content Hosting

    Skolarli uses Cloudflare Streams and Vimeo to host and stream video content. We use the TUS protocol for video uploads, which means that if an upload is interrupted, it can be resumed from the point where it was disrupted. The videos are locked to *.skolar.li by default; this can also be customized to a domain of the customer's choice (depending on your account details). The videos are allowed to all geographies by default; this can also be customized based on customer requirements (depending on your account details).
  5. Vulnerability & Patch Management

    Skolarli continuously performs vulnerability scanning and package monitoring on all infrastructure-related hosts and on the company product. Externally and internally facing services are patched on a regular schedule. Any issues that are discovered are triaged and resolved according to their severity within Skolarli's environment.
  6. Web Application Firewall (WAF)

    All public endpoints leverage AWS WAF to deter attempts to exploit common vulnerabilities. Custom IP rate limiting and blocking are also implemented.

Security Profile

  1. Data Access Level

    Internal (i.e., Skolarli employees will only ever access your data for the purposes of troubleshooting problems or recovering content on your behalf).
  2. Hosting

    Skolarli is hosted on Amazon Web Services (AWS), one of the major cloud service providers. Our primary data center is located in Mumbai, India (ap-south-1 region).
  3. Recovery Time Objective (RTO)

    Estimated at 2 hours.
  4. Recovery Point Objective (RPO)

    Estimated at 24 hours.

Corporate Security

  1. Employee Training

    Security training is required during the employee onboarding process, and annually thereafter. Employees also must read and acknowledge Skolarli's Code of Conduct and the Security Policy.
  2. Internal Assessments

    Internal security audits are performed at least annually at Skolarli.

Access Control

  1. Least Privilege Principle

    At Skolarli, we strictly adhere to the Least Privilege principle for access management. This means access rights are assigned strictly based on an individual's role and the necessity of their tasks. Regular audits are conducted to validate and adjust these privileges, ensuring that access to critical systems is always justified and current with business needs.

Infrastructure

  1. Anti-DDoS

    Skolarli uses AWS Shield for the application and REST APIs, and Cloudflare DDoS protection for video and static assets.
  2. Data Center

    Skolarli is hosted on AWS, which handles physical security of the data centers. Please refer to AWS's security documentation here: https://aws.amazon.com/compliance/data-center/controls/
  3. Infrastructure Security

    Skolarli's infrastructure is hosted in a fully redundant, secured environment. Skolarli's customer data is hosted by AWS. AWS maintains a list of reports, certifications, and third-party assessments to ensure best security practices. For more information on AWS compliance, please see here: https://aws.amazon.com/compliance/

    AWS infrastructure is housed in Amazon-controlled data centers throughout the world, and the data centers themselves are secured with a variety of physical controls to prevent unauthorized access. More information on AWS data centers and their security controls can be found here: https://aws.amazon.com/compliance/data-center/controls/
  4. Separate Production Environment

    Customer data is never stored in non-production servers. Customer data is logically separated in our production servers, completely separated from development and staging environments with strict access control mechanisms in place.

Network Security

  1. Security Information and Event Management (SIEM)

    Skolarli utilizes AWS CloudWatch and AWS Security Hub for incident and event management. Event notifications are communicated to our staff in real-time.

Product Security Features

  1. Domain Management

    By default, the application is accessed via a subdomain on skolarli. This can also be customized to have your branded subdomain pointed to our application (e.g., subdomain.sample.com can be pointed to sample.skolar.li). The applications are locked to the subdomain, and each tenant's information is segregated by the domain name. Duplicate and reserved subdomains are not available. Our subdomains are managed on Cloudflare, which provides DDoS protection.
  2. Permissions Controls

    Skolarli has predefined permissions in the application. Every entry point to any feature is gated based on the access privileges of the role a user has been assigned.

Related Policies

For more information about how we handle your data, please refer to our other policies:

Contact

If you have any questions about our security practices or would like to report a security concern, please contact us at:

Skolarli Edulabs Pvt. Ltd.
Email: [email protected]
Website: https://skolarli.com