Technical FAQ

This article covers the common questions we get asked by security and IT departments when implementing a new career directory. Please refer here for any technical and security questions. If you have a question that isn’t addressed below, please reach out and we’ll answer that too.

Identity and Users

Is there a web interface to administer user accounts?

A: For Prosple product tiers that involve user authentication with external Identity Providers, all user management is done on the partner side, in the Identity Provider. Secondary profile information is stored with Prosple and there is no interface to manage this data.

For partners wishing to store users (and credentials) in the Prosple platform all user administration is managed by Prosple.

Can directory synchronisation (e.g. Active Directory) be used to manage users?

A: Yes. Prosple integrates with Active Directory (AD) using the Lightweight Directory Access Protocol (LDAP) through an Active Directory/LDAP connector that you install on your network.

Is there a delegated user administration option?

A: Yes. We achieve this by integrating with the partner's IdP, which delegates user authentication, and therefore user administration, to the partner.

Do you support standards-based federation and authentication (e.g. SAML, Shibboleth, SCIM, SPML, OAuth, WS-Federation, OpenID)?

A: Yes, we support SAML, OpenID, Google G Suite, Microsoft Azure AD, ADFS, Active Directory / LDAP and Ping Federate.

Is there support for role-based access permissions?

A: No. All users of the portal (students) have the same level of access. No administrative functions are required, so no admin accounts are provided to partners.

Can granular authorisation rules be defined (e.g. those reflecting the organisational structure in addition to specific permissions and access levels)?

A: We currently only have user authentication for students, which all have the same level of access.

Is there a batch user import interface?

A: For partners wishing to store users (and credentials) in the Prosple platform batch user import is supported. Otherwise, given users are stored in the partner Identity Provider this is not applicable.

Can users be managed using a stable and documented API?

A: This is not required, as we integrate directly with the partner's identity system.

Is there support for externalised authorisation management (e.g. entitlement verification via on-premise systems)?

A: This is not supported. While authentication can be externalised, authorisation is handled within the Prosple platform.

Integrations

Do you provide APIs and Web services to push and pull data?

A: We provide RSS feeds to pull some data (jobs, content), but no interface to push data. REST APIs for pulling data are on our roadmap and can potentially be prioritised on a case-by-case basis.

Is there a published API and / or Web Services catalogue?

A: All current APIs (with the exception of the RSS feeds) are internal to Prosple. Public REST/GraphQL APIs are on the roadmap and can potentially be prioritised on a case-by-case basis. These will be fully documented.

Do you support hybrid deployment and integration models (integrations with on-premises infrastructure or enterprise systems across the required touchpoints)?

A: No. With the exception of authentication, which can be delegated to partner systems, all other components of the platform are cloud based.

Do you support direct access to the underlying database for the purpose of customer defined reporting or extraction for loading into the customers own data warehouse?

A: We do not support direct access to our database. However, we can arrange customised reporting on certain dimensions on demand.

Do you provide integration support and developer assistance resources (e.g. SDKs including command line interfaces, wrappers for programmatic interfaces, an online developer centre or portal)?

A: We can provide this for the currently supported integrations, which are restricted to authentication.

Do you provide connectors for common integration platforms (e.g. Oracle SOA)?

A: Currently no integrations other than authentication are supported. Other integrations are on our roadmap (e.g. application data sent directly to CRMs such as Oracle or Salesforce).

What mechanisms are supported (ODBC, API, XML, etc.) to allow customer access to data such that it can be extracted and used for reporting (data warehouse usecases) purposes.

A: All data is currently provided by Prosple via predefined reports and Google Analytics access. These can be tailored to the partner's needs.

Are there any costs associated with accessing customer data either directly (e.g. ODBC) or via the provided API’s / Web Services?

A: All data is currently provided by Prosple via predefined reports and Google Analytics access. Standard reports have no additional cost. Customised reporting may involve additional costs depending on complexity.

Is there a professional developer / certification program?

No.

Management

Do you provide a web-based service management console for customers to manage their data?

No.

What level of health monitoring is provided to customers (e.g. real-time thresholds and alerts, online health dashboard)?

A: Our current monitoring stack, including real-time thresholds, alerts and online health dashboards, runs in Prosple's New Relic account and is not accessible to customers. Some basic alarms (such as uptime monitors) can be configured for clients on request.

Do you provide usage and data tracking tools?

Yes, we provide access to a Google Analytics dashboard for the directory provided to the partner.

Can the solution be scaled (horizontally / vertically) in an automated rapid manner?

A: Scaling is not currently automated, although the platform is very closely monitored so that we can scale it proactively before issues arise. The API that powers the websites has robust caching layers and sits behind a CDN, which mitigates several load-related issues. Autoscaling, including multi-zone availability and horizontal and vertical scaling, is on the roadmap.

Is there a performance-monitoring service that supports customer-defined monitoring metrics?

No.

Are service interfaces and management consoles resilient to local infrastructure failures?

No management consoles are currently provided to partners.

Do you support customer-defined real-time thresholds and alerts (e.g. e-mail, SMS)?

For partners we only support this for uptime monitoring.

Do you perform change management logging with six or more months of history?

A: We store access, error and audit-trail logs securely in our platform with more than six months' retention; however, these are not provided to partners.

Is there a performance-monitoring service that supports predefined action events?

Yes, New Relic.

Security

Are you ISO27001 (Information Security) certified? If yes, please provide a copy of the certification, scope, statement of applicability and any outstanding improvement plans.

No.

Are you ISO22301 (Business Continuity Management) certified? If yes, please provide a copy of the certification, scope, statement of applicability and any outstanding improvement plans.

No.

Within the context of processing Financial Information, do you have a Third Party Memorandum (TPM)? If yes, please provide a copy of the TPM and accompanying audit framework.

No.

Do you adhere to any international reporting standards as it relates to TPM (e.g. ISAE3402 Type-2, SOX, SSAE16/SOC Type-2)?

A: Prosple itself is not audited against these standards. Our hosting provider, Amazon Web Services (AWS), holds a SOC 2 Type 2 report covering Security and Availability for the infrastructure we run on. This covers the infrastructure layer only, not the Prosple application.

Are your TPM controls tested annually on operational effectiveness and over what period (e.g. for 10 consecutive months)?

No.

Are you PCI-DSS compliant? If so, please provide a valid PCI-DSS attestation of compliance.

No.

Are you ISO/IEC 27017 (Cloud Security) certified? If yes, please provide a copy of the certification, scope, statement of applicability and any outstanding improvement plans.

No.

Are you ISO/IEC 27018 (Cloud Privacy) certified? If yes, please provide a copy of the certification, scope, statement of applicability and any outstanding improvement plans.

No.

Do you have a data breach disclosure/notification process? If yes, please provide a copy.

A: We will report any unlawful data breach of this website's database, or of the database(s) of our third-party data processors, to all relevant persons and authorities within 72 hours of the breach if it is reasonably apparent that personal information stored in an identifiable manner has been accessed. Should you have any complaint about a breach, or about the way in which we handle a breach, please contact us.

Are you HIPAA compliant? If so, please provide relevant documentation.

No.

Do you have published employee (and supplier) screening and hiring practices for employee’s who may have access to Customer data and user information?

No.

Do you provide privacy, Information Security and business continuity education (awareness) to your staff and suppliers? And how often is this renewed?

No.

Do you provide customer-configurable Data Loss Prevention capabilities (e.g. preventing storage and dissemination of specific data attributes)?

No.

Do you conduct regular application layer vulnerability scans?

No.

Do you conduct regular network and operating system penetration tests?

No.

Do you have intrusion prevention and detection capabilities?

A: Prosple can detect anomalies and stop malicious attempts to access your application. Anomaly detection can alert you and your users to suspicious activity, as well as block further login attempts. This functionality is available as a paid add-on and is not available in lower tiers that do not involve authentication.
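The blocking behaviour described above (detect a burst of failed logins, alert, then refuse further attempts for a while) is easy to reason about with a concrete detector in hand. The following is an added illustrative example, not Prosple's implementation: it keys failures on both the username and the source IP, so it catches password guessing against one account as well as credential stuffing spread thinly across many accounts from one address. The log format, the sample log lines and the thresholds (5 failures in 5 minutes, 15-minute lockout) are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real Prosple data). Assumed line format:
# "<ISO-8601 UTC timestamp> <username> <source IP> <OK|FAIL>"
SAMPLE_LOG = """\
2024-03-01T09:00:01Z alice 203.0.113.10 FAIL
2024-03-01T09:00:02Z alice 203.0.113.10 FAIL
2024-03-01T09:00:03Z alice 203.0.113.10 FAIL
2024-03-01T09:00:04Z alice 203.0.113.10 FAIL
2024-03-01T09:00:05Z alice 203.0.113.10 FAIL
2024-03-01T09:00:06Z alice 203.0.113.10 OK
2024-03-01T09:01:00Z bob 198.51.100.7 OK
2024-03-01T09:05:00Z carol 192.0.2.5 FAIL
2024-03-01T09:05:01Z dave 192.0.2.5 FAIL
2024-03-01T09:05:02Z erin 192.0.2.5 FAIL
2024-03-01T09:05:03Z frank 192.0.2.5 FAIL
2024-03-01T09:05:04Z grace 192.0.2.5 FAIL
2024-03-01T09:05:10Z heidi 192.0.2.5 OK
2024-03-01T09:16:00Z alice 203.0.113.10 OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<result>OK|FAIL)$")


def parse_line(line):
    """Parse one log line into (timestamp, user, ip, result)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["ip"], m["result"]


class LoginAnomalyDetector:
    """Sliding-window failed-login detector keyed on both username and source IP.

    Keying on the username catches password guessing against one account;
    keying on the IP catches credential stuffing that spreads a few attempts
    over many accounts. Thresholds are illustrative assumptions.
    """

    def __init__(self, max_failures=5, window=timedelta(minutes=5),
                 lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._blocked_until = {}             # key -> datetime when the lockout ends
        self.alerts = []                     # (timestamp, key, failure_count)

    def _is_blocked(self, key, ts):
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if ts < until:
            return True
        # Lockout has expired: forget the old failures so the key starts clean.
        del self._blocked_until[key]
        self._failures[key].clear()
        return False

    def observe(self, ts, user, ip, result):
        """Return 'allow', 'deny' or 'blocked' for one login attempt."""
        keys = (("user", user), ("ip", ip))
        # Attempts during a lockout are refused even if the password is right.
        if any(self._is_blocked(k, ts) for k in keys):
            return "blocked"
        if result == "OK":
            # A genuine login resets the account's counter, but not the IP's:
            # one valid login must not launder a stuffing campaign from that IP.
            self._failures[("user", user)].clear()
            return "allow"
        decision = "deny"
        for key in keys:
            recent = self._failures[key]
            recent.append(ts)
            while recent and ts - recent[0] > self.window:
                recent.popleft()
            if len(recent) >= self.max_failures:
                self._blocked_until[key] = ts + self.lockout
                self.alerts.append((ts, key, len(recent)))
                decision = "blocked"
        return decision


def analyse(log_text, **kwargs):
    """Run the detector over a log and return (decisions, alerts)."""
    detector = LoginAnomalyDetector(**kwargs)
    decisions = [detector.observe(*parse_line(line))
                 for line in log_text.splitlines() if line.strip()]
    return decisions, detector.alerts


if __name__ == "__main__":
    decisions, alerts = analyse(SAMPLE_LOG)
    for line, decision in zip(SAMPLE_LOG.splitlines(), decisions):
        print(f"{decision:8} {line}")
    for ts, key, count in alerts:
        print(f"ALERT {ts.isoformat()} {key[0]}={key[1]} {count} failures in window")
```

Two details matter for a real deployment. A successful login must not clear the per-IP counter, otherwise an attacker who knows one valid credential can reset the stuffing detector at will; and the lockout must apply to correct passwords too, which is the whole point of blocking further attempts rather than merely alerting. The per-user lockout also creates a denial-of-service lever against a known username, which is why production systems usually pair it with per-IP limits and a CAPTCHA or step-up step rather than a hard lock alone.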

Do you perform proactive auditing and notification of incidents of inappropriate management activity?

A: Yes. Should any inappropriate management activity be detected, the incident will be reported to the affected parties within 72 hours.

Do you provide support for data encryption, both at rest and in transit? If so, what standards do you adhere to?

A: Yes. Data in transit is protected with TLS, and data at rest is stored on encrypted disks.

When encryption is used, who owns and manages the related encryption keys?

Prosple.

How often do you review and test your Business Continuity Plan’s?

We don’t currently have Business Continuity Plans.

Do you offer investigation support in the event of a data breach or compromise that relates to customer users or data?

A: Yes. Prosple can assist, within its capacity, in the event of a data breach or compromise.

Do you offer investigation support to a mutually agreed third party in the event of a data breach or compromise that relates to customer users or data?

A: Yes. Prosple can assist, within its capacity, in the event of a data breach or compromise.

What level of Information Security reporting, as it relates to privacy controls and business continuity, do you provide?

Currently not provided.

Is Information Security reporting a standard inclusion within any Service Management reports provided to the customer? If so, what reporting is provided and at what frequency?

No.

Are there multitenant controls for separation of users/data within the service?

Yes.

Do you utilise configurable content hygiene controls (e.g. anti-spam, anti-virus)? If so, please provide reporting examples.

No.

Can user activity audit logs be made available to customers? If so, what mechanisms are supported (e.g. can logs be sent to an external SIEM solution such as Splunk)?

This is not currently available for partners.

What physical security is protecting the data centers and facilities that will house client data and information?

A: Our platform is hosted on Amazon Web Services (AWS), so physical security of the data centres is AWS's responsibility. We do not store partner (client) data on our side beyond the student profile data described under Identity and Users.

Have systems been developed using a structured, secure and approved system development methodology? (please provide details on the used methodology and specify how you embedded the privacy-by-default, least-privileges or RBAC and information-security-by-design principles)

No.

Storage

Can you provide documented high availability and disaster recovery capabilities and procedures?

A: We take complete snapshots of all our applications daily. Our edge caching system also serves stale data when there are issues at the origin. Multi-availability-zone deployment for higher availability is on our roadmap.

Can you provide a data eradication guarantee?

No.

What level of database and/or data backups do you perform?

We maintain complete snapshots of all our applications on a daily basis.

Are the backups saved to a geographically separate locations? If so, how many and where?

No, currently only one location is supported.

Do you offer a data archiving option? If so, what?

A: We have data archiving for our platform, but it does not apply to customer data, as we do not store any in our platform.

What is the defined SLA regarding recovering data from backup?

There is no SLA for this as we don’t store any customer data.

Do you adhere to DoD 5220.22-M or NIST SP 800-88 for data sanitisation on retirement of storage devices?

No.

Do you have defined storage limits? If yes, can they be surpassed without impacting service delivery if required?

As far as data uploaded by the users, there is no storage limit.

Where are your data centres located?

A: Sydney. With multi-availability-zone deployment on our roadmap, we will likely introduce new locations. This has no impact on customer data, as we do not store any.

Is there support for bulk data import and export / extraction to / from service(s) in a non-proprietary format?

There is, but we do not provide a customer interface for this. Depending on the use case this can be provided on demand.

Can customers choose the data centre(s) based on location?

No.

Is there an additional archive / e-discovery as a service offering?

Networks

Do you utilise private network connectivity between all provider data centres?

Yes.

What are the required customer firewall considerations (e.g. ports and protocols)?

A: No inbound rules are required on the customer side. Our platform is internet accessible, so clients need outbound access to it over HTTP (TCP port 80) and HTTPS (TCP port 443); the latter is required because TLS is used for data in transit.

Do you conduct annual tests of average performance and latency of the service?

A: We monitor performance and latency continuously (daily). More complex performance tests can be performed on an ad hoc basis.

What is your approach to capacity planning?

A: Capacity planning is largely mitigated by the use of cloud infrastructure: we can scale up and down as requirements change, guided by constant automated health checks. Scaling itself is not yet automated; autoscaling is on the roadmap.

Service Levels and SLAs

What is the provided service uptime guarantee (e.g. 99.9%, 99.99% etc.)?

A: The only uptime SLA we currently have is the one provided by our infrastructure provider, which is 99.5%.

Does downtime calculation start immediately when service is unavailable or degraded?

Yes, but only at the infrastructure level.

Is scheduled maintenance limited and communicated in advance?

A: Only when it involves significant user impact (e.g. anything longer than 5 to 10 minutes).

What is the defined SLA that protects customers against data loss and data integrity issues?

We do not store any customer data.

What is the defined SLA for Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for the service(s)?

A: We do not have a designated SLA for this; however, we aim for an RPO of 2 hours and an RTO of 1 hour. This applies only to Prosple content, as no customer data is affected.

Do you offer service credits / refunds for outages and do limits apply?

No.

What is the notification window for customer to submit SLA breach claims?

A: We do not currently provide SLAs of our own (the 99.5% uptime figure above is our infrastructure provider's), so there is no claims process.

Do the ownership rights to data, inputs and outputs remain with the customer?

A: As we do not store any customer data, all data is owned either by Prosple or by the student.

Do you offer publicly accessible and downloadable terms of service?

Yes

What level of compliance with WCAG 2.0 do you meet and which assistive technology do you test your service with?

No WCAG 2.0 compliance is currently enforced.

If selected, are you willing to undergo an independent accessibility audit?

Yes

Support

Do you provide a dashboard of service health and SLA status?

No.

Is there a live-human-support offering?

Yes.

Is there online self-service support that is free or included with standard service?

No.

Do you provide an incident management system for identifying, submitting and tracking service incidents?

No.

Do you follow documented change management, incident prioritisation procedures and incident response plans?

No.

Do you provide migration support to and from service(s)?

Not applicable as we don’t store any customer data.

Do you provide documented support for third-party application integration?

No.

Do you provide sandbox / QA environments?

A: Yes, but only during onboarding and provisioning.

Do you offer professional services for implementation, support and deployment?

These can be provided upon request.

Can the customer control the application of patches, upgrades and changes to the service?

No.

Do you offer an assigned support manager and account representative?

Yes.

Can you provide at least six months of service health history?

No.