V1.3. 4 June 2018
The purpose of this document is to outline the Cloud Security profile of Skylab (Cognadev’s assessment delivery platform) and the Online CPP (HTML5). Cognadev collects and stores personal, sensitive information (from individuals and companies) and we are aware of the importance of keeping this information secure. Cognadev takes measures to ensure information is stored securely. These measures are detailed in this document.
*When accessing our systems in Russia, different processes are put in place. Therefore, this document does not apply to Russia.
Skylab is the platform designed to manage nominations, reports and credits for assessments developed by Cognadev and external companies as a service. It is hosted in Microsoft Azure – North Europe (Ireland) and partly in West Europe (the Netherlands). Each client’s data is stored and separated using a forced relational database based on customer key, which ensures that a client only has access to their own data. Our data centres provide power, network, hardware redundancy and backup services. Cognadev maintains security settings, application software, general settings and the user data stored.
Skylab and the Online CPP are currently dependent on the uptime of Microsoft Azure – North Europe and West Europe. The status of Microsoft Azure is publicly available here.
1.3. Data storage
Azure cloud / virtual servers. Redundancy and backup services are maintained by Azure. Local redundancy has not been configured, but will be when Azure becomes available in South Africa or other high-priority regions identified by Cognadev.
1.4. People and access
The Cognadev support team (email@example.com) is added automatically to each Skylab account for maintenance, support or to check performance. The support team accesses Skylab accounts when there is a technical problem or query. Within Cognadev, only authorised personnel have access to application or personal data. Skylab is designed so that candidate reports are only accessible to specific users on a company account. Users are responsible for maintaining the security of their own login information and informing Cognadev if their credentials may have been compromised.
1.5. Security and testing
Third-party security testing has been performed by SensePost. The penetration testing performed did not gain access to any database.
1.6. Encryption and password
TLS 1.2 and ECDHE_RSA with X25519 are used on the Online CPP and all Skylab sites. The Online CPP uses AES_256_GCM and Skylab uses AES_256_CBC with HMAC-SHA1. Some of these settings are updated by Azure automatically. Skylab passwords are encrypted and not accessible to Cognadev. Data is encrypted in transit, at rest, and when backed up.
Backups, as managed by Azure, are real-time.
1.8. Breach notification
In the event of a confirmed security breach that gains access to the private information of assessment candidates and is likely to result in a risk to the rights and freedoms of natural persons, Cognadev will endeavour to identify the data that has been accessed and, in turn, notify those candidates or consultants whose data confidentiality may have been compromised. For candidates, we will communicate the breach using the email address entered on the candidate site. For consultants, we will use the business address and email given when opening the account. Cognadev will use the stored IP address (the IP used to access the assessments on the candidate site) to identify and adhere to localised laws. The communication (to candidates and consultants) will occur, where feasible, within 72 hours of Cognadev becoming aware of the breach.
1.9. Other Information
Analytics and IP addresses
Upon nomination by a consultant, the following information is requested by Skylab – Consultant:
Information requested from the candidate by Skylab – Candidate:
Specific assessments may request specific information required for that assessment. Please send us a request if you require this information. Cognadev stores candidate results so that they are available should the candidate request them in future. Cognadev does not allow the obfuscation of personally identifying information in the system.
Records of information access
Azure keeps a detailed activity log of Skylab – CRUD events as well as access and database schema modification. We keep a record of current and previous access to data. CPP transactions are logged in detail based on origination and user details.
1.10. Further information
We have separate documents stating our position on selected localised privacy laws. These are available on request.
More information can be obtained from:
• Cognadev PAIA Manual (applicable to South African legislation): https://www.cognadev.com/paia-manual/
• Skylab Consultant Terms and Conditions: https://consultant.cognadev.com/TermsAndConditions.html
• Online CPP Agreement (Confidentiality): https://live.cognadev.com/cpp/agreement.html
• More information can be requested by emailing firstname.lastname@example.org