At Easy LMS, security of your data is our top priority. We constantly try to break our own security systems in order to identify weak points.
Easy LMS is built on top of our own Content Management System (CMS). This system is developed on top of the open-source Yii PHP framework. Yii uses a model-view-controller (MVC) based architecture which allows for structured, clean, and maintainable code. Yii is regarded to be solid, fast and secure.
We utilize many of Yii’s built-in security features such as data encryption, XSS prevention and data sanitization. User input data is always validated on the server, even if client-side validation is also used.
We have several types of users that can access the system, as you can see in the diagram below. Per security level, each role has access to extra parts of the system and data. From the support level and up we use a type of login that differs from a client login as an extra security layer.
Frequently Asked Questions
Below is a list of security questions we often get.
Where are your servers located?
Easy LMS runs on an Amazon Web Services cloud, or AWS for short. The servers and databases are physically located in Frankfurt, Germany. Your data is protected by the Privacy Shield. Read more about Amazon hosting, privacy and EU rules here. If you have an Enterprise Owl Account and you wish to be able to store data in a different location, contact us for more information.
How do you protect my data?
We protect your data in several ways:
- Personal data that we ask for is stored in the database using encryption. This means that even if the database is compromised, an attacker would not be able to read the data without the key to decrypt it.
- Passwords are stored using a highly secure hashing algorithm. Unlike with other data, it is impossible to retrieve the original password from its hash.
- Passwords are never sent to anyone in any way.
- All communication between the client (you) and the server goes over an encrypted connection.
Who has access to my data?
You do, at all times. We can access some of your data, for example for support purposes and invoices. We never share your data without your consent.
Who has access to the database?
Our database is reachable by authorized users only. This authorization is handled by a separate system, so no Easy LMS account has direct access to the database. This system is reachable only from within our own internal network.
Do you process and store personal data?
We only ask for data that we need, for example for billing. We store this data encrypted in our database.
Do you have a procedure in case of a data leak?
Yes. If a data leak is detected we will take action immediately to first repair the leak and disable external access. We will inform stakeholders within 48 hours of a data leak being detected.
What type of encryption do you use?
- Communication goes over https (SSL, TLS 1.2)
- Passwords are stored using bcrypt-hashing
- Personal data is stored using CBC or ECB encryption (depending on type and usage)
How do we use encryption for sensitive data?
- Passwords are hashed via blowfish
- Email addresses are encrypted via aes-128-ecb
- Other personal information is encrypted via aes-128-cbc
Do you support Single Sign On?
Yes, we support the following SSO methods:
- Azure AD
- AFAS Live
Do you have backups?
Yes we do. We make daily snapshots of our database with a retention period of 35 days.
What software platforms do you use?
- Debian ≥ Jessie
- Apache ≥ 2.4
- PHP ≥ 7.2
- MariaDB ≥ 10.2
Do you perform code reviews?
Yes, all changes of the code require a code review. A change cannot enter production with the approval of at least two developers.
What type of support do you have?
You can reach us through our website. Our support department is available from 09:30 am until 11:00 pm (CET). Support languages: Dutch, English, Portuguese.
How long does it take to respond to a request?
This depends on the type of request, but typically within 48 hours. On average we answer you within 67 minutes.
Do you perform penetration tests?
We are looking into this. Some of our clients perform their own pen tests on our system and share their results. It goes without saying that any issues that arise get our immediate attention.
Can I perform a penetration test?
We invite you to do so, many of our other customers have as well. We do ask you to let us know upfront so that we know there might be some extra pressure on our servers.
How often do you update the software?
Continuously. We constantly work on improvements to the software security and new features. Whenever there is a fix for a bug or a security issue, we deploy this immediately.
How do you test your software?
We test our software both manually and automatically. Before every deploy our system goes through several stages. One of which is the testing phase. During this phase an automated system runs thousands of automated tests, like unit tests and functional tests. This makes sure that whatever changes we make to our software don't break other functionality or security measures. Even if only one test fails, the build is rejected and sent back to development to fix.
Do you use Adobe Flash?
No, we do not, nor will we ever.
Have all employees commissioned with data processing been committed to data secrecy?
Yes, each of our employees signs a declaration that he or she will never share any information to parties that are not involved.
Do you have any hardening processes in place?
Yes, we do:
- All security patches of our operating systems are installed.
- We have anti-virus and anti-spyware installed on all our systems.
- We have endpoint protection in place.
- All login credentials, both on our workstations and in the platform, are required to be strong. We use two-factor authentication when appropriate.
- We lock all PCs automatically when someone leaves his workstation.
- We have a firewall in place.
How is separation enforced between the corporate network with its credentials and the production environment?
The credentials of the corporate network are different than those from the production environment. We don't allow access to the production environment using a form of SSO from our corporate network. So logging in on the production environment works with different credentials, which are only available to devops and sysadmins.
How is your access and key management organized?
The CTO is in charge of access and key management and assigning authorizations. We only assign access if necessary for the job of the employee.
Are you GDPR compliant?
If you have any questions about this matter, or anything else regarding the use of our tool, please feel free to contact us.
You can send us a message using the chat feature on our website, or you can send us an email via email@example.com.