Data Security

MeritHub Approach to Security Keeps Your Data Safe

Secure Architecture

MeritHub's cloud-based platform is purpose-built for the cloud, based on fundamental principles of security and privacy.

In-product

The MeritHub platform has implemented a combination of best-in-class security, privacy and compliance controls to keep customers' and their learners' data safe.

Company Culture

MeritHub has built a company culture that educates its employees and holds them accountable for fulfilling their obligations to protect the privacy and security of our customers’ data.

Data Security and Privacy Controls

  • Data Centers

    MeritHub's physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes the Amazon Web Services (AWS) technology, the Wasabi technology, as well as the UpCloud Platform. Amazon, Wasabi, and UpCloud continually manage risk and undergo recurring assessments to ensure compliance with industry standards as seen here, here, and here. MeritHub hosts customer and learner data in the United States and Europe.

Access Management, Encryption & Endpoint Security

  • Access Management
    • MeritHub adheres to the principles of least privilege and role-based permissions when provisioning access; employees are only authorized to access data that they reasonably must handle in order to fulfill their current job responsibilities.

    • MeritHub utilizes multi-factor authentication for employee access to internal systems. VPN and SSH are required for accessing the MeritHub Hosted environments.

  • Encryption
    • MeritHub encrypts data using secure cryptographic algorithms.

    • All data in transit is encrypted using TLS 1.2 or greater.

    • MeritHub leverages AES-256 encryption for data at rest.

    • Key management is in place for all MeritHub encryption keys.

  • Endpoint Security
    • Employee endpoints are configured to comply with MeritHub security standards.

    • These standards require all endpoints to be properly configured and updated, run up-to-date endpoint protection software, employ encryption at rest, have strong, complex passwords, and lock when idle.

MeritHub API Integration

  • User Information

    Through the API, you send the following information for teachers and students:

    • Name - To show in the virtual classroom
    • Email - You can send a dummy value, as we don't use it for API integrations
    • Image URL - To show in the classroom if the video is off. If you want, you can send us a dummy or default image URL for each user.

  • Configure S3 Compatible Storage
    • You can configure your own S3 cloud object storage bucket. Files are then always stored in your cloud storage, not on MeritHub storage. We do not maintain any copy of them. Your S3 keys are stored in an encrypted format.

    • You own the policies on the S3 bucket, so you can prevent the deletion of objects.

Network Security & System Monitoring

  • Network Security and Server Hardening
    • MeritHub segments its platform layers into separate networks with restrictive access between layers to protect customer data.

    • MeritHub utilizes separate hosting environments for Staging, Development, and Production.

    • We use the cloud security company Cloudflare (https://www.cloudflare.com/) to mitigate risks and secure API endpoints from DDoS and other attacks.

    • MeritHub logs, monitors, and audits all system events, and has alerting in place for events that indicate a potential intrusion or exfiltration attempt.

  • System Monitoring, Logging and Alerting
    • MeritHub Logging System and Alert Management System collect, aggregate, and correlate thousands of system events a day across MeritHub’s hosting environments to provide Security and DevOps teams with real-time insight into potential security events.

    • Administrative access, use of privileged commands, and system events on all endpoints in MeritHub hosting environments are logged and monitored.

    • Analysis of logs is automated to detect potential issues and alert the Security and DevOps teams.

Penetration Testing & Vulnerability Management

  • Vulnerability Management & Penetration Testing
    • MeritHub tests all code for security vulnerabilities before release and regularly scans its network and systems for vulnerabilities.

    • MeritHub engages external experts to conduct application and infrastructure penetration tests.

    • Results of these tests are prioritized and remediated in a timely manner and shared with senior management.

  • Research & Disclosure

    At MeritHub we take cybersecurity seriously and value the contributions of the security community at large. The responsible disclosure of potential issues helps us ensure the security and privacy of our administrators, teachers, students, and our data.

    If you believe you've found a security issue in one of our products, please email [email protected] and include the following details with your report:

    • A description of the issue and where it is located.

    • A description of the steps required to reproduce the issue.

    Please note that this should not be construed as encouragement or permission to perform any of the following activities:

    • Hack, penetrate, or otherwise attempt to gain unauthorized access to MeritHub applications, systems, or data in violation of applicable law;

    • Download, copy, disclose or use any proprietary or confidential MeritHub data, including customer data;

    • Adversely impact MeritHub or the operation of MeritHub applications or systems.

    MeritHub does not waive any rights or claims with respect to such activities.

    Thank you for helping us keep MeritHub administrators, teachers, students, and our data safe.

    All vulnerabilities received by our team are reviewed and prioritized based on severity. For any security inquiry, please contact us at [email protected].

Application Security

  • Application Security Overview
    • All API endpoints are authenticated by an OAuth2 access token.

    • All code changes require peer-review and testing (both manual and automated) prior to promotion to production. No single individual may request and implement changes without a review from several other individuals and all changes are logged and tracked.

    • All developers are required to complete training on secure development practices.

Security Awareness

  • Security Awareness
    • MeritHub has a security awareness program that serves to ensure employees understand the importance of security and its intersection with their workday.

    • New employees and contractors are required to take security training and training completion is audited throughout the year.

    • MeritHub employees are required to read and adhere to MeritHub's IT and Security policies.

    • MeritHub's physical office has a number of security controls in place including access control, remote monitoring, and intrusion detection. 

    • The Information Security team leverages several security threat intelligence sources to keep up to speed on the latest and emerging security threats. This information is disseminated through regular security awareness campaigns to help ensure that MeritHub employees are aware of these threats and what to do in the event that they encounter them.

Reliability, Disaster Recovery & Incident Response

  • Availability, Reliability and Scalability
    • MeritHub is designed to be highly available with minimal downtime. MeritHub uses both automated and manual tools to monitor the availability of our services.

    • Metadata is hosted in different regions for durability.

    • MeritHub's architecture consists of 100+ microservices, and every service can be scaled independently.

    • Every service's health is automatically monitored and reported every 3 seconds.

  • Disaster Recovery and Business Continuity
    • MeritHub utilizes services deployed by its hosting provider AWS to distribute production operations across separate availability zones. These distributed zones protect MeritHub's platform from network, power, infrastructure and other common location-specific failures.

    • MeritHub performs daily backups and replication of its databases across distributed zones and supports restore capability to protect the availability of MeritHub's platform in the event of a site disaster affecting any of these locations.

    • Full backups are saved at least once per day and transactions are saved continuously.

    • MeritHub tests backup and restore capabilities periodically to ensure successful disaster recovery.

  • Responding to Security Incidents
    • MeritHub has established policies and procedures for responding to security incidents.

    • All security incidents are managed by MeritHub’s Security Incident Response Team. The policies define the types of events that must be managed via the incident response process and classify them based on severity.

    • In the event of an incident, affected customers will be informed via email. Incident response procedures are tested and updated at least annually.

Data Privacy

  • Data Privacy Overview

    MeritHub's data privacy controls are designed to honor our obligations around how we collect, process, use and share personal data, as well as our processes to support data retention and disclosure in compliance with applicable privacy laws. MeritHub collects and uses personal data in accordance with our Privacy Policy that complies with the GDPR.

  • Data Sharing and Processing
    • MeritHub's platform complies with the GDPR and provides a high level of protection for administrator, teacher and learner personal data. This includes only collecting, processing, and storing customer data in compliance with these obligations and providing you the right to access or delete it at any time.

    • MeritHub has implemented policies that provide controls for deleting customer data when it is no longer needed for a legitimate business purpose.

    • MeritHub uses cookies only in accordance with our Cookies Policy.

    • MeritHub also requires our data processing vendors to certify the use of customer data for no other purposes than the provision of services.

  • Data Disposal
    • As a customer, you can request data deletion at any time during the subscription period. MeritHub can honor requests for erasure, access, and rectification so that our administrators and teachers can comply with the GDPR.

    • MeritHub’s hosting providers maintain industry standard security practices for ensuring the permanent removal of data from storage media.

  • Vendor Management

    MeritHub only shares customer data with third parties that contractually agree to protect the confidentiality and privacy of the data.

    • Google Analytics: We use Google Analytics to process analytics information on our Services. For more information, please visit Google Analytics' Privacy Policy.
    • Hubspot: We use Hubspot CRM to connect better with our customers. For more information, please visit Hubspot's Privacy Policy.
  • Credit Cards

    MeritHub securely processes credit card information in accordance with PCI-DSS standards. MeritHub does not access or store any credit card information. Instead, we have partnered with Stripe to securely handle credit card information. You can learn more about Stripe's security here.