Our Commitment to Data Privacy and Security

IN THIS ARTICLE
Data Privacy and Terms of Service
GDPR Readiness
Software Security
Infrastructure Security
Physical Security
Data Security
Firewall
Data Integrity and Disaster Recovery
Breach Notification
FERPA


Last updated on July 30th, 2024

To access the letter of opinion from our most recent third-party web application penetration test and retest, which concluded in October 2023, contact us at clientsuccess@yellowdig.com. Testing is conducted annually by our testing partners.

At Yellowdig, we highly value your data privacy and security. Below, we outline the steps we've taken to ensure privacy and security. This is not a legally binding document, and over time, parts of this statement may become inaccurate. For up-to-date summaries of our current privacy and security measures, please contact us at clientsuccess@yellowdig.com.


Data Privacy and Terms of Service

Yellowdig Terms of Service can be found here. The key parts, as they relate to privacy and security, are:

  • All posted content is owned by the user that posts it, or the organization to which the user belongs. In practical terms, content posted to Yellowdig is owned by the organization or university that is using the platform.
  • Yellowdig does not resell any data to third parties. Any use of the data is for the sole purpose of providing and enhancing the service.
  • We take all reasonable measures to protect user data and conform to software security best practices, including use of encryption, firewalls, and limited access to production data.

Any use of Yellowdig is governed by these terms of service. However, any contract we enter into can add to or supersede any other existing terms, at the discretion of the customer.


GDPR Readiness

The European Union General Data Protection Regulation (GDPR) is an important change in data privacy regulation that has had a major influence on how technology companies can operate in the European Union. Because the GDPR is among the most user-friendly regulations in the world in terms of giving users control over what companies can do with their data, it has become an important privacy and data-handling benchmark. Complying with the regulation requires that companies provide users with important protections and functionality, such as allowing users to delete their data from a system. Yellowdig has the capabilities necessary to be fully GDPR compliant.


Software Security

The Yellowdig application is developed using currently accepted best practices for applications that handle sensitive information and are deployed on the Internet for access by end users and partners, including encryption and highly restricted access to the development, deployment, and data storage environments. This includes following the OWASP Top 10 recommendations for web application security. All user passwords are hashed with the industry best-of-breed bcrypt algorithm. Yellowdig has successfully passed all manual and automated audits and security scans of our application by a number of university IT departments.


Infrastructure Security

Yellowdig employs many best practices for securing networks and servers:

  • All public traffic is encrypted using SSL/TLS with 256-bit encryption.
  • Yellowdig application and database servers are protected by multiple firewalls, with external WAN access as well as internal LAN restrictions.
  • Server access is granted only to those employees who need it.
  • Yellowdig monitors user behavior using audit logging and sample activity metrics.
  • All servers run within an isolated virtual network (Amazon Virtual Private Cloud), further isolating and securing them.

Physical Security

Yellowdig is hosted using Amazon Web Services (AWS). AWS data centers conform to the highest standards of physical security and processes and have achieved ISO 27001, ISO 9001, SOC 3 and other certifications. Please refer to AWS security infrastructure information documentation at http://aws.amazon.com/security/ and http://aws.amazon.com/compliance/ for additional details.


Data Security

Users' data are automatically backed up at regular intervals to redundant backup storage. All data is maintained for a period of 5 years. Yellowdig can provide a data dump or delete data at the customer's request. Backups and snapshots are encrypted on disk.

  • We host our services in the US-West 2 Oregon datacenters of Amazon.
  • We build applications which are not susceptible to SQL injection.
  • We test all data input for cross-site scripting (XSS) vulnerabilities.
  • We create daily backups of all production data stored separately from application servers.
  • Multiple code backups exist in the form of git repositories.
  • Under extreme circumstances, should our production server become unavailable, we can bring up another server to production in a relatively short period of time.
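Two of the bullets above, "not susceptible to SQL injection" and "test all data input for cross-site scripting", describe outcomes rather than the mechanisms behind them. The following added example, written for this page and not taken from Yellowdig's application, shows the two mechanisms that produce those outcomes: parameterized queries, which keep input from ever being parsed as SQL, and output escaping, which keeps stored text from rendering as markup. The in-memory `posts` table, its rows, and the helper names are constructed for the example; `o'brien` is a legitimate name that happens to break a concatenated query, which is the same defect that crafted input exploits.

```python
import html
import sqlite3

# Constructed sample rows standing in for a discussion board's post store.
CONSTRUCTED_ROWS = [
    ("alice", "Welcome to week 1"),
    ("o'brien", "Question about the reading"),
    ("bob", "<b>bold claim</b> & a <script>alert(1)</script> attempt"),
]


def make_db() -> sqlite3.Connection:
    """Build the in-memory table used by the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (author TEXT, body TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)", CONSTRUCTED_ROWS)
    return conn


def posts_by_author_unsafe(conn: sqlite3.Connection, author: str) -> list:
    """The defect: the author value is spliced into the SQL text.

    The apostrophe in "o'brien" terminates the string literal early and the
    remainder is parsed as SQL, so sqlite raises a syntax error. Input that
    changes the statement's meaning instead of breaking it is SQL injection.
    """
    sql = "SELECT body FROM posts WHERE author = '" + author + "'"
    return [row[0] for row in conn.execute(sql)]


def posts_by_author_safe(conn: sqlite3.Connection, author: str) -> list:
    """The fix: a bound parameter is sent to the engine as a value, never
    parsed as SQL, whatever characters it contains."""
    rows = conn.execute("SELECT body FROM posts WHERE author = ?", (author,))
    return [row[0] for row in rows]


def render_body(body: str) -> str:
    """Escape at output time so stored text is shown as text, not as HTML.
    html.escape converts & < > " ' into entities."""
    return f"<p>{html.escape(body)}</p>"


def demo() -> dict:
    """Run both lookups and the renderer; returns results for inspection."""
    conn = make_db()
    result = {}
    try:
        posts_by_author_unsafe(conn, "o'brien")
        result["unsafe_raised"] = False
    except sqlite3.OperationalError:
        result["unsafe_raised"] = True
    result["safe"] = posts_by_author_safe(conn, "o'brien")
    result["rendered"] = render_body(posts_by_author_safe(conn, "bob")[0])
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The escaping is done when the body is rendered rather than when it is stored, so the database keeps the author's text intact and the same stored value can be emitted safely into HTML, a JSON API, or an email without double-encoding.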

Firewall

Yellowdig applications are hosted on comprehensively firewalled servers. These firewalls default to disabling any unsupported access mechanism and are carefully configured to only allow access for known services. We build on top of the well-defined and implemented security policies of the AWS services we depend on.


Data Integrity and Disaster Recovery

Yellowdig is architected for High Availability and 100% uptime. User data is backed up frequently. Recovery from backups is tested regularly and is in fact part of the normal server deployment process, ensuring that, even in the event of serious malfunctions (such as data center issues), service can be restored quickly.


Breach Notification

We deploy host intrusion detection to monitor our servers. We also expect our service providers to notify us of breaches in a timely manner and to work with us. If a security breach occurs, we will work with our customers and users to notify them in a timely manner. Yellowdig is covered for breaches under our Professional Liability insurance policy.


FERPA

Yellowdig is FERPA (Family Educational Rights and Privacy Act) compliant through our Privacy, Security Incident Policy, and Data and Infrastructure Security. However, it is the responsibility of the client's implementation to ensure full compliance with FERPA.
