Easyblog users have entrusted us to host their blogs and we make it a priority to take our users’ security and privacy concerns seriously. We strive to ensure that user data is handled securely. Easyblog uses some of the most advanced technology for Internet security that is commercially available today. This Security Statement is aimed at being transparent about our security infrastructure and practices, to help reassure you that your data is appropriately protected. Visit our privacy policy for more information on data handling.


User Security

  • Server Security: Easyblog servers are configured to be as secure as possible.  
  • Database Security: Our database servers are on private networks and not accessible over the internet. Our school wide setup isolates each school from each other using their own installation of our software and separate databases.
  • Passwords: All passwords are individually salted and hashed.
  • Privacy: We have a comprehensive privacy policy that provides a very transparent view of how we handle your data, including how we use your data, who we share it with, and how long we retain it.
  • Data Residency: All Easyblog user data is stored on servers located in the United States.


Physical Security


All Easyblog information systems and infrastructure are hosted in world-class data centers. These data centers include all the necessary physical security controls you would expect in a data center these days (e.g., 24×7 monitoring, cameras, visitor logs, entry requirements).


Availability

  • Connectivity: Fully redundant IP network connections with multiple independent connections to a range of Tier 1 Internet access providers.
  • Power: Servers have redundant internal and external power supplies. Data centers have backup power supplies, and are able to draw power from the multiple substations on the grid, several diesel generators, and backup batteries.
  • Uptime: Continuous uptime and performance monitoring.  We employ multiple methods of alerting in the event of a failure. 
  • Failover: Our database is replicated in real-time and can failover.

Network Security

  • Testing: System functionality and design changes are verified in an isolated test “sandbox” environment and subject to functional and security testing prior to deployment to active production systems.
  • Firewalls: Firewalls restrict access to all ports except 80 (http) and 443 (https).  As well as DDoS protection and monitoring.
  • Access Control: 2FA (two-factor authentication), and role-based access is enforced for systems management by authorized engineering staff.
  • Logging and Auditing: Central logging systems capture and archive all internal systems access including any failed authentication attempts.
  • Encryption in Transit: By default, our survey collectors have Transport Layer Security (TLS) enabled to encrypt respondent traffic. All other communications with the Easyblog website are sent over TLS connections, which protects communications by using both server authentication and data encryption. This ensures that user data in transit is safe, secure, and available only to intended recipients. Our application endpoints are TLS only and score an “A” rating on SSL Labs tests.  Every installation of our schoolwide solution also meets this high standard.


Vulnerability Management

  • Patching: Latest security patches are applied to all operating systems, applications, and network infrastructure to mitigate exposure to vulnerabilities.
  • Third Party Scans: Our environments are continuously scanned using best of breed security tools. These tools are configured to perform application and network vulnerability assessments, which test for patch status and basic misconfigurations of systems and sites.


Organizational & Administrative Security

  • Access: Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know / least privilege necessary basis.
  • Audit Logging: We maintain and monitor audit logs on our services and systems.
  • QA and Testing: All changes will be thoroughly tested by our developers and quality assurance team.
  • Scheduled Maintenance Window: We perform all scheduled updates to production services at the weekend. 


Handling of Security Breaches


Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if Easyblog learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under various state and federal laws and regulation, as well as any industry rules or standards that we adhere to. Notification procedures include providing email notices or posting a notice on our website if a breach occurs.


Your Responsibilities


Keeping your data secure also depends on you ensuring that you maintain the security of your account by using sufficiently complicated passwords and storing them safely. You should also ensure that you have sufficient security on your own systems.