Visible Body seeks to maintain high technical, security, and compliance standards. These Frequently Asked Questions come to us from educational institutions interested in subscribing to our web-based, Site License and Courseware products. Answers detail our current standards. There is also a list at the end of the page of requests from institutions that we have in some stage of planning.
Do you have a dedicated information security function?
Visible Body utilizes a third-party intrusion detection system that routinely scans for vulnerabilities and intrusions. Vulnerabilities are patched as discovered, depending on severity. Employees are trained on FERPA compliance and best practices for security. Visible Body has a comprehensive Incident Response Plan including notification of affected parties.
What types of data do you need access to? Is any of my data accessed or transmitted outside of the United States?
Users input their own data; Visible Body does not need to access any data in your databases.
Data Entities and Data Elements Required
Who at Visible Body’s premises can see our data and what internal controls does the provider have in place to prevent unauthorized viewing, copying or emailing of customer information?
Only employees who need access to perform their job functions have access to the data. Employees are trained annually on student and customer data privacy.
Where will you store or host my data (e.g., on-premise vs cloud)? Will all of my data be stored within the United States?
Data at rest is secured and encrypted on an Amazon Web Services (AWS) relational database instance. Data in transit is encrypted with HTTPS. All student data is stored within the US.
Where is the Visible Body Courseware product hosted?
Visible Body Courseware is hosted by Amazon Web Services in the Eastern United States.
Where does Visible Body store my credit card information?
Our sites and applications do not process or store credit card information. Student subscriptions purchased on our website are processed by Fastspring (an outside company and site). Fastspring meets the Payment Card Industry Data Security Standard (PCI DSS).
Do you need to connect to our network for performing your services?
Users inside your school network will need to connect to our site on AWS to access the product. We do not otherwise need access to the school network.
Who is responsible for the maintenance and management of the system?
Visible Body is responsible for maintenance and management. Support is available by submitting a ticket or emailing email@example.com.
Do you maintain cyber liability insurance in addition to general liability insurance?
Yes, we maintain cyber liability coverage with a limit of $1,000,000.
How is user authentication handled?
Authentication is via username and password. Access control is performed at the role and user level to determine what information a user is able to access and interact with.
How do you separate one customer’s data from another’s?
All customer data is identified by a customer ID but is stored in the same database on AWS.
What is Visible Body’s data-at-rest and data-in-motion protection.
The encryption standard for data-in-motion is TLS 1.2. The encryption used for data-at-rest is bcrypt.
How are failed data storage devices and end-of-life hardware disposed of?
All data is stored in the cloud at AWS, server disposal is handled by Amazon.
How is data destroyed after it is released by a customer? (Compliance with Department of Defense 5220.22-M or NIST 800-88?)
At customer request, data will be deleted from the database. Visible Body does not retain backups of personal information for more than 90 days.
What virus detection methods and software does Visible Body use?
All files uploaded to the application are scanned for viruses using AWS-S3-Virusscan and ClamAV.
How does Visible Body ensure that access to sensitive data or data protected by law across a public connection is encrypted with a secured connection and requires user authentication?
All connections occur over HTTPS and the user must log in with a password to view sensitive data.
Can Visible Body accommodate our request to allow for a site visit for a security audit, given 48 hours notice?
Visible Body’s offices are currently closed due to the COVID-19 pandemic. Once our offices, reopen, we can accommodate a site visit to Visible Body's office, but not Amazon Web Service's datacenter.
What happens to customer data after the business relationship is terminated?
If the business relationship is terminated, Visible Body can return or destroy customer data at customer's request.
What are the endpoint devices that connect to the application (PC, laptop, mobile, medical device, etc.)?
The Courseware Gradebook and web apps are accessible via web browser on Windows or Mac. Included mobile apps are accessible on iOS or Android.
How many users can be accommodated and how many endpoint devices? Who are the users of this app?
Courseware has been tested with up to 10,000 concurrent simulated users. Courseware is hosted on AWS, which provides a robust and scalable infrastructure to accommodate sudden increases in usage. End users are instructors and students.
What web browsers are supported? Are any add-ons required?
Site licenses and Courseware are Web-delivered. Chrome, Firefox, and Safari (v11 or later) are supported. No add-ons are required. Details are in the support articles for each product.
What are the system requirements for Courseware?
You can find all our system requirements in this support article: https://support.visiblebody.com/hc/en-us/articles/360000992994-System-Requirements-for-Courseware
Is a printer required for using Courseware?
Printing is not required.
What network ports are used for client to server and server to server communications?
Client to server communication uses port 443. Server to server communication uses port 3306.
Are there other data exchange mechanisms (batch load, data import, etc)?
CSV batch export is available in Courseware to support uploading to LMS.
What are the network bandwidth requirements?
Recommended: 30 Mbps download via HTTPS. You can see these details in the system requirements support articles for each site license product.
Visible Body is in constant conversation with customers to communicate and enhance technical, security, and compliance standards. Here are some requests we have received and do not yet provide:
- IPv6 addressing
- Infrastructure that physically or logically segments user's data
- Multi-factor authentication
- SAML 2.0 for federated authentication
- Support for SSO
- A formal written Information Security Policies document
- Penetration testing
- Real-time interfaces with other applications
- Authoritative third party certification of secure gateway environment
- Documentation of customer data ownership
- We conduct extensive internal testing and security assessments, but we have not yet conducted third-party external Information Security assessments.