Visible Body seeks to maintain high technical, security, and compliance standards. These Frequently Asked Questions come to us from educational institutions interested in subscribing to our VB Suite and Courseware products. Answers detail our current standards. There is also a list at the end of the page of requests from institutions that we have in some stage of planning. For access to our HECVAT form, please ask your sales rep.
Security
What information security measures do you have in place?
Visible Body utilizes a third-party intrusion detection system that routinely scans for vulnerabilities and intrusions. Vulnerabilities are patched as discovered, depending on severity. Employees are trained on best practices for security. Visible Body has a comprehensive Information Security Policy, as well as an Incident Response Plan including notification of affected parties.
Do you need to connect to our network for performing your services?
No. Users inside your school network will need to connect to our site on AWS to access our products. Some Courseware customers may opt to use a Deep Integration between Courseware and their LMS. These customers may need to agree to a limited set of API scopes to allow Courseware to make updates, such as adding grades, in their LMS.
Who is responsible for the maintenance and management of the system?
Visible Body is responsible for maintenance and management. Support is available by submitting a ticket or emailing support@visiblebody.com.
Do you maintain cyber liability insurance in addition to general liability insurance?
Yes, we maintain cyber liability coverage with a limit of $5,000,000.
How is user authentication handled?
Authentication is via username and password using OAuth2, or via Google SSO. Access control is performed at the role and user level to determine what information a user is able to access and interact with. For customers with Courseware and an LMS integration, authentication occurs via SSO from the LMS. For some site license customers, initial authentication may be via IP address.
What virus detection methods and software does Visible Body use?
All files uploaded to the application are scanned for viruses using ClamAV.
Can Visible Body accommodate our request to allow for a site visit for a security audit, given 48 hours' notice?
Given 48 hours' notice, we can accommodate a site visit to Visible Body's office, but not to Amazon Web Services' datacenter.
Data Protection
What types of data do you need access to? Is any of my data accessed or transmitted outside of the United States?
For VB Suite and non-integrated Courseware products, users input their own data; Visible Body does not need to access any data in your databases. For Courseware with an LMS integration, Visible Body will receive certain data elements from your LMS.
VB Suite Data Entities and Data Elements Required
Name/Description | Example |
IP Addresses of users | 8.8.8.8 |
User email address | john.doe@example.com |
User app username | john.doe@example.com |
User app password: 8 characters, including a lowercase letter, an uppercase letter, a number, and a special character | MrM_wJUNh2Nak.9Ec4y9 |
User name | John Doe |
Courseware Data Entities and Data Elements Required
Name/Description | Example |
IP Addresses of users | 8.8.8.8 |
Institution name | Visible Body College |
Course name | Anatomy & Physiology |
Assignment name | Lesson One |
Teacher names | Mary Jones |
Teacher email address | mary.jones@example.com |
Teacher app username | mary.jones@example.com |
Teacher app password: 8 characters, including a lowercase letter, an uppercase letter, a number, and a special character | @i4m8hNpEDyPso9akiCp |
Student email address | john.doe@example.com |
Student app username | john.doe@example.com |
Student app password: 8 characters, including a lowercase letter, an uppercase letter, a number, and a special character | m33MVhf39PA@EjYzxxnf |
Student name | John Doe |
Student in-app performance | 80.0% |
Student work: responses to quiz questions | C |
User Role | Student or Instructor |
Courseware with LMS Integration Additional Data Entities and Data Elements Required
Name/Description | Example |
LMS user ID | 12345678 |
LMS user name | mjones |
LMS user preferred name | Mary |
LMS user unique ID | 12345678 |
LMS course section ID | 12345678 |
LMS resource link ID history | 12345678, 123456789 |
LMS context id history | 12345678, 123456789 |
Who at Visible Body’s premises can see our data and what internal controls does the provider have in place to prevent unauthorized viewing, copying or emailing of customer information?
Only employees who need access to perform their job functions have access to the data. Employees are trained annually on student and customer data privacy.
Are employees trained on data privacy?
Employees are trained annually on data privacy, including FERPA compliance.
Where are the Visible Body products hosted?
Visible Body products are hosted by Amazon Web Services in the Eastern United States.
Where will you store or host my data (e.g., on-premise vs cloud)? Will all of my data be stored within the United States?
Data at rest is secured and encrypted on an Amazon Web Services (AWS) relational database instance. Data in transit is encrypted with HTTPS. All student data is stored within the US.
What is Visible Body’s data at rest and data in transit protection?
The encryption used for data at rest is AES 256. The encryption standard for data in transit is TLS 1.2.
How does Visible Body ensure that access to student data is secure?
All connections occur over HTTPS, and a user must authenticate to view student data.
Where does Visible Body store my credit card information?
Our sites and applications do not process or store credit card information. Subscriptions purchased on our website are processed by Fastspring (an outside company and site). Fastspring meets the Payment Card Industry Data Security Standard (PCI DSS).
How do you separate one Courseware customer’s data from another’s?
All Courseware customer data is logically separated by customer ID but is physically stored in the same database on AWS.
How are failed data storage devices and end-of-life hardware disposed of?
All data is stored in the cloud at AWS. Server disposal is handled by Amazon.
How is data destroyed after it is released by a customer?
At customer request, data will be deleted from the database. Visible Body does not retain backups of personal information for more than 90 days.
What happens to customer data after the business relationship is terminated?
If the business relationship is terminated, Visible Body can return or destroy customer data at the customer's request.
Usage
What are the endpoint devices that connect to the products (PC, laptop, mobile, medical device, etc.)?
The VB Suite website and Courseware are accessible via web browser on Windows, Mac, or Chromebook. Included mobile apps are accessible on iOS or Android.
How many users can be accommodated and how many endpoint devices? Who are the users of this app?
The products have been tested with up to 10,000 concurrent simulated users. The products are hosted on AWS, which provides a robust and scalable infrastructure to accommodate sudden increases in usage. End users are instructors and students.
What web browsers are supported? Are any add-ons required?
VB Suite and Courseware are Web-delivered. Chrome, Edge, and Safari are supported. No add-ons are required. Details are in the support articles for each product.
What are the system requirements for Courseware?
You can find our Courseware system requirements in this support article: https://support.visiblebody.com/hc/en-us/articles/360000992994-System-Requirements-for-Courseware
What are the system requirements for VB Suite?
You can find our VB Suite system requirements in this support article: https://support.visiblebody.com/hc/en-us/articles/360045450074-System-Requirements-for-Visible-Body-Suite
Is a printer required for using the products?
Printing is not required.
What network ports are used for client to server and server to server communications?
Client to server communication uses port 443. Server to server communication uses port 3306.
Are there other data exchange mechanisms (batch load, data import, etc)?
CSV batch export is available in Courseware to support uploading scores to an LMS. Customers may also opt to integrate Courseware with their instance of Canvas by setting up a connection to one of our endpoints, which allows Courseware to send grades to their Canvas gradebook.
What are the network bandwidth requirements?
Recommended: 30 Mbps download via HTTPS.
Do you support SSO?
The VB Suite website and Courseware both support Sign in with Google. In addition, Courseware customers can set up an integration between Courseware and their LMS and, by linking accounts during initial sign-up, provide students with single sign-on. Once this is done, students need only sign in to their LMS and will not have to sign in again when accessing Courseware.
Requested Improvements
Visible Body is in constant conversation with customers to communicate and enhance technical, security, and compliance standards. Here are some requests we have received and do not yet provide:
- IPv6 addressing
- Multi-factor authentication
- SAML 2.0 for federated authentication
- Support for Apple or Microsoft SSO
- Penetration testing
- Authoritative third party certification of secure gateway environment
- SOC 2 Type II compliance (in progress)