Cyber Security Policy

Updated
October 6, 2021

Overview

Skill Struck’s mission of promoting equity in computer science education relies on the security and efficiency of our systems. We want our partner schools and their administrators, teachers and students to know that Skill Struck is a trustworthy guardian of sensitive data.

This document details our information and cyber security program. Principles of an effective security program include being threat-driven, using automation to scale, and balancing the investment between prevention and response. We regularly adjust our security practices to align with the NIST Cybersecurity Framework.

Our program has three focus areas: product security, infrastructure security, and IT security. The following sections describe each focus area and the set of security activities we practice within each.

Product security

The goal of Skill Struck’s product security efforts is to clarify the security and privacy impact of new features as they are being created, so that Skill Struck engineering can continuously and safely improve the Skill Struck product.

Secure Software Development Lifecycle

We have an application security review process that applies to all new development projects. It includes threat modeling and code review. Security design reviews occur for any major change. We have a secure code review process that identifies high-risk code for manual review by our software engineers. We use automation in our software development build pipeline that analyzes code for potential vulnerabilities through unit tests.

Our engineer portal includes application security training material with secure coding guidelines specific to our technology stack, which all new engineering hires review.

We have an active bug finding program that includes a team reviewing the Skill Struck platform daily to ensure that all reported bugs are fixed in a timely manner. We’re responsive to security inquiries sent to support@skillstruck.com.

Security Features

Skill Struck does not give log file information or student usage information to third parties, except (i) those service providers engaged to support and assist in administering Skill Struck’s Site, or (ii) in a sanitized form disassociated from IP address or other personal data, or (iii) as authorized or directed by the school. Skill Struck stores, transmits, and displays student data only via secure and FERPA compliant methods. Only selected members of the Skill Struck staff have access to student data; they are required to be FERPA certified and must log into the platform using 2-factor authentication.

Skill Struck protects against password brute forcing by rate limiting login attempts. After 5 failed login attempts, each subsequent attempt requires ReCAPTCHA. Skill Struck salts and hashes passwords using SHA256, a high-cost hashing function recommended by NIST. Skill Struck requires two-factor authentication for administrator, teacher, and student account access.
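To make the two login controls in the paragraph above concrete, here is an added Python example; it is not Skill Struck’s code. It implements a small login gate that counts consecutive failures per account and demands a solved CAPTCHA from the sixth attempt onward (the threshold of 5 comes from the policy), together with salted password hashing. The example hashes with PBKDF2-HMAC-SHA256 from the standard library, an iterated and salted construction on top of SHA-256, because a single SHA-256 pass is fast and does not slow down offline guessing; the iteration count, the in-memory user store, the dummy credential used to keep response time uniform for unknown usernames, and the `captcha_solved` flag standing in for a verified ReCAPTCHA response are all assumptions of the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added example, not Skill Struck's code. The threshold of 5 comes from the
# policy text; the iteration count, store and captcha flag are assumptions.
FAILED_ATTEMPTS_BEFORE_CAPTCHA = 5
PBKDF2_ITERATIONS = 600_000  # assumption: OWASP's published figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given,
    so two accounts with the same password store different digests."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


class LoginGate:
    """Counts consecutive failed logins per account; once the count reaches the
    threshold, every further attempt must carry a solved CAPTCHA."""

    def __init__(self, threshold: int = FAILED_ATTEMPTS_BEFORE_CAPTCHA) -> None:
        self.threshold = threshold
        self.users: Dict[str, Tuple[bytes, bytes]] = {}  # username -> (salt, digest)
        self.failures: Dict[str, int] = {}               # username -> consecutive failures
        # Random dummy credential: unknown usernames still cost one PBKDF2 run,
        # so response time does not reveal whether an account exists.
        self._dummy = hash_password(os.urandom(16).hex())

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def captcha_required(self, username: str) -> bool:
        return self.failures.get(username, 0) >= self.threshold

    def attempt(self, username: str, password: str, captcha_solved: bool = False) -> str:
        """Return "ok", "captcha_required" or "denied"."""
        if self.captcha_required(username) and not captcha_solved:
            # Refuse before checking the password: the caller must solve a CAPTCHA first.
            return "captcha_required"
        salt, digest = self.users.get(username, self._dummy)
        matched = verify_password(password, salt, digest) and username in self.users
        if matched:
            self.failures.pop(username, None)  # a successful login clears the counter
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "denied"


if __name__ == "__main__":
    gate = LoginGate()
    gate.register("teacher1", "correct horse battery staple")  # constructed sample account
    for _ in range(FAILED_ATTEMPTS_BEFORE_CAPTCHA):
        print(gate.attempt("teacher1", "wrong guess"))           # denied x5
    print(gate.attempt("teacher1", "correct horse battery staple"))                      # captcha_required
    print(gate.attempt("teacher1", "correct horse battery staple", captcha_solved=True))  # ok
```

The counter is keyed by username so that the CAPTCHA requirement follows the account under attack rather than the source address; a production deployment would keep it in a shared store with an expiry and alert on accounts that reach the threshold repeatedly.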

We use Content Security Policy (CSP) to detect and prevent unauthorized JavaScript from running in the context of our applications.

Infrastructure security

Our infrastructure security efforts focus on accelerating the pace of our development teams by providing the underlying tools, systems, processes, and knowledge resources to build secure and privacy-protecting systems.

All of Skill Struck’s infrastructure runs in the cloud. Our primary cloud provider, AWS, conforms to security standards including PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, and NIST 800-171. See https://aws.amazon.com/compliance/ for more details.

Change Management

We have a change management process for our infrastructure that includes source code control, peer code review, logging, and alerts for unusual behavior. All production changes are deployed with an automated system that detects reliability issues and reverts problematic deploys. Our automation allows us to safely and reliably deploy code to production dozens of times per day.

Availability and Disaster Recovery

Our availability is 99.9% or higher.

We have established a set of practices and tools to defend against automated Denial of Service (DoS) attacks against Skill Struck’s infrastructure. Skill Struck uses CloudFront to defend against these attacks.

Since our service is based entirely in the cloud, our disaster recovery plan is based on best practices from AWS for maintaining resiliency in the case of disaster. We use multiple AWS availability zones to safeguard against single data-center issues.

Skill Struck generates data backups regularly and stores them securely with our cloud provider. All backups stored offsite are encrypted and deleted securely when they become obsolete, and in no case retained longer than 60 days. Skill Struck’s production systems are housed in a tier-1 hosting facility that is monitored 24 hours a day, 7 days a week. Access to these systems requires prior written approval from Skill Struck management, and all access is logged and monitored. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, Skill Struck cannot guarantee its absolute security.

Data Encryption in Storage and Transit

We encrypt all Personally Identifiable Information (PII) in transit outside of our private network and at rest in our private network. All data is encrypted via SSL in transit and at rest by Amazon Web Services. We use industry standard cryptography (AES-256) and access control keys that are regularly audited and rotated. Read more about our security encryption with AWS by referring to their Encryption Reference Guide.

Data Isolation

Skill Struck uses logical separation to process data in a multi-tenant environment. The code controls are tested before every production deployment. Data processing occurs in containerized environments with limited access to external resources. Services use ephemeral credentials to access data stores. All data is stored in the USA.

Network Isolation

Skill Struck limits external access to network services by running them inside of a Virtual Private Cloud (VPC) and blocking all unnecessary ports from external traffic. Access to our production network is limited to necessary personnel, logged, and secured using multi-factor authentication. We use a bastion SSH host to gate all system-level access to production infrastructure.

Logging

Skill Struck maintains a centralized log for product and infrastructure events and metrics. Tightly access-controlled and integrity-protected log backups are persisted to access-controlled archival stores on S3. All system-level actions performed in production environments with elevated permissions (sudo) are logged.

Threat Detection

We have monitoring, alerting, and response processes for suspicious activity occurring in our infrastructure.

Secret Storage

No secret data (passphrases, API keys, QR Codes for 2-factor, etc) are sent using tools like Gmail, Dropbox or Slack. We have purpose-built tools for storing and transferring this data in accordance with our security requirements.

Patching

We regularly update our operating system images, container images, language runtimes, and language libraries to the latest known supported versions.

IT security

Policies and Standards

Our information security policy is documented in our Employee Portal. We have a Skill Struck Data Classification standard that describes the different types of data that our employees work with and how that data should be handled.

Device Policies

Our device policy describes best practices for device configuration and software usage for Skill Struck devices. It mandates full disk encryption for all devices that have access to sensitive data, the use of screen locks after a period of inactivity, and remote wipe capabilities. It also describes our permitted software and software update practices.

Account Policies

Our account policies state that all passwords should be securely stored and generated with a password manager, and mandate the use of 2FA for sensitive accounts. They also define the OAuth authorization policies for accounts with sensitive data access (e.g. GSuite) and the techniques to avoid phishing.

Accounts are activated when an employee joins and deactivated when an employee leaves, using automated processes where possible.

Security Training

We create a culture of security for all Skill Struck employees through activities like security awareness training, which is completed during onboarding. Our security program that details each of these components is documented in our Employee Portal. All new hires must read the information security policy and undergo information security training, and existing employees have regular refresher training.

Third-Party Software

We have a third-party software security review process that must be completed before using new services at our organization on official, company-owned devices. The level of verification varies based on the risk profile of the service in question.

Background Checks

All Skill Struck employees undergo criminal background checks and sign agreements barring any use of confidential information outside of the scope of their work with the company.

Cyber Insurance

We have cyber liability insurance with coverage of 1 million US dollars. We also tailor our cyber insurance coverage to specific schools and districts as needed.

Other Security Practices

External Security Assessment

We conduct an annual external security assessment of our applications. We make the reports associated with these assessments available for our users, on request.

Cyber Incident Management and Response Plan

In the event that Skill Struck management discovers that student data or personal information has been accessed or obtained by an unauthorized individual, Skill Struck shall provide notification to the school’s representatives within a reasonable amount of time of the incident, not to exceed 48 hours. Immediately following the discovery of the breach, Skill Struck’s security team will address and resolve the security deficiency accordingly. Such notification will be provided via email and a phone call to the school’s authorized student data privacy representative, and will include the following:

  • The security breach notification shall be written in plain language, shall be titled “Notice of Data Breach for Skill Struck,” and shall present the information described herein under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice.
  • The security breach notification shall include, at a minimum, the following information:
  1. The name and contact information of the authorized school representative.
  2. A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
  3. If the information is possible to determine at the time the notice is provided, then either (1) the date of the breach, (2) the estimated date of the breach, or (3) the date range within which the breach occurred. The notification shall also include the date of the notice.
  4. Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.
  5. A general description of the breach incident, if that information is possible to determine at the time the notice is provided.
  • At the school’s discretion, the security breach notification may also include any of the following:
  1. Information about what the agency has done to protect individuals whose information has been breached.
  2. Advice on steps that the person whose information has been breached may take to protect himself or herself.
  • Skill Struck will also adhere to all requirements in applicable state and federal law with respect to a data breach related to the student data, including, when appropriate or required, the required responsibilities and procedures for notification and mitigation of any such data breach.
  • Skill Struck will not directly contact the parent, legal guardian or eligible pupil unless expressly requested by an authorized school representative. If requested by an authorized school representative, the head Skill Struck IT manager will contact the legal guardian of the pupil via email or phone call. If requested by the school, Skill Struck shall reimburse the school for costs incurred to notify parents/families of a breach not originating from the school’s use of our service, upon the school providing proof of those expenses.
  • In the event of a breach originating from the school’s own use of our platform, Skill Struck shall cooperate with the school to the extent necessary to expeditiously secure student data.

In addition to following this plan, Skill Struck will address each data security breach on a case-by-case basis, as well as conduct an inspection of its data security measures to improve them, directed by Skill Struck’s security director.

Parents’ Bill of Rights for Data Privacy and Security

Skill Struck is committed to protecting the confidentiality of information about your child that identifies him or her. Such information, which includes student‐specific data, is known as “personally identifiable information.” Under Skill Struck’s Cyber Security and Privacy Policy (aligned with New York state’s education law), if you are a parent of a child in any school district, you have the following rights regarding the privacy and security of your child’s personally identifiable information and data:

  • Your child’s personally identifiable information cannot be sold or released for any commercial purposes.
  • If your child is under age 18, you have the right to inspect and review the complete contents of your child’s education records.
  • Safeguards must be in place to protect your child’s personally identifiable data when it is stored or transferred. These safeguards must meet industry standards and best practices. Examples of such safeguards include encryption, firewalls and password protection.
  • You have the right to make complaints about possible breaches of student data and to have such complaints addressed.

Please reach out if you have any questions concerning this cybersecurity policy.
Chief Privacy Officer
Skill Struck LLC
629 E Quality Drive, Suite 103
American Fork, UT 84003
E-mail: support@skillstruck.com
Telephone: (801) 252-6768

Privacy Policy

This privacy policy explains what information Skill Struck, LLC, collects on our services and how we use and share that information. By using our services, you accept the practices described in this privacy policy.

If we change this privacy policy, we will include the date when we last updated it. If we deem the changes significant, we may notify you either by prominently posting a notice prior to implementing the change or by sending you a notification directly. We encourage you to review this policy periodically.

What information do we collect?

We may collect data that alone or together with other data would reasonably allow us to determine the identity of a specific person (“Personal Information”). We may also collect data that, standing alone, tells us something about a person but does not reasonably allow us to identify a specific person (“Non-Identifiable Information”). We also may gather and store site-visitation data. This information includes internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and clickstream data. The term “information” includes all of the above data.

How do we collect the information?

We use different methods to collect information, including:

  • When you provide information directly to us;
  • When you use our services; and
  • When third parties share information with us.

To collect information automatically, we may use cookies, web beacons, third-party services, or other data-collection tools.

We may use hashtags, keys, unique identifiers, or other encryption devices to anonymize Personal Information. We treat this modified Personal Information as Non-Identifiable Information for purposes of this privacy policy.

How will we use the information we collect?

We solely determine our purposes for collecting your information. Some of these purposes may include:

  • Improving, debugging, and maintaining our products and services;
  • Studying and personalizing user experiences;
  • Fulfilling legal requirements;
  • Conducting business analysis and research;
  • Conducting marketing campaigns;
  • Addressing fraud, security, or technical issues;
  • Personalizing your updates, upgrades, enhancements, and other relevant offers; and
  • Otherwise managing our business.

We also may use your Personal Information to:

  • Process payments for services;
  • Enroll you in select discounts, rebates, promotions, or other programs; and
  • Transfer to a buyer or other successor in the event of a corporate sale, merger, or similar event.

We reserve the right to use any student’s image or likeness, as well as any content your student may produce, whether through photographs, adaptations, displays, exhibits, or otherwise, in all markets, media, or technology now or later known. Any image or likeness will be used solely for the promotion, marketing, public education, and fundraising activities of Skill Struck, LLC, and will not include the name of any individuals therein unless otherwise agreed in writing by you. Neither you nor your child will receive any compensation for the use.

With whom do we share the information?

We may share your information with:

  • Government bodies or law enforcement agencies to comply with a court order or other legal process;
  • Third parties to enforce or defend our legal rights, including our terms and conditions, and investigate violations thereof;
  • Our service providers, business partners, or affiliates, if the entity first agrees to adhere to this privacy policy;
  • Third-party purchasers or sellers; and
  • Any other persons or entities as otherwise provided for by law.

If we share your Personal Information with third-party purchasers or sellers, we will first anonymize your Personal Information.

How do we protect the information?

While we at our sole discretion may choose to maintain methods to secure your information, we do not guarantee that your Personal Information, Non-Identifiable Information, or other data or communications will be secure. You are solely responsible for carefully handling and disclosing your Personal Information. Please refer to the Federal Trade Commission's website for more information.

We also do not guarantee that any third-party services you may access from our services provide safeguards to your privacy. We encourage you to read the privacy statements of the third-party products and services you use.

What else should I know?

Your choices about how we use or collect your information. You can always choose not to provide us with certain information, but not providing that information may result in you being unable to use or purchase our services. If you have provided certain Personal Information to us, such as addresses, credit card numbers, or phone numbers, you may review and update this information at any time by going to your account settings page.

You may control information collected by cookies by updating your browser settings. If you do so, some of our services may not function properly. We may choose not to recognize or respond to any Do Not Track signals.

You may opt out from receiving commercial or promotional emails from us either by visiting your account settings page or by clicking the opt-out link in the emails we send you.

You can choose to opt out of certain data collections and usage:

  • To opt out of cookies that may be set by third-party data or advertising partners, please visit http://www.aboutads.info/choices/
  • To opt out of our data collection for targeted advertising, click here. You must opt out separately on all devices you use. Later deleting your cookies may require you to go through the opt-out process again.
  • To opt out of third-party mobile application ad tracking and analytics, click here.

Retention: After we deem your information no longer relevant to our purposes, we will take steps to have it deleted, aggregated, or made anonymous.

Contact Us

If you have any questions, comments, or concerns about this privacy policy, please email us at support@skillstruck.com.

COPPA Policy

Skill Struck, LLC (“Skill Struck”) values the privacy of children and of all of its users. This COPPA Privacy Policy (“COPPA Policy”) is designed to comply with the Children’s Online Privacy Protection Act (“COPPA”) and contains important information about how we collect, use, and disclose the personal information we collect from children under thirteen years old who take courses provided through our website, https://www.skillstruck.com/, (the “Site”) and the services, such as courses, provided on our Site (the “Services”). Skill Struck provides online courses in software coding and web development. Skill Struck may partner with foundations, non-profits, or for-profit entities to make these courses available to schools and other educational organizations. In the course of providing these Services, Skill Struck may come into contact with information, including personal information, from the course taker. Some, but not all, courses are directed towards children under 13. This COPPA Privacy Policy applies to the information we collect from children under 13 through Skill Struck courses directed towards children. Skill Struck will handle children’s personal information as described in this COPPA Policy. Any personal information we collect about other users (e.g., teens and adults) will be treated in accordance with the Skill Struck Privacy Policy (“Privacy Policy”). The use of our Site and any dispute over privacy is subject to this COPPA Policy, the Privacy Policy, and our Terms of Service, including its applicable limitations on damages and the resolution of disputes. Our Terms of Service and Privacy Policy are incorporated by reference into this COPPA Policy.

Who Will Collect Information About Children?

Skill Struck operates the Site and Services and will collect children’s personal information as described in this COPPA Policy and our Privacy Policy. We can be contacted at:

1555 N. Freedom Blvd.
Provo, Utah 84604
(949) 491-2793
support@skillstruck.com

Even if Skill Struck courses are offered in conjunction with an outside partner, the partner will not receive any individual personal information from users of the Site, including children. Skill Struck may provide partners with aggregate or de-identified information about users.

What Information Do We Collect About Children and Why?

As described in further detail below, we collect some personal information from children so that we can track their progress through our courses. Data is retained for education purposes only.

How Is Information Collected?

We may collect information about children directly from children, as well as automatically through a child’s use of our Site and Services. We will not require a child to disclose more information than is reasonably necessary to use our Services. A copy of a notice of our privacy practices as posted on the learning platform.

What Information Do We Collect Directly?

From children under 13, we utilize the date of birth to verify the child’s age but do not store the age. We only store whether or not the child is under 13. If a child is under 13, we collect the child’s first name, and last initial. We do not ask children for their full last name. Children must create their own usernames, but are not required to provide an email. We only use user name and email address (if provided) to track a child’s progress in our courses or to reset passwords; we will not contact a child using his or her email address or username. We may also collect additional demographic information (such as race and gender) from children; however, we do not associate this with the child’s name or other personal information and we use it only to compile aggregate and de-identified information about participants in our courses. Parents may ask us to stop collecting personal information from their child by emailing us at support@skillstruck.com. However, in such cases the child will not be able to take or complete our courses. If a parent directs us to stop collecting and using a child’s personal information, we must disable his or her use of our courses to ensure that no information is collected.

What Information Do We Collect Automatically?

We may automatically collect the following information about a child’s use of our Site through cookies and other technologies: domain name; browser type and operating system; web pages viewed; links clicked; the length of time spent on our Site; the length of time our courses were taken; Google Analytics statistics; the referring URL, or the webpage that led the child to our Site; language information; device name and model; operating system type, name, and version; and activities within our Site. We may also collect IP address, device identifier or a similar unique identifier from users of our Site, including children; we only use such identifiers to support the internal operations of our Site and we do not use such identifiers to collect information about the child outside of our Site.

What Other Information Do We Collect About Children?

We collect information about children’s performance and activities on our Site, including completion of courses. This information is for internal use only and will not be disclosed to other entities; however, we do not use this information in personally identifiable form for our own commercial purposes. Before we analyze or use any activity data for our own commercial purposes, we de-identify and/or aggregate such information.

How Do We Use Children’s Information?

We use personal information collected from children for the following purposes:

  1. To provide our Services; and
  2. To respond to customer service and technical support issues and requests.

We de-identify and/or aggregate the information we collect from children under 13 before we use it for any other purposes, as noted below.

Unique Identifiers. We only collect and use unique identifiers, such as IP addresses, as necessary to operate our Site or Services, including to maintain or analyze their functioning; perform network communications; authenticate users or personalize content; and protect the security or integrity of users and our Site and Services. We never use unique identifiers to track users across third-party apps or websites.

Aggregate or De-identified Information. We may use aggregate or de-identified information about children for research, analysis, and similar purposes. When we do so, we strip out names, e-mail, contact information, and other personal identifiers. We may use aggregate or de-identified information for the following purposes:

  1. To better understand how users access and use our Site and Services;
  2. To improve our Site and Services and respond to user desires and preferences; and
  3. To conduct research or analysis, including research and analysis by third parties.

How Do We Share Children’s Information?

We do not sell children’s personal information, and a child may not make his or her personal information public through our services without their parents’ approval. In general, we may disclose the personal information that we collect about children to provide our Services, to comply with the law, and to protect Skill Struck and other users of our Services. For example, we may share children’s personal information as follows:

  1. Service Providers. We may disclose the information we collect from children to third-party vendors, service providers, contractors, or agents who perform functions on our behalf.
  2. Business Transfers. If we are acquired by or merged with another company, if substantially all of our assets are transferred to another company, or as part of a bankruptcy proceeding, we may transfer the personal information we have collected from our users to the other company.
  3. In Response to Legal Process. We also may disclose the personal information we collect in order to comply with the law, a judicial proceeding, court order, subpoena, or other legal process.
  4. To Protect Us and Others. We also may disclose the personal information we collect where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of our Terms of Service, Privacy Policy, or this COPPA Policy, or as evidence in litigation in which Skill Struck is involved.
  5. With Parents. Parents may request information about the information we have collected from their child by contacting us at support@skillstruck.com.
  6. Aggregate and De-Identified Information. We may also use and share aggregate or de-identified information about users with third parties for marketing, research, or similar purposes.

What Are Your Rights to Review, Delete, and Control Our Use of Children’s Personal Information?

Parents have a right to review the information we have collected about their children and students, respectively, and to delete it, and to tell us to stop using it. To exercise these rights, you may contact us at support@skillstruck.com. You will be required to authenticate yourself as the child’s parent to receive information about that child. Please note that copies of information may remain in cached or archived form on our systems after you request us to delete it.

How Will We Make Changes to This COPPA Policy

This COPPA Policy is current as of the Effective Date set forth above. We may change this COPPA Policy from time to time, so please be sure to check back periodically. We will post any changes to this COPPA Policy on our Site, at skillstruck.com. If we make any changes to this COPPA Policy that materially affect our practices with regard to the personal information we have previously collected from a child, we will endeavor to provide you with notice in advance of such change by highlighting the change on our Site.