The PrairieLearn team takes the security of our products and services seriously.
- Software development lifecycle: PrairieLearn, Inc. follows a secure software development lifecycle, including secure coding practices, code reviews, and automated testing.
- Vulnerability scanning: GitHub Dependabot scans for vulnerabilities in third-party packages and dependencies.
- Data protection at rest: Datastores with customer data, including S3 buckets, RDS databases, and EBS volumes, are encrypted at rest.
- Data protection in transit: Data that is transmitted over potentially insecure networks is encrypted in transit using TLS 1.2 or higher.
- Secure remote access: Internal systems are only accessible via AWS Systems Manager. Access to AWS Systems Manager is logged and tightly controlled.
- Identity and access management: PrairieLearn, Inc. uses JumpCloud for identity and access management. Multi-factor authentication is required and utilized wherever possible.
- SOC 2 Type I (coming soon): PrairieLearn, Inc. is currently working with Vanta and third-party auditors to achieve SOC 2 Type I compliance. We expect to complete this process in early 2024. The completed report will be made available to customers upon request.
If you believe you have found a vulnerability in any PrairieLearn software, please report it to us via coordinated disclosure. Do not report suspected vulnerabilities publicly, including through GitHub issues or public Slack channels. Instead, please send an email to security@prairielearn.com with as much relevant information as possible, including:
- The type of issue (e.g. SQL injection or cross-site scripting)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Impact of the issue, including how an attacker might exploit it
The PrairieLearn security team will triage your report and respond according to its impact on PrairieLearn users and systems.