Yellowdig's Terms of Service can be found at https://www.yellowdig.com/about/terms. The key parts, as they relate to privacy and security, are:
- All posted content is owned by the poster, or the organization to which the posts belong. In practical terms, this content is owned by the University.
- Yellowdig does not resell any data to third parties. Any use of the data is for the sole purpose of providing and enhancing the service.
- We take all reasonable measures to protect user data, in conformance with software security best practices, including encryption, firewalls, and limited access to production data.
Any use of Yellowdig is governed by these terms of service. Any contract we enter into with a customer can, at the customer's discretion, add to or supersede the existing terms.
Yellowdig is fully FERPA compliant. The platform uses and has access only to non-sensitive directory information, such as a user's name and email address.
The Yellowdig application is developed using currently accepted best practices for Internet-facing applications that handle sensitive information and are accessed by end users and partners, including encryption in transit and at rest and highly restricted access to the development, deployment, and data storage environments. This includes following the OWASP Top 10 recommendations for web application security. User passwords are never stored in plaintext or in reversibly encrypted form; they are hashed with bcrypt, a salted, adaptive password-hashing algorithm whose work factor can be raised as hardware gets faster.
Yellowdig successfully passed all manual and automated audits and security scans of our application by University IT departments.
Yellowdig employs many best practices for securing networks and servers:
- All traffic is encrypted in transit using TLS (the successor to SSL) with 256-bit cipher suites.
- Yellowdig application and database servers are protected by multiple firewalls that restrict both external (WAN) and internal (LAN) access.
- Server access is granted only to those employees who need it.
- Yellowdig's platform maintains all access logs, and every action by every application user is recorded.
- Critical operating system and application security patches are installed automatically as soon as they are available.
- All servers run within an Amazon Virtual Private Cloud (VPC), further isolating and securing them.
Yellowdig is hosted on Amazon Web Services (AWS). AWS data centers conform to the highest standards of physical security and operational process, and hold ISO 27001 and ISO 9001 certifications, SOC 3 reports, and other attestations. Please refer to the AWS security and compliance documentation at http://aws.amazon.com/security/ and http://aws.amazon.com/compliance/ for additional details.
User data is automatically backed up at regular intervals to the Amazon Elastic Block Store (EBS) service; EBS has built-in redundancy and keeps multiple copies of each volume.
All data is retained for a period of 5 years. Yellowdig can provide a data export or delete data on request from the customer. Backups and snapshots are stored encrypted using AWS's snapshot features.
- We host our services in Amazon's Oregon (us-west-2) region.
- We generate most of our database queries using the query-generation libraries provided by our development framework, rather than hand-assembling SQL strings.
- We take daily backups of our data on a separate server. These backups are currently complete copies of the production data. As our data grows, we plan to put in place a more sophisticated backup strategy using AWS's storage infrastructure.
- Multiple code backups exist in the form of git repositories and 3 multi-purpose servers that are used explicitly for backups.
- Under extreme circumstances, should our production server become unavailable, we can bring another server into production in a relatively short period of time (within an hour at best, up to a couple of hours).
Yellowdig applications are hosted on comprehensively firewalled servers. These firewalls deny by default any access mechanism we do not support and are carefully configured to allow access only for known services. We build on top of the well-defined and implemented security policies of the AWS services we depend on.
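The bullet about generating queries through the framework's query libraries matters because such libraries bind user input as parameters instead of splicing it into SQL text, which is the standard defence against SQL injection. The following is an added illustration of that difference, not Yellowdig's own code or schema: it uses Python's built-in sqlite3 module, a constructed two-row `users` table, and a classic `' OR '1'='1` payload to show that string-concatenated SQL leaks every row while a parameterized query treats the payload as an ordinary (non-matching) string.

```python
import sqlite3

# Constructed sample data (hypothetical; not Yellowdig's schema).
SAMPLE_USERS = [("alice", "alice@example.edu"), ("bob", "bob@example.edu")]

def build_db():
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn

def find_user_vulnerable(conn, name):
    """Hand-assembled SQL: the untrusted value becomes part of the statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_parameterized(conn, name):
    """Bound parameter: the driver sends the value separately, so it is never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def demo():
    """Run both lookups with an injection payload and with a legitimate name."""
    conn = build_db()
    payload = "x' OR '1'='1"  # closes the quoted literal and appends an always-true clause
    return {
        "vulnerable": find_user_vulnerable(conn, payload),      # every row leaks
        "parameterized": find_user_parameterized(conn, payload),  # no row matches
        "legit": find_user_parameterized(conn, "alice"),         # normal lookup still works
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

A query builder or ORM produces the second form automatically; the bullet's "most of our queries" is the caveat a reviewer should probe, since any remaining hand-built query is where the first form tends to survive.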
Data Integrity and Disaster Recovery
Yellowdig is architected for high availability and 100% uptime. User data is backed up frequently, and Yellowdig servers are distributed across several Availability Zones. Recovery from backups is tested regularly and is in fact part of the normal server deployment process, so that even in the event of serious malfunctions (such as data center issues) service can be restored quickly.
We require our service providers to give us timely notification of breaches and to work with us on response. If a security breach occurs, we will work with our customers and users to notify them in a timely manner. Yellowdig is covered for breaches under our Professional Liability insurance policy.