DataCamp, Inc. Information Security Overview
Our mission is to democratize data science education by building the best platform to learn and teach data skills and make data fluency accessible to millions of people around the world. In doing so, protecting your data is one of our most important priorities. Accordingly, DataCamp will implement reasonable, administrative, technical, and physical safeguards in an effort to secure its facilities, systems, and applications from unauthorized access and to secure the user content.
DataCamp is an ISO 27001:2017 certified company, independently audited by Brand Compliance B.V. All of our security policies, measures and safeguards are subject to audit. A copy of the certificate can be found above. The statement of applicability can be made available on request.
Administrative Safeguards
All relevant employees have undergone background screening.
All employees, independent contractors and subcontractors are required to execute a confidentiality agreement.
An asset management policy is in place including a disposal policy.
Information assets are classified and protected according to their label.
All employees and subcontractors receive security awareness training on the Security Policy in place. Disciplinary action might occur in the event policies are neglected.
All access to servers and hosting providers is monitored; access logs are retained for up to 6 months and internally audited on a regular basis.
Employee access to our infrastructure is strictly limited to engineers who require such access in order to maintain the stability and efficiency of our systems. Access is based upon the principle of least privilege and requires the use of two-factor authentication.
Annual penetration testing by an external party is used to audit application and server security.
Our organization’s development and production environments are fully separated.
Technical Safeguards
Data is logically separated based on a microservice architecture. All databases and backups are encrypted at rest with AES-256. Additionally, we back up all data on a daily basis with a 30-day retention period.
All endpoints are centrally managed:
- Automatic device locking.
- Automatic password policy enforcement.
- Automatic software roll-out.
- Remote wiping in case of stolen or damaged equipment.
- Protected with anti-malware software and data loss protection; data is transferred securely.
- All communication between users and our application is secured with 128-bit TLS 1.2 encryption and above.
All account passwords are protected irreversibly. Employees cannot reconstruct passwords in any way or form.
Security risks and patch management are handled according to risk level. For example, critical, high and medium risk vulnerabilities shall be patched within 60 calendar days after a patch is made available to users, and low risk vulnerabilities shall be patched within a commercially reasonable time after a patch is made available to users.
Automatic inspection tools are used to ensure best practices related to authentication, network security, operating systems, and application security are adhered to.
Advanced user-, file- and network-activity anomaly detection monitors our infrastructure.
Our payment processors, Braintree and Adyen, are validated Level 1 PCI DSS Compliant Service Providers. They are part of Visa’s Global Compliant Provider List and MasterCard’s SDP List. Additionally, they conduct regular automated vulnerability scans and have extended external penetration testing conducted by outside sources.
Physical Safeguards
All offices require badge-based access to enter. Our NY office has 24/7 security.
Our user-facing applications are hosted on Amazon Web Services in ISO 27001 certified data centers. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, biometric locks, and other electronic means. Only authorized personnel have access to the data centers.
Responsible Disclosure
DataCamp takes pride in proactively resolving all security vulnerabilities in our products. We are in the process of creating a formal security reward program. Until this program is live, we ask that you consult our responsible disclosure policy on how to send any in-scope vulnerability findings. Any submission must contain reproduction steps, a proof of concept, and impact. We do not consider defense-in-depth practices that DataCamp, for various reasons, might decide not to have implemented as security vulnerabilities, for example, specific headers, cookie configurations, etc.