Classlist Security overview
Last updated on April 2017
Classlist users trust us with their personal information and with community posts, messages and other data. That trust is based upon us keeping this material private and secure. The information below provides transparency about how we protect that data. We will continue to update this regularly as we add new security capabilities and improvements. Here is a link to our recent Government Approved Cyber Essentials Certification.
Classlist put in place a completely new security strategy in summer 2016, moving our entire platform and data to a state of the art cloud environment operated by one of the world’s largest providers. This ISO 27001 certified provider has a team of over 500 people dedicated entirely to security, who constantly monitor the data centre facilities used by Classlist for product security, infrastructure control (physical and logical) and intrusion detection. We routinely conduct security audits with ISO 27001 certified security experts. All data is fully encrypted and backed up in multiple locations. Classlist uses industry standard encryption to protect your data whilst in transit.
Classlist’s codebase is entirely written in the UK with no outsourcing to software developers or third party teams based in other countries. Our operations are entirely managed and executed within the UK. Our operational model has no requirement for any data or code interrogation by IT practitioners based outside the UK. We offer an extremely limited set of links to third party applications. These are restricted to industry-leading players such as Paypal who themselves offer very high levels of user security.
In addition to investing in top-of- the-line data security, we make stringent efforts to identify and authenticate all Classlist users before their registration is approved. Classlist school leads, class reps, and school authorities all collaborate in this. Once registered, there are tight restrictions on the information which each user is entitled to access.
Where users behave in a manner which could compromise site security they can be blocked. Classlist is a trust-based community, with any member able to report security concerns using our Help button and get feedback within minutes. If any school or other user has safeguarding concerns regarding any aspect of Classlist’s operations they make direct contact with our Safeguarding Officer, who is authorised to take immediate action.
Network and Account Security
Classlist controls which services we expose to the Internet, and segment our production network from the rest of our computing infrastructure. We limit who has access to our production infrastructure based on business needs. We never store your password in plaintext. We request and retain your telephone number to provide a two-step verification process should this be required.
To protect you from malicious content, we scan all email we receive using a commercial anti-virus scanning engine. When you receive an email from Classlist, we take special measures to ensure it really came from us, including cryptographically signing every email from @classlist.com. We also test our outgoing emails against spam checkers to minimise the risk of your device incorrectly placing any Classlist email in junk.
Management of our Internet-facing web service is critically important to protecting your data. Our entire codebase is custom written by our in-house IT team and is regularly reviewed. Third party client applications are authenticated using token based systems meaning no third party application ever has access to your username and password.
Classlist’s infrastructure is multi-tenant and not segmented. Your data may be held on the same server as another user’s data. We consider your data private and do not permit another user to access it unless you explicitly share it.
Data and Media Disposal and Destruction
Classlist retains your content unless you explicitly ask us to remove it. Deactivating a personal account does not automatically remove content. We keep a record of deactivations and other related data to prevent fraudulent applications. We never repurpose storage media for use outside our production environment if it has ever been used to store user data. We have procedures to securely destroy storage media.
Customer Account Access & Activity Logging
Classlist customer service and platform administration teams need access to customer data to resolve customer issues. We limit this based on business need and periodically review employee access to customer accounts to minimize the need for such access.
The Classlist service performs server-side logging of client interactions, including web server access logging; actions taken through our API, and successful and unsuccessful login events.
Classlist uses industry standard encryption to protect your data in transit, commonly referred to as secure socket layer (“SSL”) technology. We support a mix of cipher suites and standard transport protocols to provide a balance of strong encryption for browsers and clients that support it and backward compatibility for legacy clients which require this.
We support TLS for both inbound and outbound email. If your mail service provider supports TLS, your email will be encrypted in transit, both to and from the Classlist service.
Resiliency / Availability & Backup
Classlist operates a fault tolerant system and network architecture to ensure availability when you need it, wherever you may be. This includes diverse and redundant Internet connections; redundant network infrastructure including switches, routers, load balancers, and firewalls; redundant servers providing hot standby capabilities, and servers engineered with redundant power, redundant network hardware, and storage deployed in a RAID configuration. Data centres hosting Classlist utilise fault tolerant facility services including power, HVAC, and fire suppression. We back up all customer content at least once daily and replicate those backups, ensuring that we can recover from a complete site failure in any one data centre facility. We do not utilize portable or removable media for backups.
Your data is stored in servers in highly secure data center facilities staffed and monitored 24x7x365. All Classlist data resides inside the European Union. Access to each data center requires at a minimum, two-factors of authentication, and may include biometrics.