This article covers the common questions we get asked by security and IT departments when implementing a new career directory. Please refer here for any technical and security questions. If you have a question that isn’t addressed below, please reach out and we’ll answer that too.
Contents
Security
We take the security of our platform seriously and have implemented several measures and tools in our platform to protect students, universities and employers from security risks related to the functioning of the Prosple Network.
Database Security
All our databases, including both content and user preference information, are encrypted. None of our databases is accessible from the internet; they are secured within our private subnet inside our AWS infrastructure.
Encryption of Data at Rest
Data stored at rest in the underlying storage is encrypted, as are its automated backups, read replicas, and snapshots. RDS encryption uses the industry-standard AES-256 algorithm to encrypt the data on the server that hosts the RDS instance.
Encryption of Data in Transit
Communications between our applications and the DB instances are encrypted using SSL/TLS. Once an encrypted connection is established, all data transferred between the DB instance and the applications is encrypted in transit.
Access Control
Access to our databases is controlled with user-based access control mechanisms. Only vetted, privileged users have access to production databases, and these do not contain any user credential data (which is handled by a separate system, Auth0).
Network Isolation and Database Firewall
All our DB Instances exist in our own virtual network, and connect to your existing IT infrastructure using industry-standard encrypted IPSec VPN.
All our DB instances run within a private subnet.
Only applications within our VPC are allowed to access the databases and, given all our access is handled securely with VPN+SSO, we do not expose our platform via SSH access (e.g. a bastion host).
DB Security Groups are also used to help secure DB instances within our Amazon VPC. In addition, network traffic entering and exiting each subnet is allowed or denied via network ACLs.
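The controls in this section (no internet-reachable databases, encrypted storage, DB security groups that admit only the application tier) are the kind of thing an auditor wants to verify rather than read. The following is an added example, not Prosple's code: a small posture check that evaluates dictionaries shaped like boto3's `describe_security_groups()` and `describe_db_instances()` responses. The security group ids, port and instance records are constructed so it runs offline; with live credentials you would pass the real responses' `SecurityGroups` and `DBInstances` lists instead.

```python
"""Posture check for the database-isolation controls described above.

Added example, not Prosple's code. It evaluates constructed dictionaries
shaped like boto3's describe_security_groups() / describe_db_instances()
responses, so it runs offline.
"""
import ipaddress

DB_PORT = 3306       # MariaDB/MySQL (assumed port for the sample data)
APP_SG = "sg-app"    # security group of the application tier (constructed id)


def sg_findings(groups, db_port=DB_PORT, app_sg=APP_SG):
    """Flag DB security-group ingress that is wider than "application tier only".

    Acceptable: a rule whose source is the application tier's security group.
    Flagged: any CIDR source (0.0.0.0/0 is reported as "internet"), and any
    other security group (e.g. a bastion host) covering the DB port.
    """
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            # "-1" means all protocols; AWS then omits FromPort/ToPort.
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if perm.get("IpProtocol") not in ("tcp", "-1") or not lo <= db_port <= hi:
                continue
            for rng in perm.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"], strict=False)
                kind = "internet" if net.prefixlen == 0 else "cidr"
                findings.append(f"{sg['GroupId']}: port {db_port} open to {kind} {rng['CidrIp']}")
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] != app_sg:
                    findings.append(f"{sg['GroupId']}: port {db_port} open to group {pair['GroupId']}")
    return findings


def rds_findings(instances):
    """Flag RDS instances that contradict "encrypted at rest, not internet-reachable"."""
    findings = []
    for db in instances:
        name = db["DBInstanceIdentifier"]
        if db.get("PubliclyAccessible"):
            findings.append(f"{name}: PubliclyAccessible is true")
        if not db.get("StorageEncrypted"):
            findings.append(f"{name}: storage not encrypted")
    return findings


# Constructed sample data: one compliant group/instance and one non-compliant.
SAMPLE_GROUPS = [
    {"GroupId": "sg-db-good", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": APP_SG}]}]},
    {"GroupId": "sg-db-bad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "-1",
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]},
]
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "db-good", "PubliclyAccessible": False, "StorageEncrypted": True},
    {"DBInstanceIdentifier": "db-bad", "PubliclyAccessible": True, "StorageEncrypted": False},
]

if __name__ == "__main__":
    for line in sg_findings(SAMPLE_GROUPS) + rds_findings(SAMPLE_INSTANCES):
        print("FINDING", line)
```

Run as a script it prints one line per finding; an empty result is the expected state for the setup described on this page. The check deliberately treats any non-application security group as a finding, because the text states that no bastion or SSH path to the databases exists.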
Application Infrastructure Security (ECS)
Application Security and Patch Policy
Our application stacks mostly comprise the following frameworks, all known for robust security and regular security advisories:
- Drupal 9
- NodeJS
- NextJS
- GraphQL
- MariaDB
- Redis
- MongoDB
We make sure that the underlying frameworks are kept up to date with the latest patches at all times, giving maximum priority to released security advisories.
The applications also undergo regular vulnerability scans to complement our security patch policy.
Production vs Non-Production Environments
We have a complete separation of concerns between our Production and Non-Production (Staging) environments.
Production and Non-Production have completely separate AWS accounts and access control is maintained separately for each one, always with 2FA and Single Sign On authentication in place as well as the requirement for VPN to access the VPC where services exist.
Logging
We maintain a full set of logs across all our applications including access logs, application logs and error logs. We also have VPC flow logs in place.
Our retention policy for production logs is 24 months.
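The VPC flow logs mentioned here are what lets the database-isolation claims be checked continuously rather than once. The following is an added example, not Prosple's code: a detection that parses the default (version 2) VPC flow log record format and reports any accepted flow to a datastore port whose source lies outside the private application subnets, plus a tally of rejected attempts per source. The subnet ranges, ports and log lines are constructed for the example.

```python
"""Detection over VPC flow log records for the DB-isolation claim above.

Added example, not Prosple's code. It parses the default (version 2) VPC
flow log format and reports (a) any ACCEPTed flow to a datastore port whose
source lies outside the private application subnets and (b) a tally of
REJECTed attempts per source. Subnet ranges and log lines are constructed.
"""
import ipaddress
from collections import Counter

# Constructed: the private subnets where the application containers live.
PRIVATE_SUBNETS = [ipaddress.ip_network("10.0.10.0/24"),
                   ipaddress.ip_network("10.0.11.0/24")]
# Ports of the datastores listed in the stack: MariaDB, Redis, MongoDB.
DB_PORTS = {3306, 6379, 27017}

# Default VPC flow log fields, version 2, in order.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]


def parse_flow_record(line):
    """Return a dict for a usable record, or None for NODATA/SKIPDATA/short lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    rec["dstport"] = int(rec["dstport"])
    rec["srcport"] = int(rec["srcport"])
    return rec


def is_private_source(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_SUBNETS)


def db_access_report(lines):
    """Return (alerts, rejects): alerts for accepted out-of-subnet DB flows,
    rejects as a Counter of source addresses denied on a DB port."""
    alerts, rejects = [], Counter()
    for line in lines:
        rec = parse_flow_record(line)
        if rec is None or rec["dstport"] not in DB_PORTS:
            continue
        if rec["action"] == "REJECT":
            rejects[rec["srcaddr"]] += 1
        elif rec["action"] == "ACCEPT" and not is_private_source(rec["srcaddr"]):
            alerts.append(f"{rec['srcaddr']} -> {rec['dstaddr']}:{rec['dstport']} "
                          f"accepted from outside the private subnets")
    return alerts, rejects


# Constructed sample records (not real log data).
SAMPLE_LOG = [
    "2 123456789012 eni-0a1b2c3d 10.0.10.25 10.0.11.40 51234 3306 6 20 4000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.11.40 44321 3306 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.11.40 44322 3306 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.20.9 10.0.11.40 50000 6379 6 10 800 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.10.25 10.0.11.40 51300 443 6 5 600 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    alerts, rejects = db_access_report(SAMPLE_LOG)
    for a in alerts:
        print("ALERT", a)
    for src, n in rejects.items():
        print("REJECTED", src, n)
```

Rejected flows from the internet are expected noise for a correctly configured network ACL and are only counted; the alert condition is an accepted connection from an address that should never reach a datastore, which is the case that indicates a security group or subnet misconfiguration.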
Audit Tracing
We have a completely separate AWS account purely responsible for audit logs, recording every interaction with our AWS infrastructure for audit purposes. This account is read only.
Our retention policy for production logs is 24 months.
Credentials Management
All our credentials are securely stored in a separate secure system using Auth0.
These credential repositories are ISO27001, SOC 2 Type II, ISO27018, HIPAA BAA, Gold CSA STAR and PCI DSS certified.
Identifiable information like First name, Last name and email address are also stored here and kept separate from the rest of the profile information, stored within Prosple’s platform.
User Information & Identity Management
Prosple stores user information in two separate databases, one responsible for managing profile information (degrees completed, spoken languages, notification preferences etc) the other (securely in Auth0) to manage user credentials and primary identity information like first name and last name.
There are three authentication scenarios when dealing with the Prosple platform:
- Using Prosple as an authentication provider
- Using our Single Sign On features to integrate with a third party Identity Provider
- Websites without the authentication feature enabled
Using Prosple as an Authentication Provider
When using Prosple as an Auth provider, user credentials and primary identities will be stored in our Auth0 tenant (see security certifications in Credentials Management section of this document).
Authentication is performed between our applications and our Authentications service via standard OAuth 2.0 protocols.
Profile information can optionally be stored for logged in users.
SSO – Integrating with third party Authentication System
When using Prosple’s SSO capabilities, we can integrate with your system of choice. We support several protocols like OpenID or SAML and have various out of the box integrations for the major enterprise solutions such as Google Workspace, Microsoft Azure AD, ADFS, Active Directory/LDAP and Ping Federate.
In this scenario we do not store any user credentials as that is completely handled by the third party identity provider.
We can optionally store user profile information, as well as primary identity information (e.g. for in-app greetings).
No Authentication
Our platform can be configured without any user authentication, which can be useful if you have security or privacy concerns and aren't able to leverage our SSO capabilities.
In this case we don’t store any user information, but authenticated features like bookmarking, email alerts and virtual experiences aren’t available.
Integrations and APIs
Prosple offers a few ways to integrate with third party systems and APIs.
The main options existing at the moment are:
- Fully featured authentication integration (more details in the "User Information & Identity Management" section)
- RSS feeds that can be consumed to obtain the latest job posts on a given channel
A fully featured GraphQL API that will allow customers to integrate with our service entirely via APIs is on our roadmap and is already being worked on.
Meanwhile if you have any specific requests we can consider ad-hoc integrations on a per use case basis.
Service Status & Monitoring
Our applications, microservices and infrastructure are all constantly monitored.
For monitoring at the application level, our New Relic platform is able to identify any application level risks, inefficiencies or errors, immediately alerting the Engineering team to the problem.
To complement this we have detailed access logs and application logs stored in Cloudwatch.
We also have a granular level of visibility into our infrastructure through the use of Cloudwatch, giving us a clear picture of the health of our clusters, database services, network load, disk usage, CPU and RAM utilization etc.
Performance and Availability
Being a fully distributed system spanning a network of 200+ digital channels, the Prosple platform is built on performance and availability best practices.
From a technical standpoint, the first barrier of defense is our worldwide CDN, with multiple nodes scattered around the globe caching requests at the edge.
As we utilise a proactive cache clearing strategy (as opposed to TTL), we can boast a cache hit ratio at the edge of around 80-85%, heavily protecting our origin servers.
Once traffic arrives at the origin, we complement a robust in-memory cache (Redis), with our database layer cache for optimal performance.
If load becomes too high for the system, our autoscaling monitors kick in, provisioning more application containers (or cluster nodes) to accommodate the load.
F.A.Q
Identity and Users
Is there a web interface to administer user accounts?
Can directory synchronisation (e.g. Active Directory) be used to manage users?
Is there a delegated user administration option?
Do you support standards-based federation and authentication (e.g. SAML, Shibboleth, SCIM, SPML, OAuth, WS-Federation, OpenID)?
Is there support for role-based access permissions?
Can granular authorisation rules be defined (e.g. those reflecting the organisational structure in addition to specific permissions and access levels)?
Is there a batch user import interface?
Can users be managed using a stable and documented API?
Is there support for externalised authorisation management (e.g. entitlement verification via on-premise systems)?
Management
Do you provide a web-based service management console for customers to manage their data?
What level of health monitoring is provided to customers (e.g. real-time thresholds and alerts, online health dashboard)?
Do you provide usage and data tracking tools?
Can the solution be scaled (horizontally / vertically) in an automated rapid manner?
Is there a performance-monitoring service that supports customer-defined monitoring metrics?
Are service interfaces and management consoles resilient to local infrastructure failures?
Do you support customer-defined real-time thresholds and alerts (e.g. e-mail, SMS)?
Do you perform change management logging with six or more months of history?
Is there a performance-monitoring service that supports predefined action events?
Security
Are you ISO27001 (Information Security) certified? If yes, please provide a copy of the certification, scope, statement of applicability and any outstanding improvement plans.
Are you ISO22301 (Business Continuity Management) certified? If yes, please provide a copy of the certification, scope, statement of applicability and any outstanding improvement plans.
Within the context of processing Financial Information, do you have a Third Party Message (TPM)? If yes, please provide a copy to the TPM and accompanying audit framework.
Are you PCI-DSS compliant? If so, please provide a valid PCI-DSS attestation of compliance.
Are you ISO27001-270017 (Cloud Security) certified? If yes, please provide a copy of the certification, scope, statement of applicability and any outstanding improvement plans.
Are you ISO27001-270018 (Cloud Privacy) certified? If yes, please provide a copy of the certification, scope, statement of applicability and any outstanding improvement plans.
Do you have a data breach disclosure/notification process? If yes, please provide a copy.
Are you HIPAA compliant? If so, please provide relevant documentation.
Do you have published employee (and supplier) screening and hiring practices for employee’s who may have access to Customer data and user information?
Do you provide customer-configurable Data Loss Prevention capabilities (e.g. preventing storage and dissemination of specific data attributes)?
Do you conduct regular application layer vulnerability scans?
Do you conduct regular network and operating system penetration tests?
Do you have intrusion prevention and detection capabilities?
Do you perform proactive auditing and notification of incidents of inappropriate management activity?
Do you provide support for data encryption, both at rest and in transit? If so, what standards do you adhere to?
When encryption is used, who owns and manages the related encryption keys?
Do you offer investigation support in the event of a data breach or compromise that relates to customer users or data?
What level of Information Security reporting, as it relates to privacy controls and business continuity, do you provide?
Is Information Security reporting a standard inclusion within any Service Management reports provided to the customer? If so, what reporting is provided and at what frequency?
Are there multitenant controls for separation of users/data within the service?
Can user activity audit logs be made available to customers? If so, what mechanisms are supported (e.g. can logs be sent to an external SIEM solution such as Splunk)?
Storage
Can you provide documented high availability and disaster recovery capabilities and procedures?
Can you provide a data eradication guarantee?
What level of database and/or data backups do you perform?
Are the backups saved to a geographically separate locations? If so, how many and where?
Do you offer a data archiving option? If so, what?
What is the defined SLA regarding recovering data from backup?
Do you adhere to DoD 5220.22-M or NIST SP 800-88 for data sanitisation on retirement of storage devices?
Do you have defined storage limits? If yes, can they be surpassed without impacting service delivery if required?
Where are your data centers located?
Is there support for bulk data import and export / extraction to / from service(s) in a non-proprietary format?
Can customers choose the data centre(s) based on location?
Networks
Do you utilise private network connectivity between all provider data centres?
What are the required customer firewall considerations (e.g. ports and protocols)?
Do you conduct annual tests of average performance and latency of the service?
What is your approach to capacity planning?
Service Levels and SLAs
What is the provided service uptime guarantee (e.g. 99.9%, 99.99% etc.)?
Does downtime calculation start immediately when service is unavailable or degraded?
Is scheduled maintenance limited and communicated in advance?
What is the defined SLA that protects customers against data loss and data integrity issues?
What is the defined SLA for Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for the service(s)?
What is the notification window for customer to submit SLA breach claims?
Do the ownership rights to data, inputs and outputs remain with the customer?
Do you offer publicly accessible and downloadable terms of service?
What level of compliance with WCAG 2.0 do you meet and which assistive technology do you test your service with?
If selected, are you willing to undergo an independent accessibility audit?
Support
Do you provide a dashboard of service health and SLA status?
Is there a live-human-support offering?
Is there online self-service support that is free or included with standard service?
Do you provide an incident management system for identifying, submitting and tracking service incidents?
Do you follow documented change management, incident prioritisation procedures and incident response plans?
Do you provide migration support to and from service(s)?
Do you provide documented support for third-party application integration?
Do you provide sandbox / QA environments?
Do you offer professional services for implementation, support and deployment?
Can the customer control the application of patches, upgrades and changes to the service?
Do you offer an assigned support manager and account representative?
Can you provide at least six months of service health history?
Identity and Users
Is there a web interface to administer user accounts?
A: For Prosple product tiers that involve user authentication with external Identity Providers, all user management is done on the partner side, in the Identity Provider. Secondary profile information is stored with Prosple and there is no interface to manage this data.
For partners wishing to store users (and credentials) in the Prosple platform all user administration is managed by Prosple.
Can directory synchronisation (e.g. Active Directory) be used to manage users?
A: We can integrate directly with Active Directory. Prosple integrates with Active Directory (AD) using Lightweight Directory Access Protocol (LDAP) through an Active Directory/LDAP Connector that you install on your network.
Is there a delegated user administration option?
A: We can achieve this via integration with the Partner IdP, delegating user authentication to the partner.
Do you support standards-based federation and authentication (e.g. SAML, Shibboleth, SCIM, SPML, OAuth, WS-Federation, OpenID)?
A: Yes, we support SAML, OpenID, Google G Suite, Microsoft Azure AD, ADFS, Active Directory / LDAP and Ping Federate.
Is there support for role-based access permissions?
A: No, all users of the portal (students) have the same level of access. No administrative functions are necessary and hence no admin accounts are available for partners.
Can granular authorisation rules be defined (e.g. those reflecting the organisational structure in addition to specific permissions and access levels)?
A: We currently only have user authentication for students, which all have the same level of access.
Is there a batch user import interface?
A: For partners wishing to store users (and credentials) in the Prosple platform batch user import is supported. Otherwise, given users are stored in the partner Identity Provider this is not applicable.
Can users be managed using a stable and documented API?
A: This is not required as we integrate directly with the Partner's identity system.
Is there support for externalised authorisation management (e.g. entitlement verification via on-premise systems)?
A: This is not supported. While authentication can be externalised, authorisation is handled within the Prosple platform.
Integrations
Do you provide APIs and Web services to push and pull data?
A: We provide RSS feeds to pull some data (jobs, content), but not to push data. REST APIs to pull data are currently in our roadmap and can be potentially prioritised on a case by case basis.
Is there a published API and / or Web Services catalogue?
A: All current APIs (with the exception of RSS feeds) are currently internal to Prosple. However public REST/GraphQL APIs are in the roadmap and can be potentially prioritised on a case by case basis. These will be fully documented.
Do you support hybrid deployment and integration models (integrations with on-premises infrastructure or enterprise systems across the required touchpoints)?
No, with the exception of authentication (which can be delegated to Partner systems) all other components of the platform are cloud based.
Do you support direct access to the underlying database for the purpose of customer defined reporting or extraction for loading into the customers own data warehouse?
We do not support direct access to our database. However, we can arrange customised reporting on certain dimensions on demand.
Do you provide integration support and developer assistance resources (e.g. SDKs including command line interfaces, wrappers for programmatic interfaces, an online developer centre or portal)?
We can provide this for the currently supported integrations, which are restricted to authentication.
Do you provide connectors for common integration platforms (e.g. Oracle SOA)?
Currently no other integrations except authentication are supported. However, other integrations are on our roadmap (e.g. application data sent directly to CRMs like Oracle, Salesforce, etc.).
What mechanisms are supported (ODBC, API, XML, etc.) to allow customer access to data such that it can be extracted and used for reporting (data warehouse use cases) purposes?
All data currently is provided by Prosple via predefined reports and Google Analytics access. These can be tailored to the partner’s needs.
Are there any costs associated with accessing customer data either directly (e.g. ODBC) or via the provided APIs / Web Services?
All data currently is provided by Prosple via predefined reports and Google Analytics access. Standard reports have no additional costs. Customised reporting may involve additional costs depending on the complexity.
Is there a professional developer / certification program?
No.
Management
Do you provide a web-based service management console for customers to manage their data?
No.
What level of health monitoring is provided to customers (e.g. real-time thresholds and alerts, online health dashboard)?
Our current monitoring stack, including real-time thresholds, alerts and online health dashboards, runs in Prosple's New Relic platform and is not accessible to customers. Some basic alarms (such as uptime monitors) can be configured for clients on request.
Do you provide usage and data tracking tools?
Yes, we provide access to a Google Analytics dashboard for the directory provided to the partner.
Can the solution be scaled (horizontally / vertically) in an automated rapid manner?
Yes, we have multizone availability and autoscaling. The API used to power the websites has extremely robust caching layers and sits behind a CDN which mitigates several issues from a load perspective.
Is there a performance-monitoring service that supports customer-defined monitoring metrics?
No.
Are service interfaces and management consoles resilient to local infrastructure failures?
No management consoles are currently provided to partners.
Do you support customer-defined real-time thresholds and alerts (e.g. e-mail, SMS)?
For partners we only support this for uptime monitoring.
Do you perform change management logging with six or more months of history?
We store access, error and audit trail logs securely in our platform with over six months' retention; however, these are not provided to partners.
Is there a performance-monitoring service that supports predefined action events?
Yes, New Relic.
Security
Are you ISO27001 (Information Security) certified? If yes, please provide a copy of the certification, scope, statement of applicability and any outstanding improvement plans.
No.
Are you ISO22301 (Business Continuity Management) certified? If yes, please provide a copy of the certification, scope, statement of applicability and any outstanding improvement plans.
No.
Within the context of processing Financial Information, do you have a Third Party Message (TPM)? If yes, please provide a copy to the TPM and accompanying audit framework.
No.
Do you adhere to any international reporting standards as it relates to TPM (e.g. ISAE3402 Type-2, SOX, SSAE16/SOC Type-2)?
Our infrastructure complies with SOC 2 Type 2 certification in Security and Availability on Amazon Web Services (AWS).
Are your TPM controls tested annually on operational effectiveness and over what period (e.g. for 10 consecutive months)?
No.
Are you PCI-DSS compliant? If so, please provide a valid PCI-DSS attestation of compliance.
No.
Are you ISO27001-270017 (Cloud Security) certified? If yes, please provide a copy of the certification, scope, statement of applicability and any outstanding improvement plans.
No.
Are you ISO27001-270018 (Cloud Privacy) certified? If yes, please provide a copy of the certification, scope, statement of applicability and any outstanding improvement plans.
No.
Do you have a data breach disclosure/notification process? If yes, please provide a copy.
We will report any unlawful data breach of this website’s database or the database(s) of our third-party data processors to any and all relevant persons and authorities within 72 hours of the breach if it is reasonably apparent that personal information stored in an identifiable manner has been accessed. Should you have any complaint about a breach, or the way in which we will handle a breach, please contact us.
Are you HIPAA compliant? If so, please provide relevant documentation.
No.
Do you have published employee (and supplier) screening and hiring practices for employees who may have access to Customer data and user information?
No.
Do you provide privacy, Information Security and business continuity education (awareness) to your staff and suppliers? And how often is this renewed?
No.
Do you provide customer-configurable Data Loss Prevention capabilities (e.g. preventing storage and dissemination of specific data attributes)?
No.
Do you conduct regular application layer vulnerability scans?
No.
Do you conduct regular network and operating system penetration tests?
No.
Do you have intrusion prevention and detection capabilities?
Prosple can detect anomalies and stop malicious attempts to access your application. Anomaly detection can alert you and your users of suspicious activity, as well as block further login attempts. This functionality is available as a paid addon and not available in lower tiers that don’t involve authentication.
Do you perform proactive auditing and notification of incidents of inappropriate management activity?
Yes, and should any inappropriate management activity be detected, the incident will be reported to the affected parties within 72h.
Do you provide support for data encryption, both at rest and in transit? If so, what standards do you adhere to?
Yes, measures include TLS for data in transit and encrypted disks.
When encryption is used, who owns and manages the related encryption keys?
Prosple.
How often do you review and test your Business Continuity Plan’s?
We don’t currently have Business Continuity Plans.
Do you offer investigation support in the event of a data breach or compromise that relates to customer users or data?
Yes, Prosple can assist within its capacity in the event of a data breach or compromise.
Do you offer investigation support to a mutually agreed third party in the event of a data breach or compromise that relates to customer users or data?
Yes, Prosple can assist within its capacity in the event of a data breach or compromise.
What level of Information Security reporting, as it relates to privacy controls and business continuity, do you provide?
Currently not provided.
Is Information Security reporting a standard inclusion within any Service Management reports provided to the customer? If so, what reporting is provided and at what frequency?
No.
Are there multitenant controls for separation of users/data within the service?
Yes.
Do you utilise configurable content hygiene controls (e.g. anti-spam, anti-virus)? If so, please provide reporting examples.
No.
Can user activity audit logs be made available to customers? If so, what mechanisms are supported (e.g. can logs be sent to an external SIEM solution such as Splunk)?
This is not currently available for partners.
What physical security is protecting the data centers and facilities that will house client data and information?
Not applicable, we do not store any client data on our side.
Have systems been developed using a structured, secure and approved system development methodology? (please provide details on the used methodology and specify how you embedded the privacy-by-default, least-privileges or RBAC and information-security-by-design principles)
No.
Storage
Can you provide documented high availability and disaster recovery capabilities and procedures?
We maintain complete snapshots of all our applications on a daily basis. Our edge caching system also provides availability of stale data when there are issues at the origin. We currently have as part of our roadmap plans to incorporate multi-availability for higher availability.
Can you provide a data eradication guarantee?
No.
What level of database and/or data backups do you perform?
We maintain complete snapshots of all our applications on a daily basis.
Are the backups saved to a geographically separate locations? If so, how many and where?
No, currently only one location is supported.
Do you offer a data archiving option? If so, what?
We have data archiving for our platform, but it doesn’t really apply to customer data as we don’t store any in our platform.
What is the defined SLA regarding recovering data from backup?
There is no SLA for this as we don’t store any customer data.
Do you adhere to DoD 5220.22-M or NIST SP 800-88 for data sanitisation on retirement of storage devices?
No.
Do you have defined storage limits? If yes, can they be surpassed without impacting service delivery if required?
As far as data uploaded by the users, there is no storage limit.
Where are your data centres located?
Sydney. However, with multi-availability zones in our roadmap we will likely introduce new locations. This has no impact on customer data as we don’t store any.
Is there support for bulk data import and export / extraction to / from service(s) in a non-proprietary format?
There is, but we do not provide a customer interface for this. Depending on the use case this can be provided on demand.
Can customers choose the data centre(s) based on location?
No.
Is there an additional archive / e-discovery as a service offering?
Networks
Do you utilise private network connectivity between all provider data centres?
Yes.
What are the required customer firewall considerations (e.g. ports and protocols)?
Our platform is internet accessible so it needs to be accessible via port 80.
Do you conduct annual tests of average performance and latency of the service?
We constantly monitor performance and latency (daily). We can perform more complex performance tests on an ad-hoc basis.
What is your approach to capacity planning?
Capacity planning is highly mitigated by the usage of cloud infrastructure and autoscaling as we can scale up and down depending on the requirements via constant automated health checks.
Service Levels and SLAs
What is the provided service uptime guarantee (e.g. 99.9%, 99.99% etc.)?
The only uptime SLA we currently have is provided by our infrastructure and is 99.5%.
Does downtime calculation start immediately when service is unavailable or degraded?
Yes, but only at the infrastructure level.
Is scheduled maintenance limited and communicated in advance?
Only when it involves significant user impact (e.g. anything longer than 5-10 mins).
What is the defined SLA that protects customers against data loss and data integrity issues?
We do not store any customer data.
What is the defined SLA for Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for the service(s)?
We do not have a designated SLA for this, however, we aim for an RPO of 2h and RTO of 1h. This however only applies for Prosple content as there is no impact on any customer data.
Do you offer service credits / refunds for outages and do limits apply?
No.
What is the notification window for customer to submit SLA breach claims?
We do not currently provide any SLAs.
Do the ownership rights to data, inputs and outputs remain with the customer?
As we don’t store any customer data, all data is either owned by Prosple or the student.
Do you offer publicly accessible and downloadable terms of service?
Yes.
What level of compliance with WCAG 2.0 do you meet and which assistive technology do you test your service with?
No WCAG 2.0 compliance is currently enforced.
If selected, are you willing to undergo an independent accessibility audit?
Yes.
Support
Do you provide a dashboard of service health and SLA status?
No.
Is there a live-human-support offering?
Yes.
Is there online self-service support that is free or included with standard service?
No.
Do you provide an incident management system for identifying, submitting and tracking service incidents?
No.
Do you follow documented change management, incident prioritisation procedures and incident response plans?
No.
Do you provide migration support to and from service(s)?
Not applicable as we don’t store any customer data.
Do you provide documented support for third-party application integration?
No.
Do you provide sandbox / QA environments?
Yes, only during onboarding, provisioning.
Do you offer professional services for implementation, support and deployment?
These can be provided upon request.
Can the customer control the application of patches, upgrades and changes to the service?
No.
Do you offer an assigned support manager and account representative?
Yes.
Can you provide at least six months of service health history?
No.