SECURITY
The Players NIL uses Thinkific, a third-party site, as our online learning platform. We chose Thinkific because it has the experience and reliability to support our prestigious NIL learning academy. We also chose Thinkific because of its robust data security program, described below.
Thinkific’s cloud-based platform is purpose-built for the cloud on fundamental principles of security and privacy. The platform implements a combination of best-in-class security, privacy and compliance controls to keep The Players NIL, our customers’ and learners’ connections and data safe.
Thinkific describes its strong security program as follows:
https://www.thinkific.com/security-overview/
DATA SECURITY & PRIVACY CONTROL
Data Centers
Thinkific’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes the Amazon Web Service (AWS) technology as well as the Google Cloud Platform (GCP) technology. Both Amazon and Google continually manage risk and undergo recurring assessments to ensure compliance with industry standards as seen here and here, respectively. Thinkific hosts customer and learner data in the United States.
Access Management, Encryption & Endpoint Security
Access Management
- Thinkific adheres to the principles of least privilege and role-based permissions when provisioning access; employees are only authorized to access data that they reasonably must handle in order to fulfill their current job responsibilities.
- Thinkific utilizes multi-factor authentication for employee access to internal systems. VPN multi-factor and SSH are required for accessing the Thinkific Hosted environments.
- Thinkific employees are required to use an approved password manager.
Encryption
- Thinkific encrypts data using secure cryptographic algorithms.
- All data in transit is encrypted using TLS 1.2 or greater.
- Thinkific leverages AES-256 encryption for data at rest.
- Key management is in place for all Thinkific encryption keys.
Endpoint Security
- Thinkific employee endpoints are configured to comply with Thinkific security standards.
- These standards require all endpoints to be properly configured and updated, to run up-to-date Endpoint Protection software, to employ encryption at rest, to have strong, complex passwords, and to lock when idle.
Network Security & System Monitoring
Network Security and Server Hardening
- Thinkific segments its platform layers into separate networks with restrictive access between layers to protect customer data.
- Thinkific utilizes separate hosting environments for Staging, Development, and Production.
- Thinkific hardens its endpoints and services according to industry-standard CIS benchmarks.
- Network access to Thinkific’s hosting environment is restricted with only load balancers accessible from the Public Internet.
- Thinkific logs, monitors, and audits all system events, and has alerting in place for events that indicate a potential intrusion or exfiltration attempt.
System Monitoring, Logging, and Alerting
- Thinkific uses an industry-leading Security Information and Event Management (SIEM) solution to collect, aggregate, and correlate millions of system events a day across Thinkific’s hosting environments to provide Security and DevOps teams with real-time insight into potential security events.
- Administrative access, use of privileged commands, and system events on all endpoints in Thinkific hosting environments are logged and monitored.
- Analysis of logs is automated to detect potential issues and alert the Security and DevOps teams.
Penetration Testing & Vulnerability Management
Vulnerability Management & Penetration Testing
- Thinkific tests all code for security vulnerabilities before release and regularly scans its network and systems for vulnerabilities.
- Thinkific engages a third party service to conduct application and infrastructure penetration tests on a quarterly basis.
- Results of these tests are prioritized and remediated in a timely manner and shared with senior management.
Application Security
Application Security Overview
- Thinkific’s secure software development life cycle aligns with OWASP best practices.
- All code changes require peer-review and testing (both manual and automated) prior to promotion to production. No single individual may request and implement changes without a review from several other individuals and all changes are logged and tracked.
- All developers are required to complete training on secure development practices.
Data Privacy
Data Privacy Overview
Thinkific’s data privacy controls are designed to honor our obligations around how we collect, process, use and share personal data, as well as our processes to support data retention and disclosure in compliance with applicable privacy laws. Thinkific collects and uses personal data in accordance with our Privacy Policy, and offers our course creators a Data Processing Addendum and CCPA Service Provider Addendum that complies with the GDPR and CCPA.
Data Sharing and Processing
- Thinkific’s platform complies with the GDPR and CCPA and provides a high level of protection for course creator and learner personal data. This includes only collecting, processing, and storing customer data in compliance with these obligations and providing you the right to access or delete it at any time.
- Thinkific has implemented policies that provide controls for deleting customer data when it is no longer needed for a legitimate business purpose.
- Thinkific uses cookies only in accordance with their Cookies Policy.
- Thinkific also requires their data processing vendors to certify the use of customer data for no other purposes than the provision of services.
Vendor Management
- Thinkific only shares customer data with third parties that contractually agree to protect the confidentiality and privacy of the data.
- Thinkific has established agreements that require subprocessors to adhere to confidentiality commitments and take appropriate steps to ensure our security posture is maintained. Thinkific only exports personal data outside of the EEA in compliance with the GDPR, including by transferring personal data to subprocessors on the basis of the updated Standard Contractual Clauses where required.
- Thinkific monitors these sub-processing vendors by conducting reviews of their controls before use and at least annually.
Responding to Security Incidents
- Thinkific has established policies and procedures for responding to security incidents.
- All security incidents are managed by Thinkific’s Security Incident Response Team. The policies define the types of events that must be managed via the incident response process and classify them based on severity.
- Incident response procedures are tested and updated at least annually.
Credit Cards
TPNIL securely processes credit card information in accordance with PCI-DSS standards. TPNIL does not access or store any credit card information. Instead, we have partnered with Stripe to securely handle credit card information. You can learn more about Stripe’s security here.
The foregoing information and representations are provided by Thinkific and can be found at:
https://www.thinkific.com/security-overview/