- CSA STAR
CSA STAR is a rigorous third-party independent assessment of the security of a cloud service provider. This technology-neutral certification leverages the requirements of the ISO/IEC 27001:2013 management system standard together with the CSA Cloud Controls Matrix. See https://cloudsecurityalliance.org/star/registry/applearn.
- Cyber Essentials
Cyber Essentials is a UK Government-backed and industry-supported scheme for protection against cyber-attacks, enforced by a set of controls. AppLearn is independently assessed against the controls set out by the scheme in order to achieve certification.
- Product Security
- Multi-Factor Authentication
MFA (Multi-Factor Authentication) is used at all entry points to AppLearn systems. MFA is required each time a user confirms their username and password, and additional country-level conditional access policies are applied to ensure that employee accounts can only be accessed from countries in which AppLearn operates.
When a customer logs into its AppLearn account, AppLearn hashes the user's credentials before they are stored. A customer may also require its users to add another layer of security to their accounts by using multi-factor authentication (MFA).
AppLearn supports Single Sign-On (SSO) through third-party identity providers such as Azure AD, Okta and Ping Identity.
- Data Security
- Data Encrypted At-Rest
All data and resources are encrypted at rest with AES-256, including but not limited to S3 objects, server disk images, database objects and backups.
- Data Encrypted In-Transit
The AppLearn Adopt cloud platform uses HTTPS (TLS 1.2) to encrypt network traffic transmitted between a customer application and AppLearn’s cloud infrastructure. The Adopt platform can additionally be configured with Single Sign-on (SSO) and supports SAML 2.0.
- Data Retention Policy
In line with all current regulations, and in particular GDPR, we aim to remove any data as soon as we have no legitimate reason to keep it. We have set out a data matrix showing the type of data we hold, in which systems, and what the minimum retention period for that data is. This is cross-referenced against any legislative or legal basis for retention beyond that period.
All data that falls beyond the scope for retention is reviewed and then removed using methods unique to the application that it is stored in.
- Incident Management & Response
- Data Breach Notification
If we learn of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under applicable country-level, state and federal laws and regulations, as well as any industry rules or standards applicable to us.
We are committed to keeping our clients fully informed of any matters relevant to the security of their data and to providing all information necessary for them to meet their own regulatory reporting obligations.
- Availability & Reliability
- Auto Scaling
AppLearn uses auto-scaling technologies to ensure the correct amount of resources is allocated to Adopt to handle increased load during busy periods.
- Organizational Security
- Employee Background Checks
AppLearn carries out background checks on individuals joining AppLearn in accordance with applicable local laws. AppLearn currently verifies the individual’s education and previous employment, and also carries out reference checks. Where local labour law or statutory regulations permit, and dependent on the role or position of the prospective employee, AppLearn may also conduct criminal, credit, immigration, and security checks.
Where appropriate, members of the AppLearn team who access customer systems containing confidential data are subject to additional BPSS (Baseline Personnel Security Standard) checks; the scope of these checks, along with evidence of the assessments, can be provided upon request.
- Employee Security Training
At least once a year, all AppLearn employees must complete the AppLearn security and privacy training which covers AppLearn’s security policies, security best practices, and privacy principles. Employees on a leave of absence may have additional time to complete this annual training. AppLearn’s dedicated security team also performs phishing awareness campaigns and communicates emerging threats to employees.
- Business Continuity
- Business Continuity Plan
Our applications are backed up every 24 hours, a frequency that provides us with a Recovery Point Objective (RPO) of 10 minutes and Recovery Time Objective (RTO) of 4 hours.
Our IT infrastructure is managed and provisioned through code (Infrastructure as Code), which enables us to redeploy every element of our entire application within our RTO should the need arise.
However, as we split the deployment of our application between two different geographical locations within each hosting zone, our downtime is expected to be near zero.
AppLearn systems are cloud-based, whether bespoke vendor systems or our Office 365 provision, and we utilise the BCP/DR functionality provided by the cloud host to maintain functionality and uptime. Additionally, we have a 3rd party backup solution where data is securely stored with a different cloud vendor to cover a potential vendor outage. Backups are taken daily and retained in line with our Data Retention policy.
We have individual plans to cover all aspects of our business, including:
• Application failure
• Application data loss
• Business IT system unavailability
• Natural disasters/loss of access to our office
As all our systems are cloud-based, we are confident that we will be able to restore any service rapidly and minimise any downtime.
- Disaster Recovery Plan
Available upon request
- ISO 27001 - Data Center
AppLearn uses ISO 27001-compliant data centres.
- SOC 2 Type II - Data Center
AppLearn uses SOC 2-compliant AWS and Azure data centres, which have a reputation for being highly scalable, secure and reliable. Information about AWS and Azure audit certifications is available at:
• AWS Security: https://aws.amazon.com/security
• AWS Compliance: https://aws.amazon.com/compliance
• Azure Security: https://docs.microsoft.com/en-us/azure/security/fundamentals/overview
• Azure Compliance: https://docs.microsoft.com/en-gb/azure/compliance/
- Threat Management
- Penetration Testing
AppLearn performs penetration tests and engages independent third-party entities to conduct application-level penetration tests using both black-box and white-box approaches. Results of penetration tests are prioritised, triaged and remediated promptly by AppLearn's Engineering team.
The last penetration test was carried out in June 2022. Results are available by emailing [email protected]
- Vulnerability Scanning
AppLearn maintains controls and policies to mitigate the risk from security vulnerabilities in a measurable time frame that balances risk and the business/operational requirements.
AppLearn uses a third-party tool to conduct vulnerability scans regularly to assess vulnerabilities in AppLearn’s cloud infrastructure and corporate systems. Critical software patches are evaluated, tested and applied proactively. For the AppLearn Adopt Services, operating system patches are applied through the regeneration of a base virtual-machine image and deployed to all nodes in the AppLearn cluster over a predefined schedule. For high-risk patches, AppLearn will deploy directly to existing nodes through internally developed orchestration tools.