Hundreds of users worldwide utilize MyClassboard’s SaaS products to solve business problems. Our people, processes, and products all show our commitment to security. This page explains how we provide security to our customers.

Our Organizational security

Our Information Security Management System (ISMS) considers our security objectives, risks, and mitigations for all parties. In addition, we have strict policies and procedures in place to protect client data.

Employee background verification

Every employee has their background verified. We use reputable outside firms to do this for us. We do this to check their criminal, job, and educational backgrounds. Workers aren’t allocated tasks that could endanger users until this check is done.

A Commitment for Security

Each new employee signs a confidentiality agreement and agrees to follow the company’s policies on data security, privacy, and compliance. We also use tests to assess their knowledge and indicate where they need extra training. We train them on various security topics based on their roles.

We constantly educate our staff on information security, privacy, and compliance through our internal community, where they can keep up with the organization’s security procedures. We also hold internal activities to promote security and privacy.

Internal security and privacy teams

Our security and privacy programmes are implemented and managed by professional staff. They design and manage our defense systems, examine security procedures, and monitor our networks for anomalies. In addition, our engineering teams benefit from their domain-specific expertise.

Internal Audit & Compliance

Our compliance team reviews MyClassboard procedures and policies to ensure they meet standards and decide what controls, processes, and systems are required. This team also conducts internal audits and facilitates external audits and assessments.

Endpoint Security

All MyClassboard workstations have the latest OS and anti-virus software installed. They are set up to meet our security standards, which mandate that all workstations be properly installed, patched, and tracked by MyClassboard’s endpoint management tools. These workstations are safe by default, with data encryption at rest, strong passwords, and idle locking. Mobile devices used for business are managed to ensure they fulfill our security standards.

Physical security

Our workplace security

We control access to our buildings, infrastructure, and amenities using access cards. We issue access cards to employees, contractors, vendors, and visitors based on their intended use of the premises. The HR staff sets and maintains role-specific goals. We monitor access logs for irregularities.

Data Centers

Our colocation providers manage the building, cooling, power, and security while we provide the servers and storage. Access to the Data Centers is limited. Any other access requires a ticket and management approval. Entrances are controlled with biometric authentication. In addition, an incident log, activity logs, and camera footage are provided.

Monitoring

CCTV cameras installed in our business centers and data centers record all entry and exit movements. Backup footage is available for a limited time based on the location’s needs.

Infrastructure security

Network safety

Our network security and monitoring methods provide numerous layers of defense. Firewalls protect our network from unwanted traffic and unlawful access. To protect sensitive data, our systems are networked. Systems for testing and development are kept distinct from those for MyClassboard’s production infrastructure.

We have a fixed schedule for firewall access. Every day, a network engineer examines firewall adjustments. These adjustments are also reviewed every three months to update the rules. In addition, our Network Operations Center personnel monitor unusual or suspicious activity. Our proprietary programme continuously monitors all critical metrics and alerts us to any suspicious activity in our production environment.

Redundancy in network

Our platform is entirely redundant. Our distributed grid architecture protects our system and services against server failures. In a server failure, users can still access their data and use MyClassboard services.

We deploy numerous switches, routers, and security gateways to ensure device redundancy. This prevents single-point network failures.

DDoS defense

We employ proven technologies from reputable companies to avoid DDoS assaults on our servers. These solutions can mitigate DDoS attacks while allowing legitimate traffic to pass. In addition, this ensures our websites, apps, and APIs are always available.

Server security

All development and test servers are hardened (by disabling unused ports and accounts, removing default passwords, etc.). Server hardening is embedded into the base OS image and provisioned in the servers to ensure consistency.

Defending against intrusions

Our intrusion detection system monitors both host-based and network-based signals from our servers. All administrative, privileged commands and system calls on our production servers are logged. Built-in rules and artificial intelligence alert security engineers to potential threats. Our application layer WAF uses both whitelist and blacklist rules.

An ISP’s multi-layered security technique includes scrubbing, network routing, rate limitation, and filtering to tackle threats from network to application layers. This solution ensures clean traffic, a reliable proxy service, and rapid attack notification.

Data security

Data safety design

Change management policies ensure that all application modifications are approved before going live. In addition, our SDLC specifies secure coding rules and the screening of code modifications for potential security vulnerabilities using code analyzer tools, vulnerability scanners, and human review methods, among others.

Our OWASP-compliant application layer security architecture mitigates threats, including SQL injection, cross-site scripting, and application layer DoS attacks.

Data isolation

Our platform manages and distributes cloud space for our clients. The framework’s secure protocols logically segregate each customer’s service data from other customers’ data. This prevents another customer from accessing a customer’s service data.

When you use our services, data is saved on our servers. Your information is yours, not MyClassboard’s. We never share user data without your permission.

Encryption

All data sent to our servers via public networks is encrypted. We require TLS 1.2/1.3 encryption with strong ciphers for all connections to our servers, including web, API, mobile apps, and IMAP/POP/SMTP email clients. This ensures a safe connection by authenticating both parties and encrypting data exchanged. Our email services also use opportunistic TLS by default. TLS encrypts and secures email, preventing eavesdropping between mail servers that support the protocol.

Our encrypted connections fully support Perfect Forward Secrecy (PFS), ensuring that even if we were compromised in the future, no past conversation could be decoded. In addition, we have enabled the HSTS header on all web connections. Even if you type a URL to an unsecured page on our site, this tells all modern browsers to use encrypted connections only. On the web, we also mark all authentication cookies as secure.

At rest: Sensitive customer data is encrypted using the 256-bit Advanced Encryption Standard (AES). Depending on the service, your information is encrypted at rest. Our Key Management Service (KMS) owns and maintains the keys. We add layers of protection by utilizing master keys to encrypt data encryption keys. Less accessible servers hold the master keys and data encryption keys.

Disposal of data

We keep user data as long as customers use MyClassboard Services. Your data will be erased from the current database six months after you close your MyClassboard account. It is erased from backups three months after deletion from the live database. If your unpaid account is dormant for 120 days, we will terminate it and provide you with the chance to back up your data.

Unusable devices are disposed of by a confirmed and authorized vendor. Until then, we sort and store them safely. The data on the devices is formatted before disposal. We degauss failed hard disks and shred them. We crypto-erase and trash faulty solid-state drives (SSDs).

Identity and Access management

Single Sign-On

SSO allows users to access various services using the same sign-in page and credentials. However, you can only sign in to any MyClassboard service using our integrated Identity and Access Management (IAM). We also support SAML for single sign-on, allowing users to use their company’s identity provider, like LDAP or ADFS, to access MyClassboard services.

SSO helps assure compliance, provides effective access control and reporting, and reduces the danger of password fatigue and weak passwords.

Multi-Factor Authentication

Multi-factor authentication adds an extra degree of protection by requiring a second verification in addition to the password. This can considerably lower the risk of unauthorized access if a password is compromised. In addition, MyClassboard One-Auth supports multi-factor authentication. Touch ID or Face ID biometrics, Push Notifications, QR codes, and Time-based OTPs are currently supported.

Admin access

We deploy technical and policy measures to prevent staff from accessing user data at will. We use the principle of least privilege and role-based permissions to reduce the danger of data disclosure.

A central directory manages access to production environments, secured by strong passwords, two-factor authentication, and passphrase-protected SSH keys. We also provide access over a separate network with more robust regulations and hardened equipment. We also log and audit all operations.

Operational security

Logging and tracking

We track and analyze data from services, network traffic, and device and terminal usage. This data is stored in event, audit, fault, administrator, and operator logs. It helps us discover anomalies like strange activity in workers’ accounts or efforts to access consumer data. To centrally manage access control and maintain availability, we store these logs on a secure server.

Every MyClassboard service provides detailed audit logging for all user update and delete operations.

Vulnerability control

We have a dedicated vulnerability management strategy that actively checks for security risks with automated and manual penetration testing. Our security staff also actively monitors public mailing lists, blogs, and wikis for security issues that may affect the company’s infrastructure.

A vulnerability that requires repair is logged, prioritized, and assigned an owner. We then assess the risks and close the vulnerability by patching the susceptible systems or implementing appropriate measures.

Anti-malware and spam protection

Our automated scanning system scans all user files to prevent malware from spreading through the MyClassboard ecosystem. Our custom anti-malware engine scans files for blacklisted signatures and malicious patterns. In addition, our patented detection engine and machine learning protect consumer data from malware.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) employs SPF and DKIM to authenticate messages. In addition, we use our proprietary detection engine to spot phishing and spam attempts on MyClassboard services. We also have a dedicated anti-spam team that monitors the software’s signals and handles abuse reports.

Backup

With MyClassboard Admin Console (ZAC), we do daily incremental backups and complete weekly backups of our databases. Backup data in the DC is encrypted using 256-bit AES and stored as tar.gz files. All backup data is kept for three months. Data recovery requests made during the retention period are fulfilled by restoring the data and providing secure access to it. The time it takes to restore data depends on its size and complexity.

The backup servers use RAID to ensure the safety of the backed-up data. All backups are planned and tracked. In the event of a failure, a re-run is initiated. In addition, the ZAC utility performs automatic integrity and validation tests on entire backups.

We strongly advise you to schedule frequent data backups by exporting MyClassboard services and keeping them locally in your infrastructure.

Business function and disaster recovery

Application data is copied between data centers using robust storage. Data from the primary DC is copied near-instantaneously. In case of primary DC failure, secondary DC takes over, and operations continue smoothly with low or no time loss. Both centers have several ISPs.

We have backup power, temperature control, and fire suppression systems to assure company continuity. These measures aid in resilience. We have data redundancy and a business continuity plan for major activities like support and infrastructure.

Incident management

Reporting

We have an incident response team. We alert you of relevant incidents in our environment and recommend appropriate measures. We keep note of occurrences and take necessary action. Whenever possible, we shall identify, collect, and present you with relevant evidence in application and audit logs. We also install procedures to prevent a recurrence.

We are serious about any security or privacy incidents you report to us via support@myclassboard.in. In addition, we will tell users via our blogs, forums, and social media. Finally, for issues affecting a single user or an entire enterprise, we will email the affected parties (using the primary email address of the Organization administrator registered with us).

Notification of security breaches

According to the General Data Protection Regulation (GDPR), we must notify the relevant Data Protection Authority within 72 hours of becoming aware of a breach. Furthermore, depending on the situation, we may also notify customers. In addition, we, as data processors, inform the affected data controllers promptly.

Disclosures

A vulnerability reporting programme called “Bug Bounty” recognizes and rewards the work of security researchers. We work to verify, reproduce, respond to, and implement appropriate solutions for the identified vulnerabilities.

For any security issues, mail us at support@myclassboard.in

Management of vendors and suppliers

In accordance with our vendor management policy, we onboard new vendors after learning their procedures and assessing risk. We protect our security posture by requiring vendors to adhere to our confidentiality, availability, and integrity commitments to our clients. We evaluate the effectiveness of the organization’s processes and security controls regularly.

Customer security controls

So far, we’ve explored how we provide security to our customers. Here are some steps you may take as a client to safeguard your security:

Use a strong password.

Use MFA.

Use the newest browser, mobile OS, and mobile apps to avoid vulnerabilities and take advantage of new security features.

Use caution when sharing data from our cloud environment.

Sort your data into personal and sensitive categories.

Monitor your account's devices, active online sessions, and third-party access to notice unusual activity and change your account's responsibilities and privileges.

Watch out for suspicious emails, websites, and links that pretend to be from MyClassboard or other trusted services.

Read our resource on Understanding shared responsibility with MyClassboard to learn more. For more information on partnering with MyClassboard on cloud security, privacy, and collaboration, click here.

Conclusion

Data security is a MyClassboard priority. We will continue to protect your data as we always have. For further information, please see our FAQs or contact us at support@myclassboard.in