EngageWhiz maintains standards and policies for developing and publishing software and updates to that software. These policies include environment setup, dependency management, backups, code review, repository commits, deployments, testing, defensive programming, and more.
EngageWhiz maintains of policy of restricting and limiting the amount of third-party libraries used in code. Before a dependency can be added, several factors are evaluated before approving its usage, including:
EngageWhiz uses the GitHub Advisory Database to be notified of any security vulnerabilities found in the dependencies we use. When a vulnerability is reported, we ensure that the dependency is updated to the fixed version immediately.
All code must pass a series of reviews and testing before being eligible for deployment to production. For review, the code is first reviewed and checked by a person, where it is then audited by series of automated testing tools. Some of these tools include SonarQube and DepShield. EngageWhiz also utilitizes TypeScript for development.
For testing, Engagewhiz utilizes unit testing, and performs full testing and smoke testing on multiple browsers, devices, and configurations.
EngageWhiz provides a variety of authentication methods, including:
Institutions can customize their preferred authentication method, and even allow multiple. User authentications are logged, including the users IP. We also provide the capability for institutions to restrict user authentication to certain IPs/ranges and email domains. Institutions can also customize password requirements if using the email/password method.
EngageWhiz also supports Two-Factor Authentication (SMS TOTP).
EngageWhiz sends out a security email to users if it notices a signin on a new device or from an unusual location.
Requests to our backend must include authentication tokens generated by login which are verified on the backend.
EngageWhiz implements strict UAC to ensure users can only access the appropriate data. Instructors can add Teaching Assistants (TAs) to their courses with the TA role, which allows the instructor to configure fine-grained permissions for those users.
Data is encrypted in-transit and at-rest under the 256-bit Advanced Encryption Standard (AES-256) and all access to our services is secured over SSL/TLS. We upgrade any non-secure request (e.g. http) to a secure one (e.g. https).
On our free plan, customer data is stored in a multi-tenant environment, with customer data being logically separated. All requests to the database/server verify and ensure that customers can only access their respective data.
For our enterprise plan, customer data is stored in a single-tenant environment and completely separated from other customer data.
Our application servers are separate from our database/data-storage servers. Our application servers are located in the central united states, with our multi-tenant environment being in the same location. Our enterprise customers can choose the data center location to house their data from a list of our datacenters across the world. We can also setup application servers in other countries as well.
On the employee side, all employee authentications, actions and activity with our systems is logged and stored.
For institutions, all user authentications, actions, and activity is logged and stored. Instructors can view the logged activity in their courses.
Logs include who performed the action, the timestamp, and IP address.
Data is backed up daily every 24-hours, with backups being retained for at least 1 year (unless the institution contains HIPAA data, in which case we maintain the backups for the required time period).
Backups are stored in the United States, across 3 data centers to ensure geo-redundancy. We also maintain offline backups, which are updated monthly.
We regularly test our backup systems, and test restoring data from a backup.
Email notifications/alerts are sent with a security footer, which includes information to make the email more specific to the user/provide authenticity, making it easier to identify legitimate emails.
Institutions can configure EngageWhiz to suit their needs. This configuration is accessible via an administrative dashboard. Institutions can add as many administrators as they wish. The admin dashboard allows for the management and configuration of:
The admin dashboard also lets administrators view the courses on EngageWhiz and the usage of EngageWhiz.
In courses, if a page may contain sensitive info such as student grades or records, a confirmation dialog is displayed before the page is viewed asking to confirm viewing the data. This helps prevent accidental viewing of sensitive or private data.