Last updated July 1st, 2023
Introduction
GoodGoblin is the future of navigating college applications. We are committed to providing a highly available and secure environment for you to manage your college application journey. This document highlights our security practices to help you understand how we ensure security by design.
Protecting Customer Data
GoodGoblin’s Security team is responsible for implementing and managing our security program. The focus of GoodGoblin’s security program is to prevent unauthorized access, use, and disclosure of customer data. Our security program is aligned with AICPA Trust Services Principles and is constantly evolving in accordance with industry best practices.
Independent Attestation
Customers may receive copies of external reports by reaching out to our security team via support.
Security Compliance
GoodGoblin is continuously monitoring and improving upon the design and effectiveness of our security controls. We partner with a reputable third party for their independent assessment of our efforts. All internal and external audit findings are shared with executive management.
Penetration Testing
GoodGoblin engages an independent third party to conduct annual network and application penetration tests. Identified findings are tracked to resolution, and results reports are shared with executive management.
Access Control
When provisioning access, IT adheres to the principles of least privilege and role-based access control, meaning that employees are only authorized the access and permissions required to fulfill their job responsibilities. User access reviews, including production access, are performed semi-annually. Access to the production infrastructure and supporting systems requires MFA. Employee access is revoked within two business days of an employee’s termination. In the event of involuntary termination, access is revoked immediately.
Cloud Hosting
GoodGoblin uses AWS as its cloud hosting provider. GoodGoblin corporate offices do not host any data closets or servers - all data is stored in the region US-East-1. GoodGoblin utilizes serverless instances across AWS to ensure the high availability of all services.
Data Retention
GoodGoblin retains data for the duration of the customer’s use of the application. Customer data is removed upon request for user account deletion or upon customer contract termination. GoodGoblin’s hosting provider, AWS, is responsible for ensuring the proper sanitization of disks and physical media.
Encryption
GoodGoblin encrypts all customer data at rest and in transit using strong encryption methods. All information is transmitted via HTTPS using TLS 1.2+ with AES-256 encryption and SHA-2 signatures, defaulting to TLS 1.3 based on client ability. Data at rest is encrypted at the storage level using AES-256. Database connections are verified using TLS certificates and encrypted in transit using SSL. Encryption keys are managed by and stored securely in AWS. Access to encryption keys is restricted to limited, authorized personnel and requires MFA. All key usage is logged and monitored for anomalous activity.
Endpoints
Employees are provisioned company-managed workstations. All workstations are configured with disk encryption, anti-malware, and idle lockout. IT monitors employee workstations to ensure they are compliant with corporate policy and up-to-date with relevant patches.
Logging
Centralized logging is enabled for all production systems. These logs are reviewed for indications of compromise and alerted upon. The Security team is responsible for monitoring and for responding when alerting thresholds are reached, tracking security events to resolution in accordance with the incident response plan.
Network
GoodGoblin’s firewalls are configured to deny all incoming traffic by default. Firewall rules are reviewed at least annually. Alerts generated by the Intrusion Detection System (IDS) are sent to on-call personnel for investigation and triage. GoodGoblin also utilizes a WAF and CDN, both to protect against common web application threats, such as DDoS attacks, and to provide faster access to the application.
Personnel
Security of the GoodGoblin environment is the responsibility of all GoodGoblin employees, contractors, and temporary workers who have access to GoodGoblin’s information systems. Prior to their start date, all employees must have a completed background check on file, in addition to signing confidentiality agreements.
All employees are required to complete security awareness training upon hire and annually thereafter. The training curriculum includes phishing awareness, remote work best practices, device security, and incident reporting. In addition to completing training, employees are required to review the employee handbook and code of conduct policy. Violations of any corporate policies may result in disciplinary measures up to and including termination.
Secure Development
GoodGoblin has built a secure software development lifecycle (SDLC), including requirements like peer code review. All code is managed in a version control repository, with branch protections in place. Access to source code requires MFA.
Non-standard code changes go through a change management process that covers emergency changes and hotfixes. The agile nature of the process allows for engineers to follow their own release cycles, deploying continuous improvements to the GoodGoblin application.
Third Parties
GoodGoblin partners with limited third parties to provide key services. These third parties, also known as subprocessors, are continuously monitored in order to ensure that their security programs continue to meet GoodGoblin’s standards. GoodGoblin reassesses its subprocessors annually, which includes a review of their independent audit reports and penetration test reports. For the full list of our subprocessors, please see here.
Vulnerability Management
Vulnerability scans are performed daily for in-scope systems. Identified vulnerabilities are remediated in accordance with severity.
Your Responsibility
Though GoodGoblin is responsible for most security controls, our customers are responsible for securing their user accounts. This includes creating strong passwords if using Google for authentication, provisioning user accounts and permissions, and disabling accounts as needed. Additionally, customers are responsible for determining the appropriateness of the data entered into the application. By default, GoodGoblin handles limited customer PII (name and email). The sensitivity of the data that customers input to generate content is ultimately their responsibility. Customers should be aware that GoodGoblin is not PCI or HIPAA-compliant and should refrain from providing cardholder information and protected health information.
Conclusion
Ensuring the security and privacy of customer information is vital to our company mission. The success of our customers is at the core of what we do. We hope this insight into our security program helps to build and maintain your trust in GoodGoblin.