Stride Software, Inc. - Security and Privacy
Updated May 2017
Corporate Trust Commitment
Stride Software, Inc. (“Stride”) is committed to achieving and maintaining the trust of our customers. Integral to this mission is providing a robust security and privacy program that carefully considers data protection matters across our suite of services, including data submitted by customers to our services (“Customer Data”).
This documentation describes the architecture of, the security and privacy-related audits and certifications received for, and the administrative, technical, and physical controls applicable to the services branded as Stride (the “Stride Services”).
The infrastructure used by Stride to host Customer Data submitted to the Stride Services is provided by a third-party provider, Amazon Web Services, Inc. (“AWS”). Currently, the infrastructure hosted by AWS in provisioning of the Stride Services is located in the United States.
Additionally, a portion of customer support for the Stride Services is provided using third-party technology, which requires screenshots of customers’ instances of the Stride Services to be hosted on the third-party’s infrastructure.
The Stride Services include a variety of security controls. These controls include:
- Unique user identifiers (user IDs) to ensure that activities can be attributed to the responsible individual
- Password length controls
- Password complexity requirements for access to the Stride Services
Security Procedures, Policies and Logging
The Stride Services are operated in accordance with the following procedures to enhance security:
- User passwords are stored using bcrypt (the best-in-class one-way key derivation function including a salt) and are never transmitted unencrypted
- User access log entries will be maintained, containing date, time, URL executed or entity ID operated on, operation performed (viewed, edited, etc.) and source IP address. Note that source IP address might not be available if NAT (Network Address Translation) or PAT (Port Address Translation) is used by a customer or its ISP
- Logs will be replicated to secure systems to prevent tampering
- Passwords are not logged under any circumstances
- No defined passwords are set by Stride
- OAuth tokens are encrypted and not transmitted unencrypted
Stride, or an authorized independent third party, will monitor the Stride Services for unauthorized intrusions using network-based intrusion detection mechanisms. Stride may analyze data collected by users' web browsers (e.g., device type, screen resolution, time zone, operating system version, browser type and version, system fonts, installed browser plug-ins, enabled MIME types, etc.) for security purposes, including to detect compromised browsers, to prevent fraudulent authentications, and to ensure that the Stride Services function properly.
All systems used in the provision of the Stride Services log information to their respective system’s log facility or a centralized log server (for network systems) in order to enable security reviews and analysis.
Stride promptly notifies impacted customers of any actual or reasonably-suspected unauthorized disclosure of their respective Customer Data by Stride or its agents of which Stride becomes aware to the extent permitted by law.
Access to the Stride Services, directly or via the Stride API, requires a valid user ID and password combination, or an API key/secret, both of which are encrypted via TLS while in transmission. Following a successful authentication, a random session ID is generated and stored in the user’s browser to preserve and track session state.
Production data centers used to provide the Stride Services have systems that control physical access to the data center. These systems permit only authorized personnel to access secure areas. The facilities are designed to withstand adverse weather and other reasonably predictable natural conditions, are secured by around-the-clock guards, physical access screening and escort-controlled access, and are also supported by on-site back-up generators in the event of a power failure. Further information about physical security provided by AWS is available from the AWS Security Web site, including AWS’s overview of security processes.
Reliability and Backup
All networking components, load balancers, Web servers and application servers are configured in a redundant configuration. All Customer Data submitted to the Stride Services is stored on a primary database server that is clustered with a backup database server for higher availability. All Customer Data submitted to the Stride Services is backed up daily.
The Stride Services use industry-accepted encryption products to protect Customer Data and communications during transmissions between a customer's network and the Stride Services, including 256-bit TLS Certificates and 256-bit AES encryption at a minimum.
Deletion of Customer Data
This process is subject to applicable legal requirements.
After contract termination, to request deletion of Customer Data submitted to the Stride Services, contact us at email@example.com. After such deletion is initiated by Stride, Customer Data will remain in inactive status on backup media for 90 days, after which it will be overwritten or deleted.
Without limiting the ability for customers to request return of their Customer Data submitted to the Stride Services, Stride reserves the right to reduce the number of days it retains such data after contract termination. Stride will update this in the event of such a change.
Sensitive Personal Data
Important: The following types of sensitive personal data may not be submitted to the Stride Services: government-issued identification numbers; financial information (such as credit or debit card numbers, any related security codes or passwords, and bank account numbers); personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life; information related to an individual’s physical or mental health; and information related to the provision or payment of health care.
For clarity, the foregoing restrictions do not apply to financial information provided to Stride for the purposes of checking the financial qualifications of, and collecting payments from, its customers.
Tracking and Analytics
Stride may track and analyze use of the Stride Services for the purposes of security and helping Stride improve both the Stride Services and the user experience in using the Stride Services. Stride may also use this information and user’s email addresses to contact customers or their users to provide information about the Stride Services. Without limiting the foregoing, Stride may share data about Stride customers' or their users' use of the Stride Services (“Usage Statistics”) to Stride’s service providers for the purpose of helping Stride in such tracking or analysis, including improving its users’ experience with the Stride Services, or as required by law.