Skills Base Security statement / Technical and Organizational Measures (TOMs)
The security and privacy of customer data is our highest priority. Some of the measures that we take to protect your information include:
- Data Centers: Skills Base is hosted by default in the United States using world-class, highly secure data centers that are certified to comply with global standards including SOC 1/2/3, ISO 27001, PCI DSS and many more. European and Australian hosting using the same world-class infrastructure is also available by request for an additional fee.
- Data encryption in transit: TLS encryption (also known as HTTPS) is used to encrypt and protect user data in transit.
- Information Security Policy: All operations are governed by a corporate Information Security Policy which enforces the responsibilities of all employees and contractors in relation to security of information assets including customer data, systems and software.
- Local user Passwords: Local user passwords have a minimum length and complexity requirement and passwords are individually salted and hashed in a one-way irreversible fashion at rest.
- Single Sign On (SSO) integration: The use of SSO integration removes passwords from Skills Base and establishes a trust relationship with your organization's identity provider. This also means that users do not have to remember a separate password which they may be inclined to write down or forget. Further, SSO allows organizations to control password rules and complexity including frequency of changes.
- Account lockout: To protect users, local Skills Base accounts are automatically locked for a period of 15 minutes in the event of 5 consecutive failed login attempts.
- IT Access and Account Management: Skills Base has a defined process in place for the provisioning, management and deprovisioning of internal IT accounts that ensures customer data is always protected from unauthorized access.
- Credit cards: Skills Base systems don't store, retain or ever even receive your credit card information. All credit card details are securely processed and stored by a highly reputable 3rd party payment provider.
- Data Portability: Skills Base enables your organizational Administrators to export your data so that you can maintain your own backup, or for archival or integration purposes.
- Disaster Recovery: Skills Base has a defined process for recovery of data in the event of a disaster. We take complete backups of all data daily for use in this process and we test this process regularly to ensure robustness.
- Business Continuity: Skills Base has a defined Business Continuity Plan that allows our business to continue operating in the event that systems or physical locations become unavailable.
- Non-disclosure: Any person that is contracted or employed by Skills Base that must access data as part of their work is vetted and required to sign a legally-binding One-way confidentiality agreement.
- Software design/development: Skills Base has been built completely in-house from the ground up using modern, best practice methodologies to meet the security and functional requirements of the modern-day Internet and World Wide Web. Our software engineers are the best in their field with decades of experience. We don't outsource any software development.
- Minimization of information requirements: The amount of personally identifiable information we require to be stored in the system is limited to names and emails, however you can store more if you wish. We don't require any other personally identifiable information such as addresses, phone numbers, or credit cards. At any time you are able to export your data (as long as you have suitable privileges), and you have the option to delete data in the system whenever you require.
- Data segregation: Customer data in Skills Base is logically segregated and tightly controlled via authentication and authorization. Skills Base regions are physically and geographically separated with no data being transmitted between regions.
- Vulnerability and Threat management: Skills Base has policies in place for the management of vulnerabilities and threats including mitigation, minimization, defences and controls. This includes regular testing including vulnerability and penetration testing.
- Incident management: Skills Base has a defined process for the management of incidents and events, including those that could pose a threat to the security or integrity of data which are treated with priority.
When we learn of a breach we will take appropriate steps to mitigate it and to contain any damage. In the event that there are affected users which require notification, we will do so in a timely manner using appropriate channels so that users are able to take protective steps.
If you become aware of a breach, you can report it to us using our contact form. Setting the "priority" to "high" triggers events at our end for rapid escalation.
Authorization / Configuring Permissions
Access to Skills Base data within an organisation is controlled by administrators appointed by the customer. Skills Base provides the ability for these administrators to control the things that users can see and do in Skills Base via Security Groups. For more information please refer to the Configuring Permissions support article.
Skills Base is only available as a Software as a Service (SaaS) solution which is hosted externally to your organization's in-house systems. For organizations that are uncomfortable hosting data in the Cloud, anonymizing data can be an intermediate strategy in gaining confidence and Executive buy-in. The following are some ways to anonymize data in the Cloud:
- Instead of using employee names, you can consider using unique identifiers that are only identifiable by your company. (Note: This may prevent you from being able to take advantage of the Single Sign On feature)
- You can consider minimizing the amount of personally identifiable information sent to Cloud systems. (Skills Base only requires names and emails)
- Use of Single Sign On reduces the chance of employees using their organizational password as the password for use in external systems. (Skills Base offers Single Sign On)