Technical FAQ

Team Prosple

This article covers the common questions we get asked by security and IT departments when implementing a new career directory. Please refer here for any technical and security questions. If you have a question that isn’t addressed below, please reach out and we’ll answer that too.

Contents

1. Security
   1.1. Database Security
        1.1.1. Encryption of Data at Rest
        1.1.2. Encryption of Data in Transit
        1.1.3. Access Control
        1.1.4. Network Isolation and Database Firewall
   1.2. Application Infrastructure Security (ECS)
   1.3. Application Security and Patch Policy
   1.4. Production vs Non-Production Environments
   1.5. Logging
   1.6. Audit Tracing
   1.7. Credentials Management
2. User Information & Identity Management
   2.1. Using Prosple as an Authentication Provider
   2.2. SSO – Integrating with third party Authentication System
   2.3. No Authentication
3. Integrations and APIs
4. Service Status & Monitoring
5. Performance and Availability
6. F.A.Q
   6.1. Identity and Users
   6.2. Management
   6.3. Security
   6.4. Storage
   6.5. Networks
   6.6. Service Levels and SLAs
   6.7. Support

Security

We take the security of our platform seriously and have implemented several measures and tools in our platform to protect students, universities and employers from security risks related to the functioning of the Prosple Network.

Database Security

All our databases, including both content and user preference information, are encrypted. None of our databases is accessible via the internet; all are secured within our private subnet inside our AWS infrastructure.

Encryption of Data at Rest

Data stored at rest in the underlying storage is encrypted, as are its automated backups, read replicas, and snapshots. RDS encryption uses the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS instance.

Encryption of Data in Transit

Communications between our applications and the DB instances are encrypted using SSL/TLS. Once an encrypted connection is established, all data transferred between the DB instance and the applications is encrypted in transit.

Access Control

Access to our databases is governed by user-based access control mechanisms. Only vetted and privileged users have access to Production databases, and these databases do not contain any user credential data (which is handled by a separate system, Auth0).

Network Isolation and Database Firewall

All our DB instances exist in our own virtual network and connect to your existing IT infrastructure using industry-standard encrypted IPsec VPN.

All our DB instances run within a private subnet.

Only applications within our VPC are allowed to access the databases and, since all access is handled securely via VPN and SSO, we do not expose SSH access to our platform (e.g. a bastion host).

DB security groups are also used to help secure DB instances within our Amazon VPC. In addition, network traffic entering and exiting each subnet is allowed or denied via network ACLs.
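The controls in 1.1.1, 1.1.2 and 1.1.4 above (encrypted storage, TLS to the database, a private subnet with ingress only from the application tier's security group) can be verified mechanically rather than taken on trust. The script below is an added example written for this article, not Prosple's own tooling. It evaluates records in the shape of the boto3 `describe_db_instances`, `describe_security_groups` and `describe_db_parameters` responses; every identifier in it (`example-content-db`, `sg-0db00000`, `sg-0app00000`, `vpc-0example`, the parameter group name) is a constructed placeholder. Using the MariaDB/MySQL `require_secure_transport` server parameter to refuse plaintext connections is this example's assumption about how TLS would be enforced server-side, not something the article states.

```python
"""Offline posture check for the database controls described in section 1.1.

Added example, not Prosple's code. The three sample records below are
constructed to match the boto3 response shapes; they were not captured from
any real account.
"""

# Shape of one item in rds.describe_db_instances()["DBInstances"] (constructed)
SAMPLE_DB_INSTANCE = {
    "DBInstanceIdentifier": "example-content-db",
    "Engine": "mariadb",
    "StorageEncrypted": True,          # 1.1.1: volume, snapshots and replicas encrypted
    "PubliclyAccessible": False,       # 1.1.4: no internet-resolvable endpoint
    "DBSubnetGroup": {"VpcId": "vpc-0example", "DBSubnetGroupName": "example-private-subnets"},
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0db00000", "Status": "active"}],
    "DBParameterGroups": [{"DBParameterGroupName": "example-mariadb-tls", "ParameterApplyStatus": "in-sync"}],
}

# Shape of one item in ec2.describe_security_groups()["SecurityGroups"] (constructed):
# the only ingress source is the application tier's security group, no CIDR ranges.
SAMPLE_DB_SECURITY_GROUP = {
    "GroupId": "sg-0db00000",
    "VpcId": "vpc-0example",
    "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
        "IpRanges": [],
        "UserIdGroupPairs": [{"GroupId": "sg-0app00000"}],
    }],
}

# Shape of rds.describe_db_parameters()["Parameters"] (constructed). Assumption for
# this example: TLS is made mandatory through require_secure_transport.
SAMPLE_DB_PARAMETERS = [
    {"ParameterName": "require_secure_transport", "ParameterValue": "1"},
    {"ParameterName": "max_connections", "ParameterValue": "500"},
]

# A deliberately weak configuration, constructed to show what the check reports.
WEAK_DB_INSTANCE = dict(SAMPLE_DB_INSTANCE, DBInstanceIdentifier="example-weak-db",
                        StorageEncrypted=False, PubliclyAccessible=True)
WEAK_DB_SECURITY_GROUP = {
    "GroupId": "sg-0db00000", "VpcId": "vpc-0example",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
}
WEAK_DB_PARAMETERS = [{"ParameterName": "require_secure_transport", "ParameterValue": "0"}]


def assess_database(instance, security_group, parameters, db_port=3306):
    """Return a list of findings; an empty list means every control in 1.1 holds."""
    findings = []
    name = instance["DBInstanceIdentifier"]

    # 1.1.1 Encryption at rest
    if not instance.get("StorageEncrypted", False):
        findings.append(f"{name}: storage is not encrypted at rest")

    # 1.1.4 Network isolation: no public endpoint, security group in the same VPC
    if instance.get("PubliclyAccessible", False):
        findings.append(f"{name}: instance is publicly accessible")
    if security_group["VpcId"] != instance["DBSubnetGroup"]["VpcId"]:
        findings.append(f"{name}: security group {security_group['GroupId']} is in a different VPC")

    # 1.1.4 Database firewall: SG-to-SG ingress only, and only on the database port
    for rule in security_group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in ("0.0.0.0/0", "::/0"):
                findings.append(f"{name}: ingress open to the internet ({cidr})")
            else:
                findings.append(f"{name}: CIDR-based ingress {cidr} (expected SG-to-SG only)")
        if rule.get("IpProtocol") == "-1" or rule.get("FromPort") != db_port or rule.get("ToPort") != db_port:
            findings.append(f"{name}: ingress rule is wider than port {db_port}")

    # 1.1.2 Encryption in transit: the server must refuse plaintext client connections
    params = {p["ParameterName"]: p.get("ParameterValue") for p in parameters}
    if params.get("require_secure_transport") not in ("1", "ON"):
        findings.append(f"{name}: require_secure_transport is not enabled; TLS is optional for clients")
    return findings


if __name__ == "__main__":
    print("hardened:", assess_database(SAMPLE_DB_INSTANCE, SAMPLE_DB_SECURITY_GROUP, SAMPLE_DB_PARAMETERS))
    for finding in assess_database(WEAK_DB_INSTANCE, WEAK_DB_SECURITY_GROUP, WEAK_DB_PARAMETERS):
        print("weak:", finding)
```

The function takes plain dicts rather than a boto3 client on purpose: in a real account the three sample records are replaced by the live responses, while the checking logic stays unit-testable offline. Note that `PubliclyAccessible: False` and a private subnet are both needed; the security group alone does not prevent a public endpoint from being created.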

Application Infrastructure Security (ECS)

Application Security and Patch Policy

Our application stacks consist mostly of the following frameworks, all of which have mature security practices and publish regular security advisories:

    • Drupal 9
    • NodeJS
    • NextJS
    • GraphQL
    • MariaDB
    • Redis
    • MongoDB

We make sure that the underlying frameworks are kept up to date at all times, applying patches from released security advisories with maximum priority.

The applications also undergo regular vulnerability scans to complement our security patch policy.

Production vs Non-Production Environments

We have a complete separation of concerns between our Production and Non-Production (Staging) environments.

Production and Non-Production use completely separate AWS accounts, and access control is maintained separately for each. Access always requires 2FA and Single Sign-On authentication, together with a VPN connection to reach the VPC where the services run.

Logging

We maintain a full set of logs across all our applications including access logs, application logs and error logs. We also have VPC flow logs in place.

Our retention policy for production logs is 24 months.

Audit Tracing

We have a completely separate AWS account purely responsible for audit logs, recording every interaction with our AWS infrastructure for audit purposes. This account is read only.

Our retention policy for production logs is 24 months.
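The access policy above (2FA and SSO for every AWS account, every infrastructure interaction recorded in a separate read-only audit account) lends itself to a detection rule run over the audit records. The script below is an added example written for this article, not Prosple's code. It assumes the audit records are CloudTrail events (the article does not name the service) and flags three things that would contradict the stated policy: a successful console login without MFA, an API call by a long-lived IAM user without an MFA-authenticated session, and any call that alters the audit trail itself. All records, user names, role names and the account id `111111111111` are constructed samples.

```python
"""Detection logic over CloudTrail-style audit records (sections 1.4 and 1.6).

Added example, not Prosple's code. The records below are constructed samples
in the CloudTrail event shape; nothing here was captured from a real account.
"""
import json

CONSTRUCTED_EVENTS = json.loads("""
{"Records": [
  {"eventID": "ev-1", "eventTime": "2024-01-01T09:00:00Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice-example"},
   "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
  {"eventID": "ev-2", "eventTime": "2024-01-01T09:05:00Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob-example"},
   "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
  {"eventID": "ev-3", "eventTime": "2024-01-01T09:10:00Z", "eventSource": "rds.amazonaws.com",
   "eventName": "DescribeDBInstances",
   "userIdentity": {"type": "AssumedRole",
                    "arn": "arn:aws:sts::111111111111:assumed-role/ExampleSSORole/carol"}},
  {"eventID": "ev-4", "eventTime": "2024-01-01T09:15:00Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "RunInstances", "userIdentity": {"type": "IAMUser", "userName": "ci-example"}},
  {"eventID": "ev-5", "eventTime": "2024-01-01T09:20:00Z", "eventSource": "cloudtrail.amazonaws.com",
   "eventName": "StopLogging",
   "userIdentity": {"type": "AssumedRole",
                    "arn": "arn:aws:sts::111111111111:assumed-role/ExampleAdminRole/erin"}},
  {"eventID": "ev-6", "eventTime": "2024-01-01T09:25:00Z", "eventSource": "s3.amazonaws.com",
   "eventName": "ListBuckets",
   "userIdentity": {"type": "IAMUser", "userName": "dave-example",
                    "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}}
]}
""")["Records"]

# CloudTrail API calls that weaken or disable the trail itself. In an account whose
# only purpose is to hold audit logs, none of these should ever appear.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def actor(event):
    """Human-readable principal: the IAM user name, else the session ARN."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


def audit_findings(events):
    """Return one finding string per record that contradicts the stated access policy."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        eid, name, who = ev.get("eventID", "?"), ev.get("eventName", "?"), actor(ev)
        if name == "ConsoleLogin":
            # Console sign-ins record MFAUsed in additionalEventData; a successful
            # login without it violates the "always 2FA" statement.
            succeeded = ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            if succeeded and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                findings.append(f"{eid}: console login by {who} without MFA")
        elif ident.get("type") == "IAMUser":
            # API calls by a long-lived IAM user rather than an SSO role session: accept
            # only sessions CloudTrail marks as MFA-authenticated. A bare access key has
            # no sessionContext at all and is therefore flagged as well.
            attrs = ident.get("sessionContext", {}).get("attributes", {})
            if attrs.get("mfaAuthenticated") != "true":
                findings.append(f"{eid}: {name} by IAM user {who} without an MFA-authenticated session")
        if ev.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER_EVENTS:
            findings.append(f"{eid}: {name} by {who} modifies the audit trail itself")
    return findings


if __name__ == "__main__":
    for line in audit_findings(CONSTRUCTED_EVENTS):
        print(line)
```

SSO sign-ins appear in CloudTrail as `AssumedRole` sessions, and the MFA step for those happens at the identity provider, so the rule deliberately does not require `mfaAuthenticated` on role sessions; it only does so for `IAMUser` principals, whose presence at all is worth questioning under an SSO-only policy.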

Credentials Management

All our credentials are securely stored in a separate secure system using Auth0.

These credential repositories are ISO27001, SOC 2 Type II, ISO27018, HIPAA BAA, Gold CSA STAR and PCI DSS certified.

Identifiable information such as first name, last name and email address is also stored here, kept separate from the rest of the profile information, which is stored within Prosple’s platform.

User Information & Identity Management

Prosple stores user information in two separate databases: one responsible for profile information (degrees completed, spoken languages, notification preferences etc.), the other (securely in Auth0) for user credentials and primary identity information such as first name and last name.

There are three authentication scenarios when dealing with the Prosple platform:

  1. When using Prosple as an authentication provider

  2. When using our Single Sign On features to integrate with a third party Identity Provider

  3. Websites without the authentication feature enabled

Using Prosple as an Authentication Provider

When using Prosple as an auth provider, user credentials and primary identities are stored in our Auth0 tenant (see the security certifications in the Credentials Management section of this document).

Authentication is performed between our applications and our authentication service via standard OAuth 2.0 protocols.

Profile information can optionally be stored for logged in users.

SSO – Integrating with third party Authentication System

When using Prosple’s SSO capabilities, we can integrate with your system of choice. We support several protocols such as OpenID and SAML, and have various out-of-the-box integrations for the major enterprise solutions such as Google Workspace, Microsoft Azure AD, ADFS, Active Directory/LDAP and Ping Federate.

In this scenario we do not store any user credentials as that is completely handled by the third party identity provider.

We can optionally store user profile information, as well as primary identity information (e.g. for in-app greetings).

No Authentication

Our platform can be configured without any user authentication, which can be useful if you have security or privacy concerns and are unable to use our SSO capabilities.

In this case we don’t store any user information, but authenticated features like bookmarking, email alerts and virtual experiences aren’t available.

Integrations and APIs

Prosple offers a few ways to integrate with third party systems and APIs.

The main options existing at the moment are:

  1. Fully featured authentication integration (see the “User Information & Identity Management” section)

  2. RSS feeds that can be consumed to obtain the latest job posts on a given channel

A fully featured GraphQL API that will allow customers to integrate fully with our service is on our roadmap and is already in development.

Meanwhile, if you have any specific requests, we can consider ad-hoc integrations on a per-use-case basis.

Service Status & Monitoring

Our applications, microservices and infrastructure are all monitored continuously.

For monitoring at the application level, our New Relic platform is able to identify any application level risks, inefficiencies or errors, immediately alerting the Engineering team to the problem.

To complement this we have detailed access logs and application logs stored in CloudWatch.

We also have granular visibility into our infrastructure through CloudWatch, giving us a clear picture of the health of our clusters, database services, network load, disk usage, CPU and RAM utilisation etc.

Performance and Availability

Being a fully distributed system spanning a network of 200+ digital channels, the Prosple platform is built on performance and availability best practices.

From a technical standpoint, the first barrier of defence is our worldwide CDN, with multiple nodes scattered around the globe caching requests at the edge.

As we utilise a proactive cache clearing strategy (as opposed to TTL), we can boast a cache hit ratio at the edge of around 80-85%, heavily protecting our origin servers.

Once traffic arrives at the origin, we complement a robust in-memory cache (Redis) with our database-layer cache for optimal performance.

If load becomes too high for the system, our autoscaling monitors kick in, provisioning more application containers (or cluster nodes) to accommodate the load.

F.A.Q

Identity and Users

Is there a web interface to administer user accounts?

For Prosple product tiers that involve user authentication with external Identity Providers, all user management is done on the partner side, in the Identity Provider. For partners wishing to store users (and credentials) in the Prosple platform all user administration is managed by Prosple. Secondary profile information is stored with Prosple and there is no interface to manage this data, only users themselves can manage it.

Can directory synchronisation (e.g. Active Directory) be used to manage users?

We can integrate directly with Active Directory. Prosple integrates with Active Directory (AD) using Lightweight Directory Access Protocol (LDAP) through an Active Directory/LDAP Connector that you install on your network.

Is there a delegated user administration option?

We can achieve this via integration with the partner IdP, delegating user authentication to the partner.

Do you support standards-based federation and authentication (e.g. SAML, Shibboleth, SCIM, SPML, OAuth, WS-Federation, OpenID)?

Yes, we support SAML, OpenID, Google G Suite, Microsoft Azure AD, ADFS, Active Directory / LDAP and Ping Federate.

Is there support for role-based access permissions?

Yes, but only for Prosple employees. For students (student sites) and employers (employer hub) there is a uniform set of permissions per role. No administrative functions are necessary and hence no admin accounts are available for partners.

Can granular authorisation rules be defined (e.g. those reflecting the organisational structure in addition to specific permissions and access levels)?

Given the features in both student sites and employer hub don’t warrant more granular permission schemes, this is currently not possible.

Is there a batch user import interface?

For partners wishing to store users (and credentials) in the Prosple platform batch user import is supported. Otherwise, given users are stored in the partner Identity Provider this is not applicable.

Can users be managed using a stable and documented API?

User management is not currently supported in any of our client-facing APIs. However, this is not required for SSO clients, as we integrate directly with the partner’s identity system.

Is there support for externalised authorisation management (e.g. entitlement verification via on-premise systems)?

This is not supported. While authentication can be externalised, authorisation is handled within the Prosple platform.

Management

Do you provide a web-based service management console for customers to manage their data?

Not applicable in the case of Prosple as we don’t manage customer data in our platform. We do manage student data and students have a web interface to manage their own data within our system.

What level of health monitoring is provided to customers (e.g. real-time thresholds and alerts, online health dashboard)?

Our current monitoring stack, including real-time thresholds, alerts and online health dashboards, runs on Prosple’s New Relic platform and is not accessible to customers. Some basic alarms (such as uptime monitors) can be configured for clients on request. A status page is provided via Prosple Status.

Do you provide usage and data tracking tools?

Yes, we provide access to a Google Analytics dashboard for the directory provided to the partner.

Can the solution be scaled (horizontally / vertically) in an automated rapid manner?

Yes, we have multi-zone availability and autoscaling. Our platform supports both vertical and horizontal scaling. The API that powers the websites has extremely robust caching layers and sits behind a CDN that absorbs on average 80% of the load.

Is there a performance-monitoring service that supports customer-defined monitoring metrics?

Currently not supported, all monitoring provided is uniform across all clients.

Are service interfaces and management consoles resilient to local infrastructure failures?

All our services are spread across three availability zones to mitigate risk of local infrastructure failures.

Do you support customer-defined real-time thresholds and alerts (e.g. e-mail, SMS)?

For partners we only support this for uptime monitoring.

Do you perform change management logging with six or more months of history?

We keep change management logs with a minimum of 12 months of history. All changes in the codebase are tracked and traceable via version control, product management changes are logged in our Jira instance, and all infrastructure changes are audit-trailed in a dedicated read-only AWS account for audit purposes.

Is there a performance-monitoring service that supports predefined action events?

Yes, we currently use both New Relic for application monitoring and CloudWatch for infrastructure monitoring.

Security

Are you ISO27001 (Information Security) certified? If yes, please provide a copy of the certification, scope, statement of applicability and any outstanding improvement plans.

Prosple isn’t ISO27001 certified, however all our infrastructure (AWS) and our Identity Management service (Auth0) are.

Are you ISO22301 (Business Continuity Management) certified? If yes, please provide a copy of the certification, scope, statement of applicability and any outstanding improvement plans.

Prosple isn’t ISO22301 certified at this point.

Within the context of processing Financial Information, do you have a Third Party Message (TPM)? If yes, please provide a copy of the TPM and the accompanying audit framework.

We do not process any financial information through our systems.

Are you PCI-DSS compliant? If so, please provide a valid PCI-DSS attestation of compliance.

Prosple isn’t PCI-DSS certified, however all our infrastructure (AWS) and our Identity Management service (Auth0) are.

Are you ISO27001-270017 (Cloud Security) certified? If yes, please provide a copy of the certification, scope, statement of applicability and any outstanding improvement plans.

Prosple isn’t ISO27001-270017 certified at this point.

Are you ISO27001-270018 (Cloud Privacy) certified? If yes, please provide a copy of the certification, scope, statement of applicability and any outstanding improvement plans.

Prosple isn’t ISO27001-270018 certified at this point.

Do you have a data breach disclosure/notification process? If yes, please provide a copy.

We will report any unlawful data breach of this website’s database or the database(s) of our third-party data processors to any and all relevant persons and authorities within 72 hours of the breach if it is reasonably apparent that personal information stored in an identifiable manner has been accessed. Should you have any complaint about a breach, or the way in which we will handle a breach, please contact us.

Are you HIPAA compliant? If so, please provide relevant documentation.

Prosple isn’t HIPAA certified, however all our infrastructure (AWS) and our Identity Management service (Auth0) are.

Do you have published employee (and supplier) screening and hiring practices for employees who may have access to customer data and user information?

Prosple takes the utmost care with both employee and supplier screening and hiring practices, however we do not currently have these publicly published.

Do you provide customer-configurable Data Loss Prevention capabilities (e.g. preventing storage and dissemination of specific data attributes)?

We currently do not have any specialised data loss prevention capabilities.

Do you conduct regular application layer vulnerability scans?

Yes.

Do you conduct regular network and operating system penetration tests?

Yes.

Do you have intrusion prevention and detection capabilities?

Prosple can detect anomalies and stop malicious attempts to access your application. Anomaly detection can alert you and your users to suspicious activity, as well as block further login attempts. This functionality is available as a paid add-on and is not available in lower tiers that don’t involve authentication.

Do you perform proactive auditing and notification of incidents of inappropriate management activity?

Yes. Should any inappropriate management activity be detected, the incident will be reported to the affected parties within 72h.

Do you provide support for data encryption, both at rest and in transit? If so, what standards do you adhere to?

Yes, measures include TLS for data in transit and encrypted storage for data at rest (further explained above in this document).

When encryption is used, who owns and manages the related encryption keys?

Prosple.

Do you offer investigation support in the event of a data breach or compromise that relates to customer users or data?

Yes, Prosple can assist within its capacity in the event of a data breach or compromise.

What level of Information Security reporting, as it relates to privacy controls and business continuity, do you provide?

We currently do not provide this level of reporting.

Is Information Security reporting a standard inclusion within any Service Management reports provided to the customer? If so, what reporting is provided and at what frequency?

Information Security reporting is currently not a standard inclusion.

Are there multitenant controls for separation of users/data within the service?

Yes.

Can user activity audit logs be made available to customers? If so, what mechanisms are supported (e.g. can logs be sent to an external SIEM solution such as Splunk)?

We have comprehensive logging and auditing as part of our platform (all stored in CloudWatch); however, user activity auditing is currently only supported for editors and administrators, and hence is not made available to customers.

Storage

Can you provide documented high availability and disaster recovery capabilities and procedures?

We maintain complete snapshots of all our applications on a daily basis. Our edge caching system also provides availability of stale data when there are issues at the origin. We currently have as part of our roadmap plans to incorporate multi-availability for higher availability.

Can you provide a data eradication guarantee?

We currently do not provide a data eradication guarantee, but the platform is highly resilient to data destruction, with all our data replicated across several availability zones, on top of which we have regular backups.

What level of database and/or data backups do you perform?

We maintain complete snapshots of all our applications on a daily basis.

Are the backups saved to geographically separate locations? If so, how many and where?

No, currently only one location is supported.

Do you offer a data archiving option? If so, what?

We have data archiving for our platform, but it doesn’t really apply to customer data as we don’t store any in our platform.

What is the defined SLA regarding recovering data from backup?

There is no SLA for this as we don’t store any customer data.

Do you adhere to DoD 5220.22-M or NIST SP 800-88 for data sanitisation on retirement of storage devices?

Currently not.

Do you have defined storage limits? If yes, can they be surpassed without impacting service delivery if required?

As far as data uploaded by the users, there is no storage limit.

Where are your data centers located?

Sydney. However, with multi-availability zones in our roadmap we will likely introduce new locations.

Is there support for bulk data import and export / extraction to / from service(s) in a non-proprietary format?

There is, but we do not provide a customer interface for this. Depending on the use case this can be provided on demand.

Can customers choose the data centre(s) based on location?

No.

Networks

Do you utilise private network connectivity between all provider data centres?

Yes.

What are the required customer firewall considerations (e.g. ports and protocols)?

Our platform is internet accessible so it needs to be accessible via port 80.

Do you conduct annual tests of average performance and latency of the service?

We constantly monitor performance and latency (daily). We can perform more complex performance tests on an ad-hoc basis.

What is your approach to capacity planning?

Capacity planning is largely handled by our use of cloud infrastructure and autoscaling, as we can scale up and down as required, driven by constant automated health checks.

Service Levels and SLAs

What is the provided service uptime guarantee (e.g. 99.9%, 99.99% etc.)?

The only uptime SLA we currently have is provided by our infrastructure and is 99.5%.

Does downtime calculation start immediately when service is unavailable or degraded?

Yes, but only at the infrastructure level.

Is scheduled maintenance limited and communicated in advance?

Only when it involves significant user impact (e.g. anything longer than 5-10 mins).

What is the defined SLA that protects customers against data loss and data integrity issues?

We do not store any customer data.

What is the defined SLA for Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for the service(s)?

We do not have a designated SLA for this, however, we aim for an RPO of 2h and RTO of 1h. This however only applies for Prosple content as there is no impact on any customer data.

What is the notification window for customer to submit SLA breach claims?

We do not currently provide any SLAs.

Do the ownership rights to data, inputs and outputs remain with the customer?

As we don’t store any customer data, all data is either owned by Prosple or the student.

Do you offer publicly accessible and downloadable terms of service?

Yes.

What level of compliance with WCAG 2.0 do you meet and which assistive technology do you test your service with?

No WCAG 2.0 compliance is currently enforced.

If selected, are you willing to undergo an independent accessibility audit?

Yes.

Support

Do you provide a dashboard of service health and SLA status?

Yes, we have a status page available for this purpose.

Is there a live-human-support offering?

Yes.

Is there online self-service support that is free or included with standard service?

No.

Do you provide an incident management system for identifying, submitting and tracking service incidents?

Yes.

Do you follow documented change management, incident prioritisation procedures and incident response plans?

Yes.

Do you provide migration support to and from service(s)?

Where applicable we might do this on a per case basis.

Do you provide documented support for third-party application integration?

No.

Do you provide sandbox / QA environments?

Yes, but only during onboarding and provisioning.

Do you offer professional services for implementation, support and deployment?

These can be provided upon request.

Can the customer control the application of patches, upgrades and changes to the service?

No, this process is standardised across the entire platform.

Do you offer an assigned support manager and account representative?

Yes.

Can you provide at least six months of service health history?

Yes.