Teachable cares deeply about the security and privacy of the data you entrust us with, and we understand that our information security practices are important to you. We endeavor to meet all applicable legal requirements for security measures, including GDPR and CCPA.
While we can’t reveal all the details of our practices, we feel it’s important to be as transparent as possible without giving a playbook to the people we’re protecting ourselves against. Below you will find some general information about how we implement our security and privacy safeguards.
Technical Security Measures
Teachable employs a range of technical security measures to protect its systems, including:
- Servers and network traffic are monitored by industry-standard tools to detect and respond to any potential security breaches.
- Teachable runs on Amazon Web Services’ (AWS) infrastructure, using best-in-class instrumentation tools that continuously monitor the infrastructure to detect signs of a potential compromise.
- TLS encryption is part of the standard security architecture at Teachable. Core transport services require encryption, such as SSH or HTTPS, to exchange information.
- Encryption technology is used to provide security for online user authentication and administrator sessions.
- Remote data access to production environments or our internal staff application requires a link to the company’s intranet or a connection via a VPN which is subject to a dual authentication mechanism.
- Changes to the infrastructure and back-end environment, including changes to security tools, follow a Software Development Lifecycle (SDLC) that defines coding and release processes.
- All committed code changes are reviewed by an individual who is different from the developer and are tested prior to commit to production.
- To prevent unauthorized access, Teachable uses unified identity management, two-factor authentication, strong passwords, and periodic reviews of access lists to ensure that data is used only as intended.
- Authorized access to internal support tools is controlled by means of a VPN, in addition to a user system requiring a unique, long password.
- All employees that have access to live production infrastructure and applications are required to authenticate with two-factor authentication.
- Unique personnel IDs are used to authenticate to systems.
- Passwords are configured to enforce password length and complexity.
- Login history and failures are tracked.
Teachable takes the following actions to ensure that the parties authorized to use a data processing system only have access to the data for which they have been specifically cleared, and that stored data or data being processed cannot be read, copied, changed or removed:
- Authorization for Teachable services and internal applications is enforced at all times and at all levels of a given system, with access rights being granted or processed on the basis of the personnel member’s job responsibilities / need-to-know, which is provided via workflow tools.
- Access to production systems is restricted to trained and specifically authorized personnel members. Such access is revoked in the event of an individual’s dismissal or termination of employment. All members of the team with access to production systems may access production solely behind a two-factor authenticated session.
- Teachable uses a centralized logging system. Access to the logging system is restricted to authorized personnel and the logs are protected from modification and deletion by non-admin personnel.
Administrative Security Measures
- Strict policies are in place to address and limit access to our systems. For certain data access tools, tool owners authorize the nature and extent of access privileges prior to granting access. The procedures for requesting and generating certificates to access data for development and production are documented.
- Teachable employees are required to complete security training as part of their onboarding.
- Teachable’s engineering team conducts company-wide security awareness activities to reinforce information security practices and policies.
- Teachable has in place a security incident response process to respond to security issues and concerns.
Physical Security Measures
Among other measures, Teachable takes the following actions to prevent unauthorized access to personal information:
- Physical access to Teachable’s facilities is restricted behind keycard access and our building is monitored 24/7.
- All individuals must identify themselves to security personnel in order to be admitted to the Teachable offices during business hours and must have a valid employee badge to access outside of business hours.
- There are documented processes in place for the issuance of Teachable building access badges; the possession as well as the return of such badges is tracked and verified.
- Only authorized Teachable visitors and building staff are granted access to the premises.
If you come across a vulnerability in the Teachable Platform, please email firstname.lastname@example.org instead of sharing it publicly. Teachable takes proactive steps to stay ahead of emerging security threats, and appreciates your cooperation in maintaining the security of our Platform.
If you believe the security of your account has been compromised or are seeing suspicious activity in your account, you should change your password immediately and contact email@example.com with any concerns.