Security at Thought Industries

Thought Industries maintains a comprehensive Information Security Management System (ISMS) including business continuity, disaster recovery, risk management, and controls. The platform is maintained and operated following a rigorous Software Development Life Cycle (SDLC) and a Change Management process. Below you will find a high-level overview of security at Thought Industries. If you have any questions, don't hesitate to contact us!

Hosting and Physical Server Security

Thought Industries servers are hosted on Amazon Web Services (AWS). The AWS secure hosting environment includes certifications and reports for SSAE16 SOC 1, 2 and 3, ISO 27001 and FedRAMP/FISMA. AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centers by AWS employees is logged and audited routinely.

You can read more about AWS security here: https://aws.amazon.com/security/

Networking Security

The Thought Industries platform is 100% HTTPS (TLS) encrypted and secured. Data is protected in transit (with TLS encryption) and at rest (with AES-256 encryption). All networking is restricted by firewall and routing rules (AWS Security Groups). All access is logged, and logs are retained for a minimum of 90 days. SSH access is protected by TLS and private key authentication, and is enabled for administration to a select group of TI employees based on role and business need.

Authentication

Clients can access the Thought Industries platform using a password which is known only to them and only over secure (HTTPS) connections. Client and learner password strength requirements are configurable on a per-instance basis.

Passwords of users logging on to Thought Industries are not stored. Only a secure hash (bcrypt) of the password is stored in our databases. Because the hash is expensive to compute, and because a “salt” is used, password reverse-engineering is difficult even if the hash value were to be obtained by a malicious party. Brute-force guessing attempts are automatically detected and blocked.
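The two properties the paragraph relies on, a random per-password salt and a tunable work factor, are easier to see in code. The following is an added example written for this page, not Thought Industries' own code: it stores only a self-describing hash record, verifies a login by recomputing the hash with the stored salt and cost, and shows that the same password hashed twice produces two different records. Because bcrypt is not in the Python standard library, PBKDF2-HMAC-SHA256 from `hashlib` is used as a stand-in with the same structure; the iteration count and salt length are illustrative values chosen for the demo, not the platform's settings.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed demo parameters (not the platform's real configuration). The iteration count
# is the "expensive to compute" knob; the salt defeats precomputed lookup tables.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, *, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return the only thing worth storing: "pbkdf2$<iterations>$<salt hex>$<digest hex>".

    The plaintext password never leaves this function. Embedding the cost and salt in
    the record lets verification work even after the default cost is raised later.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never "accept by accident"
    if algo != "pbkdf2":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salts_differ(password: str) -> bool:
    """Hashing the same password twice gives two unrelated records: an attacker who
    obtains a leaked table cannot reuse one precomputed dictionary across all users."""
    return hash_password(password) != hash_password(password)


def seconds_per_guess(iterations: int) -> float:
    """Wall-clock cost of a single guess at the given work factor. Raising the cost
    slows each offline guess by the same factor while a single login stays cheap."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"guess", b"\x00" * SALT_BYTES, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login with right password:", verify_password("correct horse battery staple", record))
    print("login with wrong password:", verify_password("wrong password", record))
    print("two hashes of one password differ:", salts_differ("hunter2"))
    print("one guess at 1,000 iterations: %.5fs" % seconds_per_guess(1_000))
    print("one guess at 200,000 iterations: %.5fs" % seconds_per_guess(200_000))
```

The record format is what makes the "only a hash is stored" claim auditable: a database dump contains the cost, the salt and the digest, and nothing from which the password can be read back without repeating the full work for every candidate.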

When Thought Industries instances opt to connect to an external system using user-supplied credentials (SSO), where possible this is done using JWT, SAML 2.0, or CAS, and in those cases no credentials need to be stored on Thought Industries servers.

Development and Testing Process

Thought Industries developers have been trained in secure coding practices, such as the OWASP Top 10. We have fully functional automation systems in place which enable us to test and deploy changes to any of our applications in minutes. The Thought Industries platform uses industry standard, high-strength algorithms including AES and bcrypt. Quarterly security tests are conducted, including using scanning and fuzzing tools to check for potential platform vulnerabilities.

Payment Data Security

Thought Industries does not store credit card information on its servers. All payments are processed through a leading online payments provider, Stripe. For more information about PCI compliance and Stripe’s other security features, see https://stripe.com/docs/security