Explainer: Data security on the Unifrog platform
Want to share the information below with someone who doesn't have a Unifrog account? It's also available here on our About page, and this guide is available as a blog here.
Here are some of the main aspects of data security for the Unifrog platform.
----
Only UK and EU data centres
Student data and backups are only stored and processed in UK and Ireland data centres. All data is stored in accordance with the General Data Protection Regulation (GDPR) 2018. Our ICO registration reference is Z357522X. For users applying to universities in the USA, Canada and Europe via our partners Parchment and the Common App, we send data to the country of the institution a student is applying to via the USA.
Multiple firewalls
Servers sit behind multiple firewalls within a VPC which is only accessible via a VPN; only ports 80 and 443 are publicly accessible. The database server is not accessible outside the VPC.
Encryption
Student data and backups are encrypted at rest and in transit using 256-bit SSL/TLS.1.2 encryption. You can check our supported protocols and ciphers here. Sensitive data such as passwords are hashed and salted.
Layered access security
Administrators have limited access to student data, and only when strictly necessary. We use user-type appropriate password rules regarding password length, complexity, age, number of allowed failed logins per day, re-use of old passwords, and 2-step authentication.
Secure servers
Our servers and technology infrastructures are provided by Amazon Web Services. Only our lead developers and our Managing Director have access to this environment. Servers are automatically updated as soon as security patches are released.
Database backups
Backups are made daily, and retained in reducing granularity for a minimum of 3 months. Point-in-time recovery is also available up to 5 minutes behind current time. Backups are held in multiple geographical locations.
File backups
Files uploaded to our Locker tool are not deleted until 180 days after a student has been removed from the Unifrog platform. Our storage gives files 99.999999999% durability, and we store them in multiple regions.
Server backups
Snapshots are taken at 1 hour intervals, are retained in reducing granularity for a minimum of 3 months, and are held in multiple geographical locations.
Vulnerability assessments
Penetration Testing is performed regularly, both manually and automatically by our developers. Realtime protection is provided by Amazon Web Services and other third-party providers.
Lost data
We keep complete version histories of our application creation tools like our Common App Essay, personal statement and Teacher Reference tools. If users delete student accounts by accident, we can bring the student accounts back again as long as we are alerted within one month.
CSP, Clickjacking and XSS
The platform uses a strong Content Security Policy (CSP) to help prevent Cross-Site Scripting (XSS), clickjacking and other attacks resulting from code injection. We recommend using a modern, up to date browser that supports the latest CSP specifications.
Cookies
We use 'strictly necessary' cookies that contain no tracking or personally identifiable information to enable the even load balancing of our servers. We only use cookies to enable users to remain logged into their account. When users sign in for the first time they agree to our terms, which explains in detail what cookies we use.
A note about external security accreditation
We have decided not to pursue external security accreditations, such as ISO 27001, Cyber Essentials or SOC 2 certification. This is because we believe that security threats and best practices move faster than these accreditations allow for, and we prefer to full take responsibility for staying ahead of threats and following best practices in data security.