This article describes some of the techniques and procedures that we have in place.
At Easy LMS, the security of your data is our top priority. We constantly try to break our own security systems to identify weak points.
Software architecture
Easy LMS is built on top of our own Content Management System (CMS), which in turn is developed on the open-source Yii PHP framework. Yii uses a model-view-controller (MVC) architecture, which allows for structured, clean, and maintainable code, and the framework is regarded as solid, fast, and secure.
Yii Framework
We use many of Yii's built-in security features, such as data encryption, XSS prevention, and input sanitization. User input is always validated on the server, even where client-side validation is also used: client-side checks improve usability, but they run in the user's browser and can be bypassed, so they are never relied on as a security control.
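As an added example (not Easy LMS's own code), this is what server-side validation looks like in Yii 2: the form model declares its rules, and the controller only stores input once validate() passes, binds it into SQL as parameters, and HTML-encodes it on output. Yii 2 is assumed; the class ParticipantForm, the participant table, and its columns are made up for the illustration.

```php
<?php
// Added example, not Easy LMS code. Assumes Yii 2; ParticipantForm, the
// "participant" table and its columns are made up for the illustration.
// In a real app each class lives in its own file under app/models and
// app/controllers; they are shown together here for brevity.

namespace app\models {
    use yii\base\Model;

    class ParticipantForm extends Model
    {
        public $name;
        public $email;

        // Validation rules run on the server inside validate(), whatever the
        // browser did. Attributes not listed here are "unsafe" and load()
        // silently ignores them (mass-assignment protection).
        public function rules()
        {
            return [
                [['name', 'email'], 'trim'],
                [['name', 'email'], 'required'],
                ['name', 'string', 'max' => 100],
                ['email', 'email'],
                ['email', 'string', 'max' => 254],
            ];
        }
    }
}

namespace app\controllers {
    use Yii;
    use yii\helpers\Html;
    use yii\web\Controller;
    use app\models\ParticipantForm;

    class ParticipantController extends Controller
    {
        public function actionCreate()
        {
            $model = new ParticipantForm();

            if ($model->load(Yii::$app->request->post()) && $model->validate()) {
                // Parameter binding: the values never become part of the SQL
                // text, so a name like  x'); DROP TABLE participant;--  is
                // stored as a string, not executed.
                Yii::$app->db->createCommand(
                    'INSERT INTO participant (name, email) VALUES (:name, :email)'
                )->bindValues([
                    ':name'  => $model->name,
                    ':email' => $model->email,
                ])->execute();

                // Output encoding: Html::encode() turns < > & " ' into entities,
                // so a stored <script> tag is displayed as text, not run.
                return 'Created participant ' . Html::encode($model->name);
            }

            // Validation failed: nothing was written; report per-attribute errors.
            Yii::$app->response->statusCode = 422;
            return $this->asJson($model->getErrors());
        }
    }
}
```

The three controls are independent: the rules reject malformed input, parameter binding keeps whatever is accepted out of the SQL text, and Html::encode() keeps it out of the HTML. Removing the client-side validation from the form changes nothing here, which is the point of validating on the server.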
Authentication
Role Authorization
Several types of users can access the system, as shown in the diagram below. Each role is assigned a security level, and each level adds access to further parts of the system and data. From the support level upwards we use a login mechanism that differs from a client login, as an extra security layer.
Frequently asked questions
Below is a list of security questions we often get.
Where are your servers located?
Easy LMS runs on an Amazon Web Services cloud, or AWS for short. The servers and databases are physically located in Frankfurt, Germany.
How do you protect my data?
We protect your data in several ways:
All data is stored in a database that is encrypted at rest. This protects the underlying storage, including backups and snapshots: the raw database files cannot be read without the database's encryption key.
Personal data that we ask for is additionally encrypted at the application layer before it is written to the database. Even if the database itself were compromised, an attacker would not be able to read this data without the decryption key.
Passwords are not encrypted but hashed with a strong, salted, deliberately slow algorithm. Unlike other data, the original password cannot be recovered from its hash; a login attempt is checked by hashing the submitted password and comparing the result.
We never send passwords to anyone, by e-mail or any other channel.
All communication between the client (you) and the server goes over an encrypted (HTTPS) connection.
Who has access to my data?
You do, at all times. We can access some of your data, for example, for support purposes and invoices. We never share your data without your consent.
Who has access to the database?
Our database is accessible by authorized users only. This authorization is handled by a separate system, so no Easy LMS account has direct access to the database. This system is reachable only from within our own internal network.
Do you process and store personal data?
We only ask for data that we need, for example, for billing. We store this data encrypted in our database.
Do you have a procedure in case of a data leak?
Yes. If a data leak is detected, we act immediately: first we close the leak and disable external access, then we inform stakeholders within 48 hours of the leak being detected.
What type of encryption do you use?
Communication goes over HTTPS (TLS 1.2).
Data at rest is encrypted using AES-256.
Passwords are stored as bcrypt hashes.
Personal data is encrypted in CBC or ECB mode, depending on type and usage. Note that ECB encrypts each 16-byte block independently, so identical plaintext blocks produce identical ciphertext blocks and repetition in the data stays visible to anyone who can read the database; CBC with a fresh random IV per value does not have this property and is the safer choice for fields whose values may repeat.
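The following is an added example, not Easy LMS code, showing what the bcrypt and AES-256 claims above mean in practice using PHP's built-in password_* and OpenSSL functions: bcrypt is one-way and salted, and the same value encrypted with AES-256 in ECB mode reveals repeated blocks while CBC with a random IV does not. The key, the sample password, and the sample record are constructed for the demo; PHP 8 is assumed.

```php
<?php
// Added example, not Easy LMS code. Key and sample data are constructed for
// the demo. Assumes PHP 8 with the OpenSSL extension.

// Small check helper so the demo fails loudly even if zend.assertions is off.
function demand(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// --- 1. Password storage: bcrypt is a salted, deliberately slow one-way hash --
function storePassword(string $password): string
{
    // PASSWORD_BCRYPT draws a random 128-bit salt and embeds it in the output,
    // so two users with the same password get different hashes.
    // cost 12 means 2^12 rounds; raise it as hardware gets faster.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function checkPassword(string $password, string $storedHash): bool
{
    // Re-hashes with the salt embedded in $storedHash and compares in constant time.
    return password_verify($password, $storedHash);
}

$hash = storePassword('correct horse battery staple');   // constructed sample
demand(str_starts_with($hash, '$2y$12$'), 'bcrypt hash with cost 12');
demand(checkPassword('correct horse battery staple', $hash), 'right password verifies');
demand(!checkPassword('Correct horse battery staple', $hash), 'wrong password rejected');
// There is no function that turns $hash back into the password; the only way
// to "recover" it is to guess candidates and run password_verify on each.

// --- 2. Field-level encryption: AES-256 in ECB versus CBC ---------------------
$key = random_bytes(32);   // 256-bit key; in production it lives in a secret store, not the database

function encryptEcb(string $plaintext, string $key): string
{
    return openssl_encrypt($plaintext, 'aes-256-ecb', $key, OPENSSL_RAW_DATA);
}

function encryptCbc(string $plaintext, string $key): string
{
    // A fresh random IV per value is what makes CBC hide repetition. The IV is
    // not secret, so it is simply prepended to the ciphertext for storage.
    $iv = random_bytes(16);
    return $iv . openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
}

function decryptCbc(string $blob, string $key): string
{
    $iv = substr($blob, 0, 16);
    $ct = substr($blob, 16);
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

// Constructed sample record: two 16-byte blocks with identical content.
$record = str_repeat('ABCDEFGHIJKLMNOP', 2);

$ecb = encryptEcb($record, $key);
// ECB encrypts each block on its own, so equal plaintext blocks give equal
// ciphertext blocks: the structure of the data leaks without the key.
demand(substr($ecb, 0, 16) === substr($ecb, 16, 16), 'ECB repeats identical blocks');

$cbc1 = encryptCbc($record, $key);
$cbc2 = encryptCbc($record, $key);
// CBC chains each block into the next, starting from the random IV: no repeated
// blocks inside one value, and the same value encrypted twice differs.
demand(substr($cbc1, 16, 16) !== substr($cbc1, 32, 16), 'CBC hides repetition within a value');
demand($cbc1 !== $cbc2, 'CBC with random IV hides repetition across values');
demand(decryptCbc($cbc1, $key) === $record, 'CBC round-trips');

echo "all checks passed\n";
```

Neither mode authenticates the ciphertext: CBC hides content but a stored value can still be altered undetected, so in practice an HMAC over IV and ciphertext (encrypt-then-MAC) or an AEAD mode such as AES-256-GCM is added on top. That is a general caveat about the modes, not a statement about how Easy LMS uses them.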
Do you support single sign-on (SSO)?
Yes. You can read about the SSO methods we support.
Do you have backups?
Yes, we do. We take daily database snapshots with a 35-day retention period.
What type of support do you have?
You can reach us through our website. Our support department is available from 08:30 until 16:30 (CET), Monday to Friday. Our support consultants speak Dutch, English, German, and Polish. We provide support in all other languages using machine translation.
How long does it take to respond to a request?
This depends on the type of request, but typically within 24 hours.
Do you perform penetration tests?
We are looking into this. Some of our clients perform their own penetration tests on our system and share their results with us; any issues found get our immediate attention.
Can I perform a penetration test?
We invite you to do so, as other clients have done. We do ask that you let us know upfront so we can anticipate any extra pressure on our servers.
How often do you update the software?
Continuously. We constantly work to improve software security and add new features. Whenever there is a fix for a bug or a security issue, we deploy it immediately.
How do you test your software?
We test our software both manually and automatically. Before every deployment, our system goes through several stages, one of which is the testing phase. During this phase, an automated system runs thousands of tests, including unit tests, functional tests, and integration tests. This makes sure that whatever changes we make to our software don't break other functionality or security measures. If even one test fails, the build is rejected and sent back to development to be fixed.
Have all employees commissioned with data processing been committed to data secrecy?
Yes. Each of our employees signs a declaration that he or she will never share any information with parties that are not involved.
Do you have any hardening processes in place?
Yes, we do:
All security patches of our operating systems are installed.
We have anti-virus and anti-spyware installed on all our systems.
We have endpoint protection in place.
All login credentials, both on our workstations and in the platform, are required to be strong. We use two-factor authentication when appropriate.
We lock all PCs automatically when someone leaves their workstation.
We have a firewall in place.
How is separation enforced between the corporate network's credentials and the production environment?
The corporate network credentials differ from those of the production environment, adding an extra layer of security. Production environment credentials are only available to DevOps and SysAdmins. Access logs are maintained.
How is your access and key management organized?
Each system has an owner who is responsible for its access and key management. We only assign access if necessary for the employee's job, and all access requests are logged and monitored.
Are you GDPR-compliant?
The GDPR came into effect on May 25, 2018. We are pleased to confirm that Easy LMS is fully GDPR-compliant. We've updated our Privacy Policy, Terms and Conditions, and operations according to the GDPR. Our Data Processing Agreement is available on our website and is part of our Terms and Conditions. Read more about the GDPR and what it entails.
Are you ISO 27001-certified?
Yes! We are ISO 27001-certified. This means we have an information security management system (ISMS) that complies with international standards to ensure your data is safe in our care. It also helps us continuously improve our security and how we handle potential incidents.
Do you provide two-factor authentication for admins?
Yes! Any admin can set up two-factor authentication (2FA) in their Profile. Each admin must set up 2FA themselves. This feature cannot be enforced by a global admin or the account owner. Read more on setting up 2FA.