From 5780654376936a017aee49d6f9607e13758ca20a Mon Sep 17 00:00:00 2001
From: Nathan Sarang-Walters
Date: Wed, 14 Feb 2024 10:44:43 -0800
Subject: [PATCH] Add information about company security (#68)

---
 src/pages/security/index.mdx | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/pages/security/index.mdx b/src/pages/security/index.mdx
index ba220511..7aa1cbbf 100644
--- a/src/pages/security/index.mdx
+++ b/src/pages/security/index.mdx
@@ -4,7 +4,23 @@ export const meta = {
   title: "Security",
 };
 
-The PrairieLearn team takes the security of our products and services seriously. Thanks for helping to make PrairieLearn secure for everyone.
+The PrairieLearn team takes the security of our products and services seriously.
+
+## Product security
+
+- **Software development lifecycle**: PrairieLearn, Inc. follows a secure software development lifecycle, including secure coding practices, code reviews, and automated testing.
+- **Vulnerability scanning**: GitHub Dependabot scans for vulnerabilities in third-party packages and dependencies.
+- **Data protection at test**: Datastores with customer data, including S3 buckets, RDS databases, and EBS volumes, are encrypted at rest.
+- **Data protection in transit**: Data that is transmitted over potentially insecure networks is encrypted in transit using TLS 1.2 or higher.
+
+## Enterprise security
+
+- **Secure remote access**: Internal systems are only accessible via AWS Systems Manager. Access to AWS Systems Manager is logged and tightly controlled.
+- **Identity access and management**: PrairieLearn, Inc. uses JumpCloud for identity and access management. Multi-factor authentication is required and utilized wherever possible.
+
+## Third-party audits
+
+- **SOC 2 Type I _(coming soon)_**: PrairieLearn, Inc. is currently working with [Vanta](https://www.vanta.com/) and third-party auditors to achieve SOC 2 Type I compliance. We expect to complete this process in early 2024. The completed report will be made available to customers upon request.
 
 ## Reporting a vulnerability