Security is integral to our service

Security

Introduction

Competency.IO users trust us with their data. That trust is based upon us keeping that data both private and secure. The information on this page is intended to provide transparency about how we protect that data. We will continue to expand and update this information as we add new security capabilities and make security improvements to our products.

Security Program

Security is integral within Competency.IO. Our technical team's charter is protecting the data you store in our service. We drive a security program that includes the following focus areas: product security, infrastructure controls (physical and logical), policies, employee awareness, intrusion detection, and assessment activities.

The technical team runs an in-house Incident Response program and provides guidance to employees on how to report suspicious activity. Our technical team has procedures and tools in place to respond to security issues and continues to evaluate new technologies to improve our ability to detect attacks against our infrastructure, service, and employees.

We periodically assess our infrastructure and applications for vulnerabilities and remediate those that could impact the security of customer data. Our technical team continually evaluates new tools to increase the coverage and depth of these assessments.

Network Security

Competency.IO defines its network boundaries using a combination of load balancers, firewalls, and VPNs. We use these to control which services we expose to the Internet and to segment our production network from the rest of our computing infrastructure. We limit who has access to our production infrastructure based on business need and strongly authenticate that access.

We protect our service against distributed denial of service (DDoS) attacks using an on-demand mitigation service.

Account Security

Competency.IO never stores your password in plaintext. When we need to securely store your account password to authenticate you, we use encryption together with a unique salt for each credential. We select the number of hashing iterations to strike a balance between user experience and password cracking complexity.

While we don’t require you to set a complex password, our password strength meter will encourage you to choose a strong one. We limit failed login attempts on both a per-account and per-IP-address basis to slow down password guessing attacks.

Customer Segregation

The Competency.IO service is multi-tenant and does not segment your data from other users’ data. Your data may live on the same servers as another user’s data. We consider your data private and do not permit another user to access it unless you share it. See the Product Security section for how we enforce our authorization model for access to private and shared content.

Data Destruction

Competency.IO retains your content unless you take explicit steps to delete it. Deactivating a personal account or revoking access to an enterprise account does not automatically remove content.

For personal and enterprise data, visit the STORAGE feature within your account, where you can opt to delete any or all of your uploaded data. References and connections to the data are then removed from our databases.

Customer Account Access

Competency.IO, like most web services, has an administrative tool. This tool allows our customer service and platform administration teams to resolve customer issues. We limit who has access to customer data within this administration tool based on business need and strongly authenticate that access.

We periodically review employee access to customer accounts to identify administrative abuse and minimize the situations where we might need to access account content in the future.

Activity Logging

The Competency.IO service performs server-side logging of client interactions with our services. This includes web server access logging, as well as activity logging for actions taken through our API. These logs also include successful and unsuccessful login events. Due to the nature of our client / server architecture, we cannot reliably know whether specific data was viewed.

Physical Security

When you upload data to our servers, it is stored in a private, locked cage at one of our data centers, or uploaded to third-party secure data services. These data centers are staffed and monitored 24x7x365. Access to the data center requires, at a minimum, two factors of authentication, and may include biometrics as a third factor.

Each of our data centers has undergone a SOC-1 Type 2 audit, attesting to its ability to physically secure our infrastructure. Only operations personnel and data center staff have physical access to this infrastructure, and our operations team is alerted each time someone accesses our cage, with a video record of the event.

All Competency.IO data resides within North America. For Canadian operations, data is stored in Canada. For US operations, the web service is hosted in Canada, but uploaded data is stored within the US.

Privacy and Compliance

Please see our privacy policy for information about our Safe Harbor compliance. We do not publish a Service Organization Control (SOC) report.



Report a Security Issue

If you believe you’ve found a security vulnerability in our service or our infrastructure that could harm Competency.IO or anyone who uses Competency.IO, please let us know by e-mailing details of your finding to [email protected].

Please remember our User Guidelines and don't violate anyone's privacy, interfere with anyone's account, or destroy any data. Please don't interrupt or degrade our services. And please give us a reasonable amount of time to respond before publicly disclosing your findings. Thank you.