Coursedog Security

Data Protection and Accessibility

  • Coursedog takes security extremely seriously and exceeds guidelines and standards for security. Coursedog maintains a set of internal security standards for its database set by Coursedog's CTO. Our internal policies strictly limit the employees that have access to anonymized production data on an as-needed basis. Specifically, access to the production database requires approval and oversight from the CTO, Senior Backend Engineer or Senior Frontend Engineer.
  • Coursedog will maintain audit logs of all requests sent to production applications for a minimum of 6 months. These logs will include the resource requested, source IP, HTTP referrer and HTTP user agent. Access log data will be provided to the client's administrative contact upon request. All customer data within Coursedog belongs to the customer. This includes all schedule content, whether text-based or data that we store in our database. The Customer can request a copy of all data, including archived catalogs.
  • Upon termination of our Software as a Service agreement, all data will be turned over to the Customer in tab-delimited or comma-separated format.

Compliance

  • Coursedog does not require, nor request, any FERPA-protected data.
  • Coursedog is in full compliance with GDPR, WCAG 2.0 and OWASP guidelines.

Connection Security

  • Coursedog uses HTTPS to encrypt traffic between the web server and the user’s browser. We do not serve any resources over insecure HTTP.
  • Coursedog uses HSTS (HTTP Strict Transport Security) to ensure that browsers will only allow opening a secure connection to our servers. This protects against protocol downgrade and cookie hijacking attacks.
  • Coursedog supports almost all University-supported authentication techniques and prefers Shibboleth/CAS single sign on.

Data Security

  • Our database is encrypted with AES-256, an industry standard encryption algorithm.
  • We encrypt all user information before storing credentials in our database.
  • Coursedog uses randomly generated session tokens to identify users, which are sent over HTTPS in every request so we can ensure that data is only accessible by users with the correct privileges. We implement session timeouts consistent with industry best practices.
  • Our database and database backups are managed by MongoDB, a reputable industry leader. Only our servers are IP-whitelisted to access the database, and the connection between our servers and the database is encrypted. Coursedog takes advantage of MongoDB's expertise in maintaining a strong security profile.

Security By Design

  • Coursedog has built its software and database with security at the forefront. We know the importance and fragility of data. Coursedog's web solutions are constructed to be as resilient as possible to common attack vectors.
  • Where possible, defenses against attacks are incorporated directly into the design. For example, our use of MongoDB maintains a separation of the data in the query from the query itself, making an SQL injection type attack fundamentally impossible. Our use of a REST API is beneficial because session state information is not stored on the server, mitigating state-based attacks.
  • Coursedog's web-based design is an important reason why our solutions can be fundamentally more secure than our competitors' products. Coursedog never requires clients to install custom software to access our products. By running in the browser sandbox, our software by default runs with extremely limited privileges, unlike an installed executable. Modern browser sandboxes have been tried and tested for many years and are used by millions of people to protect their computers from malicious actors while on the web. In a web browser sandbox, Coursedog cannot access confidential local files or install viruses or keyloggers on the Customer's machines, even if the system were compromised. This design isolates the Coursedog system from the rest of our Customers' networks.

Security Management

Coursedog has developed a robust mitigation strategy to prevent, triage and resolve any disruptions. We monitor disclosed vulnerabilities in the technologies used by our backend servers and in the browsers used by our Customers. We also maintain an open line of communication with all of our Customers to address any concerns.

We look forward to working with the Customer to streamline its curriculum & scheduling processes.