Cialfo Update: On GDPR Compliance

A question we get a lot is “How secure is your data?” But what people are really asking is: “How secure is my data?”

We know that keeping your data safe, available, and backed up is critical when trusting a service provider with your data. We don’t expect anything less from our vendors and neither should you.

The General Data Protection Regulation (GDPR) is the most comprehensive EU data privacy law in decades, and we anticipate other countries taking similar steps. We’re committed to partnering with Cialfo users and customers to help them understand and prepare for the GDPR.

Cialfo is on a mission to democratize education. This means making college admissions counseling easier, more pleasant, and more productive. And this also means that when it comes to security and compliance, we worry so you don’t have to.

Please note: we’ve tried to keep this simple, but if you’re not familiar with terms like “cookies”, “IP addresses” or “API”, then feel free to email us at hello@cialfo.co for more information.

GDPR Compliance

Customers have requested tools to help them comply with the GDPR, and we’re happy to say we’ve built those tools and are working on more through the year.

Permissions

Under GDPR, companies need a lawful reason to use and process contact data, and must keep records of consent and evidence of any other lawful basis for processing.

Permissions allows you to collect, track, and store the lawful basis of processing (contract, legitimate interest, and/or consent) for your Cialfo users (students and parents).

Data portability and export

We’ve built policies around data export requests. Due to the potential size of data, this is currently a manual process. To request a data export, send us an email at hello@cialfo.co or shoot us an in-app message via “Chat with Cialfo” on your sidebar.

Security

Encryption and Key Management

In its most basic form, encryption is the process of scrambling data to make it unintelligible. When data is encrypted, the sender and receiver (in this case, Cialfo and you) are the only parties that can decrypt the scrambled information back into a readable form. This is achieved with ‘keys’, which allow only the parties involved to turn the data into its unreadable form and back again.

Put more simply: encryption is like translating your information into a language only you and Cialfo know, and, more importantly, a language which a cybercriminal cannot translate.

Cialfo uses the Transport Layer Security (TLS) protocol. It allows both sides (Cialfo and you) to authenticate identities and prove that we are who we claim to be. It also encrypts our communication, ensuring no third party can read or tamper with the data you send to Cialfo.

Cialfo also supports Perfect Forward Secrecy (PFS).

Consider PFS the cybersecurity equivalent of the Cone of Silence. Without PFS, your information is safe… until an attacker gets hold of the server’s private key. Once the private key is no longer private, the attacker can decrypt all of the historic traffic they have recorded.

In Perfect Forward Secrecy, the key exchange is ephemeral. If a hacker got hold of Cialfo’s private key, they still wouldn’t be able to read your historic information.
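One way to check a provider's TLS and forward-secrecy claims from the client side, as an added example in Python that is not Cialfo's own code (HOST is a constructed placeholder): it connects, records the negotiated protocol and cipher suite, and classifies the key exchange as ephemeral or not.

```python
import socket
import ssl

# Constructed placeholder host; substitute the hostname you want to check.
HOST = "example.com"


def is_forward_secret(cipher_name: str, protocol: str) -> bool:
    """Return True if the negotiated suite uses an ephemeral key exchange.

    TLS 1.3 removed every non-ephemeral key exchange, so any TLS 1.3 suite
    qualifies. For TLS 1.2 and earlier, OpenSSL-style names carry the key
    exchange as a hyphen-separated token: 'ECDHE' or 'DHE' is ephemeral,
    while static 'ECDH', implicit RSA (e.g. 'AES128-GCM-SHA256') or plain
    'PSK' means a leaked long-term key exposes recorded sessions.
    Unknown or anonymous suites are conservatively reported as not forward secret.
    """
    if protocol == "TLSv1.3":
        return True
    tokens = cipher_name.upper().split("-")
    return "ECDHE" in tokens or "DHE" in tokens


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a TLS connection and report what was actually negotiated."""
    ctx = ssl.create_default_context()  # verifies the chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocols
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, protocol, bits = tls.cipher()
            return {
                "protocol": protocol,
                "cipher": name,
                "bits": bits,
                "forward_secret": is_forward_secret(name, protocol),
            }


if __name__ == "__main__":
    result = probe(HOST)
    verdict = "has" if result["forward_secret"] else "does NOT have"
    print(f"{HOST}: {result['protocol']} {result['cipher']} -> {verdict} forward secrecy")
```

The outcome depends on the suites this client offers as well as the server's configuration, so it reports what this client would get, not the server's complete cipher policy.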

And finally, Cialfo’s infrastructure is implemented with industry-leading services like Amazon Web Services (AWS). AWS is SSAE 16 audited, and encrypts all data sent to it.

Security Testing

Our testing approach spans the planning, development, and testing phases, with each test building on previous work and getting progressively tougher.

In the development phase, we focus on code scanning to remove functional issues and readily identifiable non-functional security issues.

In the testing phase, our development and QA teams switch to an adversarial approach, deliberately attempting to break features using automated and manual testing techniques.

Cialfo uses the Git revision control system. Changes to Cialfo’s code begin on the development server, where they go through a suite of automated tests. Once code passes the automated tests, the changes are pushed to a staging server for other Cialfo employees to test. Only code that has passed both rounds of testing can be deployed to our customer-facing platform.

Figure: An example Git workflow showing the levels new code has to pass through before going live. UAT in this case refers to ‘user acceptance testing’, where actual users test the new feature.

We also add a specific security review for particularly sensitive changes and features. Cialfo engineers have the ability to “highlight” critical updates and push them immediately to production servers, bypassing the staging phase.

Comprehensive review of vendors

We have an important responsibility when it comes to the vendors we use to help us provide our services to our customers. We scrutinize vendor contracts to ensure they address the security, privacy, and confidentiality of our customers’ data. All of Cialfo’s vendors are GDPR compliant. We’ve also ensured your data is stored with an industry leader with a robust security program and appropriate security certifications.

User Access

Because Cialfo is a SaaS solution, our customers are responsible for ensuring that user access to their data is appropriate. We understand the classification of the data that goes into the system, and ensure that users who have access to the system are authorized to access that data.

Role-based access control makes it easy to align with the access restrictions that may need to be imposed to comply with data handling and classification requirements.

We also encourage good password hygiene, which mitigates common threats like password guessing and malicious parties using leaked credentials.

Backups

In addition to platform-wide resiliency, we also have a comprehensive backup program. Automated backups are taken daily and sent to secure SSAE 16 audited data centers. We run backup fire drills monthly to simulate a disaster and exercise the data recovery procedures.

Logging

Cialfo maintains an extensive, centralized logging environment for production which contains information pertaining to security, monitoring, availability, access, and other metrics about the Cialfo services (our web app, mobile apps, and WeChat integrations). These logs are analyzed for security events by automated monitoring software.

Incident Management & Response

In the event of a security breach, Cialfo will promptly notify you of any unauthorized access to your Customer Data. Cialfo has incident management policies and procedures in place to handle such an event.

The security landscape changes fast and we take very seriously the immense responsibility of caring for our customers’ data. Our Privacy Policy can be found here.

If you would like more information or have follow-up questions, please reach out to us at hello@cialfo.co.
