Privacy & Security are Our Priorities

A Cloud-Based, Hosted Solution.

Digication's entire infrastructure is hosted at various Amazon Web Services (AWS) locations. All servers are located in the United States. Digication primarily uses the Virginia AWS location but can be relocated to other US-based AWS locations during a crisis. One example of an alternative AWS location is in Oregon, which is approximately 2,500 miles from Virginia.

Both data at rest and database backups are encrypted using SHA256. Data in transit is encrypted via TLS protocol. Data is backed up automatically on a nightly basis. Information stored in our system remains active the entire life of the license or a minimum of 5 years.

All servers and databases are contained in an AWS Virtual Private Cloud (VPC) which gives the added security of a virtual isolated environment from other hosted clients. In addition to the use of a VPC, Digication's servers are protected by various firewalls as well as network segregation throughout the VPC to further isolate various components such as databases from any outside access.

Digication has a documented contingency plan for mission-critical computing operations and reviews and updates the contingency plan at least annually. Digication has identified specific computing services that must be provided within specified critical time frames in the event of a disaster. Digication’s cross-functional dependencies have been identified so as to determine how the failure in one system may impact another.

To guard against catastrophic events at any given data center, Digication duplicates its server infrastructure in different locations whenever available. In most catastrophic situations, Digication can resume service using a different data center within 5 business days.

Upgrades happen seamlessly across our network of systems.

Digication is not released in versions. Instead, upgrades happen seamlessly across our network of systems and are made available to all institutions at no additional cost.

New feature releases are available for system administrators to enable as needed through the admin panel or, for beta features, by contacting Digication’s Help Desk. All new features are announced to administrators via email, on Digication’s Twitter feed, through our online Help Desk, http://support.digication.com, and through our email newsletters sent to all system administrators.

Maintenance occurs on an almost daily basis. New features are announced on an almost monthly basis.

Patches and upgrades are deployed regularly (as often as weekly).

All upgrades and patches go through automated and/or physical human tests before deployment, depending on the nature of the upgrade. Certain critical upgrades, such as database migration, or infrastructure changes, are repeatedly rehearsed in test environments to minimize risks.

• Emergency security patches: Digication upgrades and deploys patches to address emergency security issues as quickly as possible. If these patches or upgrades require a change to the UI or end-user logic, system administrators will be contacted via email regarding the changes.
  

• Small patches or updates: Digication deploys upgrades and patches related to improved UI, logic, security, or performance as quickly as possible. Patches and upgrades in this category that are UI- and logic-related are announced to system administrators typically with a two-week lead time. The two-week lead time is provided to all campus system administrators so that they are given time to update documentation and share the updates with their end-user community as needed.
  
  
• Bigger feature releases: Typically Digication releases bigger feature upgrades with a per-system or per-user beta enable feature option (so that system admins can review and decide when they would like to enable the feature for the whole system or release to a subset of their campus community).
  
  For emergency security patches, small patches, and upgrades listed in 1. and 2. above, Digication automatically applies the patch or upgrade. For bigger feature releases Digication will provide one month to twenty-four months for system administrators to deploy the upgrade depending on the size of the upgrade.

Real-time monitoring and alerting for data security.

Digication monitors server and application health at a highly granular and real-time basis to detect slowness, unusual activities, and downtime. Alerts are set off to a dedicated group of Digication employees 24/7, and automated scripts are also programmed to react to certain server maintenance and scaling tasks.

Security Breach Protection & Detection

Digication uses Detectify, a third-party scanning and penetration testing service, to perform weekly scans (as prescribed by OWASP industry best practices and guidance) of its applications to assess if any security vulnerabilities have been detected; based on the findings, Digication will take necessary action.

Digication uses a number of logs, errors, and infrastructure management and monitoring tools as necessary. An APM tool is used to track and monitor real-time metrics for areas where code or database queries could be optimized.

We have security standards and measures in place to ensure data remains secure and backed up safely.

These measures help prevent the loss, misuse, or alteration of data under our control. We also have reasonable physical, electronic and procedural safeguards to protect your personal information. We employ industry-standard encryption technology to help ensure that your data is safe, secure, and available only to you. Both data at rest and database backups are encrypted using SHA256. Data in transit is encrypted via TLS protocol.

As described above, Digication's entire infrastructure is hosted by AWS. All servers and databases are contained in an AWS Virtual Private Cloud (VPC) which gives the added security of a virtual isolated environment from other hosted clients. In addition to the use of a VPC, Digication's servers are protected by various firewalls as well as network segregation throughout the VPC to further isolate various components such as databases from any outside access.

Data is backed up off-site automatically on a nightly basis. Information stored in our system remains active the entire life of the license or a minimum of 5 years.

We utilize day-to-day practices that create an extremely resilient business continuity and disaster recovery plan.

Digication has a documented contingency plan for mission-critical computing operations and reviews and updates the contingency plan at least annually. Digication has identified specific computing services that must be provided within specified critical time frames in the event of a disaster. Digication’s cross-functional dependencies have been identified so as to determine how the failure in one system may impact another.

To guard against catastrophic events at any given datacenter, Digication duplicates its server infrastructure in different locations whenever available. In most catastrophic situations, Digication can resume service using a different datacenter within 5 business days. 

Digication utilizes several day-to-day practices that create an extremely resilient business continuity and disaster recovery plan:

Source code management

All Digication application source code is managed by GIT, a distributed revision control and source code management (SCM) system. Using this system, every version of code created by every developer who ever developed code for Digication is tracked and backed up in a distributed fashion across multiple locations.

Test automation

Digication maintains a large set of automated tests to make sure the software functions as expected. This includes low-level code tests and high-level end-to-end tests. All those thousands of tests are run automatically for every code change or at least during every deployment to our production environment.

Infrastructure automation

The entire Digication server and network infrastructure is created via managed automated server and network deployment. As a result, Digication achieves High Availability (HA) through real-time server monitoring and automatic failover. This also means that during any disastrous events, a brand-new set of identical servers can be rebuilt using the same scripts within hours.

Monitoring and alerting

Digication monitors server and application health at a highly granular and real-time basis to detect slowness, unusual activities, and downtime. Alerts are set off to a dedicated group of Digication employees 24/7, and automated scripts are also programmed to react to certain server maintenance and scaling tasks.

Identity Management

Digication, for the most part, use ePortfolios to advance integrative learning with plenty of emphasis on identity development across program and curriculum. We've adopted policies and technologies to see that the right user(s) connected to our resources or that are part of our ecosystem get appropriate access to our ePortfolio and assessment tools.

We've invested in security solutions and infrastructures to keep learning, reflection, and assessment data and resources safe. We ensure user's authorization requests are validated and verified before granting appropriate and adequate permissions (depending on policies enforced to control the user's level of access.)

This, to a greater extent, ensures we continue to meet rigorous compliance requirements on the part of our users and employees, interacting across diverse technology via different software, hardware, and applications.

Data Retention Policies

Both data at rest and database backups are encrypted using SHA256. Data in transit is encrypted via TLS protocol. Data is backed up off-site automatically on a nightly basis. Information stored in our system remains active the entire life of the license or a minimum of 5 years.

Transfer of University Data

Digication is more than happy to return data to institutions.

According to Digication's standard subscription agreement, "For up to ninety (90) days after the termination of this Agreement, you may download your User Content and other Hosted Data to your computer system by contacting us at support@digication.com and requesting that such Hosted Data be exported to your computer system.  Unless otherwise agreed, User Content and other Hosted Data will be provided in a standard format selected and/or generally used by us for this purpose.  You will be responsible for contacting us regarding the export of your Hosted Data within ninety (90) days following termination of this Agreement."

Requests for Data Destruction

Digication is a cloud-based SaaS solution hosted on Amazon Web Services (AWS). The handling process of cloud resources (database backups, uploaded media files, server storage) is managed by AWS. They adhere to DoD standards wherever possible.

Family Educational Rights and Privacy Act (FERPA) Compliant

We prioritize students' privacy and make sure everyone at Digication is continually reminded about the law that protects the privacy of student education records.

This Federal law - enacted in 1974 - serves two primary purposes:

• Prohibits educational institutions from disclosing "personally identifiable information in education records" without written consent.
• Gives parents (students over 18 years old) more control of their educational records.

General Data Protection Regulation

The GDPR is a comprehensive European Union (EU) data privacy law. Along with standardizing user data privacy across the EU member states, the GDPR places requirements on some organizations that handle EU residents’ personal data, regardless of where the organizations themselves are located.

While using Digication, personal information which you or your organization (if your account is being administered and controlled under an Enterprise subscription) has provided will be hosted on our platform and therefore shared with us. Upon registration or first login with Digication you will be required to acknowledge receiving this Privacy Notice before you will be allowed to access Digication.

Digication provides the additional information below to inform you of your rights and our practices and responsibilities in processing your personal data under the GDPR. This Privacy Notice only applies when (a) you are based in the EU and (b) you are a user of Digication.

We may update this Privacy Notice from time to time to reflect changes in our practices or in the law but if we do so, we will provide you with access to an updated copy of the Privacy Notice as soon as possible. This Privacy Notice was last updated on January 1, 2021.

For more information please visit our GDPR Policy page.

The Higher Education Community Vendor Assessment Toolkit

HECVAT was created by the Higher Education Information Security Council (HEISC), working hand-in-hand with Internet2 and REN-ISAC to protect sensitive institutional information.

The HECVAT tools are a questionnaire framework designed to address cybersecurity and data privacy in higher education by continually measuring vendor risk. This framework has helped streamline processes leading to the procurement of third-party solutions in universities and colleges to this day.