Security & Compliance at eduMe
Last updated: 17 July 2024
Security and compliance are always top of mind at eduMe, and we understand their significance to both customers and partners.
We run a dedicated information security programme and are committed to its continual improvement. eduMe’s security practices are aligned with the ISO 27001 standard and the SOC 2 Trust Services Criteria.
Compliance
GDPR
eduMe aims to ensure compliance with EU Regulation 2016/679, the General Data Protection Regulation (“GDPR”), and adheres to the principles with which any party handling personal data must comply.
SOC 2 Type II
eduMe Limited was audited by Prescient Assurance. We have obtained the AICPA’s SOC for Service Organizations, SOC 2 Type II. eduMe’s SOC 2 Type II report can be requested through your Customer Success Manager.
If you have any further enquiries please contact us at hello@edume.com.
Infrastructure Security
Hosting
eduMe utilises Heroku (a Salesforce subsidiary) as its cloud service provider. Data is stored on Heroku’s servers located in the EU (Dublin, Ireland).
eduMe relies on Heroku’s security and compliance controls for data centre physical security and cloud infrastructure. Heroku applies security best practices and manages platform security, protecting customers from threats. Heroku data centres are ISO 27001 and FISMA certified. More information about this service provider can be found in Heroku’s security policy.
Monitoring & Logging
Logging
We monitor our database and application server performance with tools provided by Heroku, and with additional application performance monitoring tools and log analysis tools. We have alerts configured for downtime and degraded service.
Availability
To ensure users have real-time service availability updates, eduMe maintains a Status page.
In an emergency, we expect to benefit from Heroku's Continuous Protection, which allows us to restore data to any point in time within the previous 4 days, so we expect data loss in such an event to be minimal.
Encryption
eduMe uses TLS for all data transfers. Data is encrypted at rest in our databases (see the Heroku Postgres documentation).
Security Practices
Access Control
We implement role-based access control based on the principle of least privilege. A subset of eduMe's personnel has access to the products and to customer data via controlled interfaces; this access exists so that we can provide effective customer support, troubleshoot problems, detect and respond to security incidents and implement data security. Access is controlled and logged, with credentials managed through an enterprise password manager and the authentication mechanisms of each interface.
Change Management
Pull requests (PRs) are peer reviewed. Every merged PR automatically goes through a formal QA and release process.
Incident Response
We have an incident response policy in place that applies both to incidents reported by customers or third parties and to issues detected automatically by our monitoring.
Personnel Security
All of our employees undergo a background check and provide two character references during the hiring process. Security awareness training takes place annually and is tracked in our automated compliance tool.
All employees are issued corporate laptops that are checked daily to confirm key security controls are in place (company-approved password manager, hard-disk encryption, automatic updates, up-to-date anti-malware software).
Independent Penetration Testing
At a minimum, eduMe undergoes an external penetration test by an independent third party.
Vulnerability Disclosure Policy
Please refer to our Vulnerability Disclosure Policy page for more details.
Have a security concern?
If you think you have received a phishing email or need to report a security concern to eduMe, please contact security@edume.com. A genuine eduMe email will always come from an edume.com domain. Phishing emails may attempt to spoof (impersonate) the address that eduMe sends from: they appear to come from an edume.com address but are actually sent from a different domain. Do not click on any links or open attachments in suspicious emails.
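The spoofing described above can be checked mechanically rather than by eye. The script below is an added example, not eduMe's own tooling: it takes a raw message, compares the domain in the header From against the envelope sender (Return-Path) and against the Authentication-Results header that the receiving mail server writes (RFC 8601 SPF/DKIM/DMARC verdicts), and flags anything that does not line up with edume.com. The three messages are constructed for the example; the Authentication-Results values, the lookalike domains and the receiving host name mx.example.net are assumptions.

```python
import email
import re
from email.utils import parseaddr

# The sender domain the page says every genuine eduMe email comes from.
TRUSTED_DOMAIN = "edume.com"


def domain_of(address_header):
    """Return the lower-cased domain of an RFC 5322 address header ('' if absent).

    parseaddr() separates the display name from the real address, so a header like
    '"support@edume.com" <x@attacker.example>' yields the attacker's domain, not the
    lookalike text shown to the user.
    """
    _, addr = parseaddr(str(address_header or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers (RFC 8601)."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[method.lower()] = verdict.lower()
    return results


def assess(raw_message):
    """Return a dict describing why (if at all) the message looks spoofed."""
    msg = email.message_from_string(raw_message)
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    auth = auth_results(msg)
    reasons = []
    # 1. The visible sender must be the trusted domain, not a lookalike.
    if from_domain != TRUSTED_DOMAIN:
        reasons.append(f"From domain is {from_domain!r}, not {TRUSTED_DOMAIN!r}")
    # 2. The envelope sender (bounce address) should belong to the same domain.
    if return_path_domain and return_path_domain != from_domain:
        reasons.append(f"Return-Path domain {return_path_domain!r} differs from From domain")
    # 3. The receiving server's DMARC verdict ties the From domain to SPF/DKIM.
    if auth.get("dmarc") != "pass":
        reasons.append(f"DMARC did not pass (got {auth.get('dmarc', 'none')})")
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "auth": auth,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample messages (not real mail). Header values are assumptions.
GENUINE = """Return-Path: <notifications@edume.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=edume.com; dkim=pass header.d=edume.com; dmarc=pass header.from=edume.com
From: eduMe <notifications@edume.com>
To: learner@example.net
Subject: Your course is ready

Hello, your next lesson is available.
"""

# Header From forged to edume.com; envelope and DMARC give it away.
SPOOFED = """Return-Path: <bounce@mail-edume-support.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail-edume-support.example; dkim=none; dmarc=fail header.from=edume.com
From: "eduMe Support" <support@edume.com>
To: learner@example.net
Subject: Action required: verify your account

Click here to verify your account.
"""

# Lookalike domain the attacker controls, so SPF/DKIM/DMARC all pass for it;
# only the domain comparison catches this one.
LOOKALIKE = """Return-Path: <support@edume-login.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=edume-login.example; dkim=pass header.d=edume-login.example; dmarc=pass header.from=edume-login.example
From: "support@edume.com" <support@edume-login.example>
To: learner@example.net
Subject: Password reset

Reset your password here.
"""

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        verdict = assess(raw)
        print(name, "suspicious" if verdict["suspicious"] else "ok", verdict["reasons"])
```

The third message is the important one: every authentication check passes because the attacker owns the lookalike domain, so a check that only trusts "dmarc=pass" would wave it through. The From-domain comparison is what enforces the page's rule that genuine mail comes from edume.com.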