Security

We have instituted numerous security measures to ensure your data is safe and backed up on a consistent basis. All OrgSync server certificates are signed by a recognized certificate authority (DigiCert) and use 256-bit SSL encryption for all communication. All communication among the database, application, and authentication servers is conducted inside a secure, private network.

Our production servers have a very limited number of ports open to the public. OrgSync communicates with client computers on port 443 using HTTPS. All other ports are inaccessible to outside users. All communication to and from this private network is encrypted, except for port 80 (HTTP), which always redirects the user to the encrypted site (HTTPS).


FERPA Compliance

No one will have access to, nor will we disclose, any information from a student educational record without the written consent of the student, except to “school official with legitimate educational interests,” to authorized representatives of the federal and state governments for audit and evaluation of federal and state supported programs, or under other provisions outlined by FERPA. Learn more about OrgSync's FERPA compliance.


Protection Against Brute-Force Attacks

Our password encryption utilizes a “work factor” to protect OrgSync against brute-force attacks. OrgSync utilizes this “work factor” to slow login attempts without locking out a user. OrgSync does not have an account lockout mechanism.
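The following added example (not OrgSync's code) shows how a work factor is typically stored with each password record, so every login attempt pays the cost and old records are upgraded after a successful login. PBKDF2-HMAC-SHA256, the iteration count and all function names are assumptions; the page does not name the scheme it uses.

```python
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"        # assumed scheme; the page does not name one
CURRENT_ITERATIONS = 200_000  # the "work factor" (constructed value)


def hash_password(password, iterations=CURRENT_ITERATIONS, salt=None):
    """Return 'algo$iterations$salt$digest' so the cost travels with the hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(digest).decode()])


def verify_password(password, stored):
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # malformed record: wrong field count, bad int or base64
        return False
    if algo != ALGO or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored):
    """True when a record was created with a lower work factor than today's."""
    return int(stored.split("$")[1]) < CURRENT_ITERATIONS


def login(password, stored):
    """Return (ok, record). No lockout: each guess simply pays the hashing cost."""
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored):
        # Only a successful login has the plaintext needed to raise the cost.
        stored = hash_password(password)
    return True, stored
```

Because the cost is applied per guess rather than per account, raising `CURRENT_ITERATIONS` slows offline guessing against a stolen table as well as online attempts.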


Encryption

All external network traffic is encrypted using TLS/SSL. As all internal communication is done within a secure private network, that communication uses unencrypted binary protocols. Likewise, local machine disk data is not encrypted; database data, other than passwords, is not encrypted. Other than the cryptographic protocols listed, OrgSync does not use any other data encryption.


Development Security

The security of our application is paramount at OrgSync. Because of this, we have a policy of writing repeatable test code for every new feature, as well as whenever a bug needs to be corrected. Additionally, all development is put into a central file, giving all OrgSync developers access to the most up-to-date code. We utilize a Continuous Integration (CI) server, which detects each new piece of code. When new code is added, the CI server automatically tests it before it goes live. In this way, OrgSync ensures that every piece of code has been checked multiple times before it is sent to users.

All software is stored/retrieved from a secure version control repository. Developers push and pull from this repository using private RSA keys and the SSH protocol. In the event we need to remove an individual's access to the code repository, we can simply remove their RSA key from the configuration file.


Additional Security Protection

We utilize tools to protect against vulnerabilities at both the system administration and developer level, including but not limited to:

  • Cross-site scripting
  • Authentication and session management
  • Cross-site request forgery
  • Unprotected URL access
  • Transport layer protection
  • Blind redirects and forwarding

In order to maintain system security, internal audits and penetration testing are performed regularly by the OrgSync system operations team. Additionally, OrgSync has an internal policy of best practices, including but not limited to:

  • Drive feature development via written tests
  • Maintain a high level of system and code transparency within the development team
  • Deploy early and often
  • Focus on user experience
  • Actively research new technologies
  • Ensure project resource redundancy
  • Treat operations with the same consideration as development

In the event of a security breach, please contact us to receive information on our Security Breach Protocol.

For more information on our security measures, please contact us to receive information on our IT Security Policy Q&A.

For more information on the security provided by AWS, please visit the AWS Security Center.

