Teachable Security Overview

The following information provides an overview of the security measures designed and implemented by Teachable to protect its systems, including the physical, technical, and administrative controls that govern access to and use of the systems.

Technical and Organizational Measures
Within its area of responsibility, Teachable adopts the following technical and organizational measures for processing transferred data.

Physical security
Among other measures, the data importer takes the following actions to prevent unauthorized access to equipment processing or using data:
· Physical access to Teachable’s facilities is restricted behind keycard access and our building is monitored 24/7.
· All individuals must identify themselves to security personnel in order to be admitted to the Teachable offices during business hours and must have a valid employee badge to access outside of business hours.
· There are documented processes in place for the issuance of Teachable building access badges; the possession as well as the return of such badges is tracked and verified.
· Only authorized Teachable visitors and building staff are granted access to the premises.

Logical access and security
Strict policies are in place to address and limit access to production systems. For certain data access tools, tool owners authorize the nature and extent of access privileges prior to granting access. The procedures for requesting and generating certificates to access data for development and production are documented.

Teachable also takes the following actions to prevent the unauthorized use of data-processing equipment:
· One-time personnel identification, unified identity management, two-factor authentication, strong passwords, and periodic reviews of access lists are in place to ensure that personnel accounts are put to their intended uses.
· Authorized access to internal support tools is controlled by means of a VPN, in addition to a user system requiring a unique, long password.
· All employees having access to production resources are required to authenticate with two-factor authentication.
· Unique personnel IDs are used to authenticate to systems.
· Passwords are configured to enforce password length and complexity.
· Login history and failures are tracked.

Additionally, Teachable takes the following actions to ensure that the parties authorized to use a data processing system only have access to the data for which they have been specifically cleared, and that stored data or data being processed cannot be read, copied, changed or removed:
· Authorization for Teachable services and internal applications is enforced at all times and at all levels of a given system, with access rights being granted or processed on the basis of the personnel member’s job responsibilities / need-to-know, which is provided via workflow tools.
· Access to production systems is restricted to trained and specifically authorized personnel members. Such access is revoked in the event of an individual’s dismissal or termination of employment. All members of the team with access to production systems may access production solely behind a two-factor authenticated session.
· Teachable uses a centralized logging system. Access to the logging system is restricted to authorized personnel and the logs are protected from modification and deletion by non-admin personnel.


Technical security
Teachable deploys a range of technical security measures to protect its systems:
· Servers and network traffic are monitored by industry-standard tools to detect and respond to any potential security breaches.
· Teachable runs on Amazon Web Services (AWS) infrastructure, using best-in-class instrumentation tools that log changes to the servers and detect signs of a potential compromise.
· Amazon Web Services uses a combination of industry-standard sandboxing technologies and a sophisticated Network Intrusion Detection system to monitor network activity for signs of malicious activity.
· TLS encryption is part of the standard security architecture at Teachable. Core transport services require encryption, such as SSH or HTTPS, to exchange information.
· Encryption technology is used to provide security for online user authentication and administrator sessions.
· Remote data access to production environments or our internal staff application requires a link to the company’s intranet or a connection via a VPN which is subject to a dual authentication mechanism.
· Changes to the infrastructure and back-end environment, including changes to security tools, follow the Teachable coding and release process.
· All committed code changes are reviewed by an individual other than the developer and are tested prior to commit to production.

In addition, Teachable provides employees and contractors with education and training on specific technical and organizational security measures.
· Teachable employees are required to complete security training as part of their onboarding.
· Teachable’s engineering team conducts company-wide security awareness activities to reinforce information security practices and policies.