Security

Catholic Online School Overview

Catholic Online School is an online technology platform for course creators that gives them the ability to build and deliver courses while requiring no specialized technical expertise. Catholic Online School cares deeply about protecting the privacy and security of our course creators, their learners, and their learning environment.

Where is Catholic Online School hosted?

Catholic Online School’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes the Amazon Web Service (AWS) technology as well as the Google Cloud Platform (GCP) technology. Both Amazon and Google continually manage risk and undergo recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:

ISO 27001

SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)

PCI Level 1

FISMA Moderate

Sarbanes-Oxley (SOX)

Specifically, Catholic Online School hosts our application within the US-East-1 data centres of AWS.

How does Catholic Online School manage data security?

At Catholic Online School, data security is governed by a set of policies. This includes, among many others our:

 – Data Classification and Handling Policy; and

 – Privacy Policy

Catholic Online School has a data classification and handling policy that ensures data is stored, handled, and destroyed safely. Catholic Online School also has a documented, approved and communicated privacy program responsible for the protection of data which can be reviewed here: https://www.catholiconline.school/pages/privacy

Catholic Online School’s policies ensure that we only collect the personal information required in order to provide our services.


Encryption

By default, Catholic Online School encrypts all data leaving the environment using secure cryptographic algorithms over TLS 1.2 connections and all customer data at rest hosted in Catholic Online School’s platform environment is encrypted according to Catholic Online School’s encryption standard. Though we do not control encryption on non-company owned devices, our data access policy mandates that only those individuals that need to have access to the environment should have access.

Catholic Online School’s data modification logging policy requires all data modifications to be logged, which helps Catholic Online School ensure that no data is changed without appropriate authorization.


Logical and Technical Controls

Catholic Online School is a multi-tenant SaaS application, and relies on logical separation of customer data in data stores. Logical separation of data is enforced by technical controls at both the infrastructure, application, and administrative levels. Logical controls are tested regularly in accordance with Catholic Online School’s Software Development Life Cycle (SDLC). Catholic Online School’s database is not physically segregated by customer, but rather logically separated and includes checks both on backend queries and frontend display to ensure no customers can access other customer’s data. Resiliency, Redundancy and Disaster Recovery We have provisioned the data storage as a Multi-AZ database where its data is synchronously replicated to a standby instance in a different Availability Zone (AZ) for failover purposes. It is also SSD-backed optimized for high-performance applications. Additionally, Catholic Online School conducts backups of the entire database, no matter the classification of the data. Because we leverage infrastructure as code, all our backup policies are documented as code, within our source code. Catholic Online School reviews backup logs periodically and in an ad-hoc manner.


Does Catholic Online School have a secure development and implementation process?

Catholic Online School’s secure software development lifecycle aligns with OWASP best practices. 

Such best practices include that all code changes require peer-review and testing (both manual and automated) prior to promotion to production. No single individual may request and implement changes without review from several other individuals and all changes are logged and tracked.

All development and testing environments are segregated from production and live production data is not used in testing. Additionally, our policies require that all developers complete a training course detailing secure development practices.


How does Catholic Online School manage identity, credentials, and access management?

All internal access to data is granted based on roles and business requirements, as determined by Catholic Online School. There is a team of individuals that approve, grant and remove access to ensure correct access is provided and there is a policy in place to review access rights on a regular basis.


What vulnerability management does Catholic Online School have?

We use different types of vulnerability tests on our tech stack. Our internal Security team performs ad-hoc security testing. If you would like to report a vulnerability or have a security concern regarding Catholic Online School, please email customerservice@catholiconlineschool.com. All vulnerabilities received by our team are reviewed and prioritized based on severity. 


What about Catholic Online School Employees?

Catholic Online School conducts very thorough screening of every candidate that wants to become a Catholic Online School employee. In-depth interviews, take-home assignments, and reference checks are conducted prior to new employees joining Catholic Online School. While Catholic Online School does not currently require that all employees and contractors undergo background checks, in all roles where more formal background checks are beneficial or reasonably required, we perform criminal record and other relevant background checks.

All employees and contractors are required to sign confidentiality agreements prior to beginning work for Catholic Online School.


How does Catholic Online School protect physical security?

Catholic Online School does not maintain any physical servers in its offices; our system is hosted on AWS, Google, and GCP (Infrastructure as a Service). Both Amazon and Google have controls in place for physical 3 security. 


How does Catholic Online School ensure service continuity?

Catholic Online School’s services are fully operating in the cloud and are highly available; the platform’s architecture takes into consideration single points of failures. Catholic Online School has a robust incident response process.

Catholic Online School is working on its business continuity plan, which includes periodic Business Impact Analysis.


How does Catholic Online School ensure secure acquisition?

As per Catholic Online School’s policy, we review the security safeguards provided by each third-party before entering into agreements with them. Additionally, all agreements are reviewed by our legal team. Catholic Online School also has a process by which ad hoc repeat reviews are completed as needed.


What are the current security operations?

Catholic Online School has automated monitoring and alerting on all key pieces of the application. This monitoring and alerting is 24/7 and triggers our incident response process mentioned above. Our incident response process goes through the 6 steps of identification, containment, investigation, eradication, recovery and follow-up. Network vulnerability scans are completed bi-weeky.


What are my responsibilities?

As a customer you are responsible to adhere to all our terms and conditions of service and use.