Please see below for our most frequently asked questions regarding our security policy.
- What file format is being used – AICC, SCORM or other?
The file format used by CyberU is AICC.
- When a user launches the content, do they remain within CSOD or are they redirected to the provider’s system?
CyberU courses open in a new pop-up window when launched from Cornerstone.
- If the user is redirected to the provider’s system, please provide details around this process from a security perspective.
When a course is launched from Cornerstone, CyberU receives a session ID. This identifier does not contain any personally identifiable information, such as user’s name, username, password, etc. A temporary authentication token is created on our end when Cornerstone calls CyberU API, which allows the user to access CyberU courses. Please see the attached AICC authentication flow diagram for more technical details.
- What data is communicated to the provider’s system from CSOD? (e.g. user information)
We receive a session ID from Cornerstone, which allows CyberU to create an external user on the CyberU database. This entry contains a user ID.
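To make the launch flow in the two answers above concrete (an opaque session ID from Cornerstone, an external user record holding only a user ID, and a short-lived token minted by CyberU), here is an added illustration written for this FAQ; it is not CyberU's code, and the record shape, the HMAC token format and the 300-second lifetime are assumptions:

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed values for the illustration; a real deployment keeps the key in a secrets store.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 300  # assumed lifetime of the temporary token


def register_external_user(session_id: str, user_db: dict) -> str:
    """Map an opaque CSOD session ID to an external user record holding only a user ID."""
    if session_id not in user_db:
        user_db[session_id] = {"user_id": "ext-" + secrets.token_hex(8)}
    return user_db[session_id]["user_id"]


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, now: float, key: bytes = SERVER_KEY) -> str:
    """Mint a temporary token: user ID plus expiry, integrity-protected with HMAC-SHA256."""
    claims = {"uid": user_id, "exp": int(now) + TOKEN_TTL_SECONDS}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_token(token: str, now: float, key: bytes = SERVER_KEY):
    """Return the user ID for a valid, unexpired token; None for tampered, malformed or expired ones."""
    try:
        encoded_payload, encoded_mac = token.split(".")
        payload, mac = _unb64(encoded_payload), _unb64(encoded_mac)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None
    return claims["uid"]
```

The token carries only the external user ID and an expiry, mirroring the answer that no name, username or password crosses the boundary.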
- How is this data encrypted?
At rest data is encrypted by AWS, Postgres and Mongo Cloud. In transit data is encrypted by HTTPS for public traffic and TLS for internal traffic.
- Where is this data hosted?
Data is hosted on AWS servers in Oregon (us-west-2).
- What data is communicated to CSOD from the provider’s system? (e.g. training progress)
CyberU provides Cornerstone with a .zip file containing the metadata and the course link necessary to launch the course via CyberU’s website. Course files (videos) are hosted on CyberU’s servers, so the resulting AICC file is small in size. CyberU sends course completion status back to Cornerstone every few seconds to let Cornerstone know whether a user’s course is In Progress or Completed.
- What level of encryption is used to pass data? What level of assurance do you have with content partners?
We use an AWS RDS Postgres database in AWS, and MongoDB Atlas for MongoDB, which is also running on AWS. MongoDB Cloud connects to our AWS instance via VPC Peering as a security best practice, and we also use IP whitelisting for access control. Yes, both the Mongo and Postgres storage volumes are encrypted. Backups are also encrypted.
- Is whitelisting a specific URL required to make content accessible? If so, what is the URL and where are the provider’s servers located?
Please see the URLs listed in our Technical Requirements guide. Servers are located in Oregon, CA (AWS us-west-2 availability zone).
- What is CyberU's data retention policy?
CyberU does not actively remove data, unless specifically requested by users under data protection laws.
- Does CyberU comply with all data protection laws, including GDPR (Europe)?
- Please include any other security considerations, workflows, diagram or additional information that will provide insight into your security measures.
Security components: The AWS Load Balancer acts similarly to a firewall in that it filters incoming traffic on ports 80 and 443. We use Loggly as our log management system to track activity.
Back-up and recovery plan: CyberU conducts daily backups of all databases. Application servers are backed up before every deployment. Our recovery plan consists of a one-day RPO: data from the most recent day may be lost in the event of a disaster. The RTO for recovering the data is expected to be around 30 minutes.