MeritHub physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes the Amazon Web Service (AWS) technology, the Wasabi technology, as well as the UpCloud Platform. Amazon, Wasabi, and Upcloud continually manage risk and undergo recurring assessments to ensure compliance with industry standards as seen here, here, and here. MeritHub hosts customer and learner data in the United States and Europe.
MeritHub adheres to the principles of least privilege and role-based permissions when provisioning access; employees are only authorized to access data that they reasonably must handle in order to fulfill their current job responsibilities.
MeritHub utilizes multi-factor authentication for employee access to internal systems. VPN and SSH are required for accessing the MeritHub Hosted environments.
MeritHub encrypts data using secure cryptographic algorithms.
All data in transit is encrypted using TLS 1.2 or greater.
MeritHub leverages AES-256 encryption for data at rest.
Key management is in place for all MeritHub encryption keys.
Employee endpoints are configured to comply with MeritHub security standards.
These standards require all endpoints to be properly configured, updated, and utilize up-to-date Endpoint Protection software, that endpoints employ encryption at rest, have strong complex passwords, and lock when idle.
In API you will be sending the following information for teachers and students:
You can configure your S3 cloud object storage bucket then files are always stored in your cloud storage, not on MeritHub storage. We do not maintain any copy of it. Your S3 keys are stored in an encrypted format.
You own the policies on S3 bucket where you can prevent the deletion of objects.
MeritHub segments its platform layers into separate networks with restrictive access between layers to protect customer data.
MeritHub utilizes separate hosting environments for Staging, Development, and Production.
We use cloud security company https://www.cloudflare.com/ to mitigate risks and secure API endpoints from DDOS and other attacks.
MeritHub logs, monitors, and audits all system events, and has alerting in place for events that indicate a potential intrusion or exfiltration attempt.
MeritHub Logging System and Alert Management System collect, aggregate, and correlate thousands of system events a day across MeritHub’s hosting environments to provide Security and DevOps teams with real-time insight into potential security events.
Administrative access, use of privileged commands, and system events on all endpoints in MeritHub hosting environments are logged and monitored.
Analysis of logs is automated to detect potential issues and alert the Security and DevOps teams.
MeritHub tests all code for security vulnerabilities before release and regularly scans its network and systems for vulnerabilities.
MeritHub engages external experts to conduct application and infrastructure penetration tests.
Results of these tests are prioritized and remediated in a timely manner and shared with senior management.
At MeritHub we take cybersecurity seriously and value the contributions of the security community at large. The responsible disclosure of potential issues helps us ensure the security and privacy of our administrators, teachers, students, and our data.
If you believe you've found a security issue in one of our products, please email [email protected] and include the following details with your report:
A description of the issue and where it is located.
A description of the steps required to reproduce the issue.
Please note that this should not be construed as encouragement or permission to perform any of the following activities:
Hack, penetrate, or otherwise attempt to gain unauthorized access to MeritHub applications, systems, or data in violation of applicable law;
Download, copy, disclose or use any proprietary or confidential MeritHub data, including customer data;
Adversely impact MeritHub or the operation of MeritHub applications or systems.
MeritHub does not waive any rights or claims with respect to such activities.
Thank you for helping us keep MeritHub administrators, teachers, students, and our data safe.
All vulnerabilities received by our team are reviewed and prioritized based on severity. For any security inquiry, please contact us at [email protected].
All API endpoints are authenticated by the oAuth2 access token.
All code changes require peer-review and testing (both manual and automated) prior to promotion to production. No single individual may request and implement changes without a review from several other individuals and all changes are logged and tracked.
All developers are required to complete training on secure development practices.
MeritHub has a security awareness program that serves to ensure employees understand the importance of security and its intersection with their workday.
New employees and contractors are required to take security training and training completion is audited throughout the year.
MeritHub employees are required to read and adhere to MeritHub's IT and Security policies.
MeritHub's physical office has a number of security controls in place including access control, remote monitoring, and intrusion detection.
The Information Security team leverages several security threat intelligence sources to keep up to speed on the latest and emerging security threats. This information is disseminated through regular security awareness campaigns to help ensure that MeritHub employees are aware of these threats and what to do in the event that they encounter them.
MeritHub is designed to be highly available with minimal downtime. MeritHub uses both automated and manual tools to monitor the availability of our services.
Metadata is hosted in different regions for durability.
MeritHub Architecture consists of 100+ microservcies and every service can be scaled independently.
Every service's health is automatically monitored and reported every 3 seconds.
MeritHub utilizes services deployed by its hosting provider AWS to distribute production operations across separate availability zones. These distributed zones protect MeritHub's platform from network, power, infrastructure and other common location-specific failures.
MeritHub performs daily backups and replication of its databases across distributed zones and supports restore capability to protect the availability of MeritHub's platform in the event of a site disaster affecting any of these locations.
Full backups are saved at least once per day and transactions are saved continuously.
MeritHub tests backup and restore capabilities periodically to ensure successful disaster recovery.
MeritHub has established policies and procedures for responding to security incidents.
All security incidents are managed by MeritHub’s Security Incident Response Team. The policies define the types of events that must be managed via the incident response process and classify them based on severity.
In the event of an incident, affected customers will be informed via email. Incident response procedures are tested and updated at least annually.
MeritHub's platform complies with the GDPR and provides a high level of protection for administrator, teacher and learner personal data. This includes only collecting, processing, and storing customer data in compliance with these obligations and providing you the right to access or delete it at any time.
MeritHub has implemented policies that provide controls for deleting customer data when it is no longer needed for a legitimate business purpose.
MeritHub also requires our data processing vendors to certify the use of customer data for no other purposes than the provision of services.
As a customer, you can request data deletion at any time during the subscription period. MeritHub can honor requests for erasure, access, and rectification so that our administrators and teachers can comply with the GDPR.
MeritHub’s hosting providers maintain industry standard security practices for ensuring the permanent removal of data from storage media.
MeritHub only shares customer data with third parties that contractually agree to protect the confidentiality and privacy of the data.
MeritHub securely processes credit card information in accordance with PCI-DSS standards. MeritHub does not access or store any credit card information. Instead, we have partnered with Stripe to securely handle credit card information. You can learn more about Stripe's security here.