Technical and Organizational Security Measures (TOMs)

The Technical and Organizational Measures (TOMs) provided below apply to Skills Base services.  Evidence of measures implemented by Skills Base may be presented in the form of attestations, reports, screenshots or extracts from relevant sources upon request from entitled customers.

Data Centers

Skills Base is hosted by default in the United States using world-class, highly secure data centers that are certified to comply with global standards including SOC 1/2/3, ISO 27001, PCI DSS and several more. European and Australian hosting using the same world-class infrastructure is also available by request.

Access control

Access to systems and data is governed by an Information Security policy, and access is managed in accordance with a formalized and approved IT Access and Account Management process. Access to a customer's data within Skills Base is controlled by, and the responsibility of, administrators appointed by the customer. Skills Base provides the ability for these administrators to control what users can see and do in Skills Base via Security Groups. For more information please refer to the Configuring Permissions article.

Data Processor (Skills Base) internal user account controls

Skills Base has a defined process in place for the provisioning, management and deprovisioning of its internal employee IT accounts to ensure customer data is protected from unauthorized access via these accounts.  Access to data processing systems within Skills Base is granted on a least-privilege basis, and audited in line with company policy.  Skills Base employees are provided security training and are subject to non-disclosure agreements and background checks.

Data separation

Skills Base implements measures that ensure data is logically separated between customers. Customer data in Skills Base is tightly controlled via authentication and authorization. Skills Base regions are physically and geographically separated with no data being transmitted between regions (unless requested by the customer).

Local user accounts

Local user passwords have a minimum length and complexity requirement, and passwords are individually salted and hashed in a one-way irreversible fashion at rest. To protect users, local Skills Base accounts are automatically locked for a period of 15 minutes in the event of consecutive failed login attempts.
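To make the local-account control above concrete, the following is an added illustration (not Skills Base code) of per-account salted one-way hashing together with a 15-minute lock after consecutive failed logins. The failure threshold of 5 is an assumption, since the page does not state one; the 15-minute lock duration is the page's own figure.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

LOCKOUT_SECONDS = 15 * 60   # 15-minute lock, as stated on the page
MAX_FAILURES = 5            # assumed threshold; the page gives no number


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0          # consecutive failed attempts since last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


def _hash(password: str, salt: bytes) -> bytes:
    # One-way, salted, deliberately slow derivation (PBKDF2-HMAC-SHA256 from the stdlib).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_account(password: str) -> Account:
    salt = os.urandom(16)  # unique per account, so identical passwords differ at rest
    return Account(salt=salt, digest=_hash(password, salt))


def login(acct: Account, password: str, now: float) -> str:
    """Return 'ok', 'bad_password' or 'locked'. The lock applies even to a correct password."""
    if now < acct.locked_until:
        return "locked"
    if hmac.compare_digest(_hash(password, acct.salt), acct.digest):
        acct.failures = 0  # a success resets the consecutive-failure counter
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failures = 0  # the lock, not the counter, now enforces the cooling-off period
    return "bad_password"
```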

Single Sign On (SSO) integration

Skills Base supports SAML 2.0 Single Sign On.  The use of SSO integration removes the need for local passwords in Skills Base and establishes a trust relationship with the customer's identity provider. This also means that users do not have to remember a separate password which they may be inclined to write down or forget. Further, SSO allows organizations to control password rules and complexity including frequency of changes, and multi-factor authentication controls.

Data encryption

TLS encryption (also known as HTTPS) is used to encrypt and protect user data in transit. AES-256 or better encryption algorithms are used to encrypt data at rest.

Information Security Policy

All operations are governed by a corporate Information Security Policy which enforces the responsibilities of all Skills Base employees and contractors in relation to the security of information assets, including systems, software, and customer data.

Privacy Policy

All information stored is governed by the terms of our Privacy Policy. We don't use customer data for any other purpose than to maintain and administer the service, and we will never sell customer data to third parties.

Credit card and financial records

Skills Base systems never receive, store or retain credit card information. All credit card details are securely processed and stored by a secure third-party payment provider.

Data Portability

Skills Base enables your organization's Administrators to export data so that customers can maintain their own backup, or for archival or integration purposes.

Data Backup

We take complete daily backups of all data solely for the purpose of Disaster Recovery. Backups are encrypted and stored in a secure manner with minimal access rights.

Disaster Recovery

Skills Base has a defined process for recovery of data in the event of a disaster. This includes the use of hot-standby infrastructure that is physically separated from primary infrastructure. Skills Base also has a defined process for recovery of services from backup media.

Business Continuity

Skills Base has a defined Business Continuity Plan that allows our business to continue operating in the event that systems or physical locations become unavailable.

Monitoring

We implement centralized system monitoring and have rules in place to detect important events such as failures, outages and errors.  Appropriate alerting is implemented to provide notification of priority events, as defined by monitoring rules.

Web Application Firewalls

We implement Web Application Firewalls (WAFs) which monitor incoming traffic from the Internet.

Intrusion Detection Systems (IDS)

We implement Intrusion Detection Systems (IDSs) to monitor systems and network activity across our infrastructure in all regions.

Data Leakage Protection (DLP)

We implement Data Leakage Protection systems to monitor for data leakage events across all regions.

Malware Scanning

We implement automated malware scanning across all servers that we manage, across all regions.

OS Hardening

We harden Operating Systems used in the delivery of the Skills Base service by:

  • Employing Infrastructure as Code (IaC) for the processes of managing and provisioning resources, through machine-readable definition files rather than physical hardware configuration or interactive configuration tools
  • Having a Standard Operating Environment (SOE) which is applied through automation
  • Using the "immutable infrastructure" paradigm, where virtual machines are frequently replaced rather than their configuration being changed
  • Frequently rolling virtual machines to ensure the latest OS updates are present
  • Running hosted applications in isolated containers

Software design/development

Skills Base has been built completely in-house from the ground up using best practice methodologies to meet the security and functional requirements of the modern-day Internet and World Wide Web. Our software engineers are the best in their field with decades of experience. We don't outsource any software development.

Minimization of information requirements

The amount of personally identifiable information we require to be stored in the system is limited to names and email addresses; you can store more if you wish. We don't require any other personally identifiable information such as addresses, phone numbers, or credit cards. At any time you are able to export your data (as long as you have suitable privileges), and you have the option to delete data in the system whenever you require.

Vulnerability and Threat management

Skills Base has policies in place for the management of vulnerabilities and threats including mitigation, minimization, defenses and controls. This includes regular testing including vulnerability and penetration testing.

Vulnerability Scanning

Vulnerability scanning is performed annually on the Skills Base application, with any risks being mitigated as soon as possible. Vulnerability scan reports are available to entitled customers upon request.

Penetration Testing

Skills Base engages independent, expert third-party cyber security firms to conduct penetration testing on the Skills Base application, with any risks being mitigated as soon as possible. Penetration test reports are available to entitled customers upon request.

Incident management

Skills Base has a defined process for the management of incidents and events. Those that could pose a threat to the security or integrity of data are treated with priority.

Handling breaches

When we learn of a breach we will take appropriate steps to mitigate it and to contain any damage. In the event that there are affected users which require notification, we will do so in a timely manner using appropriate channels so that users are able to take protective steps.

If you become aware of a breach, you can report it to us using our contact form.