Checkology was launched in May 2016, and has been in active development since. It is owned and operated by the News Literacy Project, and developed and maintained by Kwanso.
What schools trust and use the product?
Columbia Public Schools (MO), the New York City Department of Education, the Los Angeles Unified School District (LAUSD), some West Virginia districts, Miami-Dade county, and hundreds of individual organizations.
What operator technology supports the product?
Checkology operates under all major modern web browsers, including all major/minor versions of Chrome, Safari, Internet Explorer, and Safari released from 2018 onward. It is optimized for both desktop and mobile usage using Windows or Mac machines.
Collection and storage of personally identifiable information (PII) for students is kept to an absolute minimum for viable usage of the product.
Collected information includes:
- First Name
- Last Name
- Email Address (not required for students)
- School & District
- Teacher & Class Section
PII is transferred from the client to the server with industry-standard SSL encryption, by way of a secure HTTPS connection.
Clients may opt to pre-enroll their entire roster. This is a manual process, and specifics surrounding the transfer will be discussed by both parties.
As an example, Checkology can provide a SSH-accessible SFTP server and a public PGP key, with which the client can encrypt their roster (encryption at rest) and transfer it to Checkology (encryption in transit). Other tools, like established secure end-to-end encrypted transfer services, can be provided.
All PII is encrypted with OpenSSL to provide a minimum of AES-128 encryption. All encrypted values are signed using a message authentication code (MAC) so that their underlying value cannot be modified once encrypted.
Encrypted PII is only decryptable by the teacher(s) leading a student's section/class. Access to decryption keys are limited on Checkology's servers to the Checkology app itself and a root user (whose login is limited to SSH from identified administrators and is logged).
In addition to the application encryption, all system storage is encrypted by AWS at rest using a combination of hardware and software encryption techniques.
In instances where student work is visible to other users of the platform, or when users need a username to login, students are represented by a username composed of their first name, last initial, and a number (in case of username collisions).
- For students, visibility of student usernames is limited to their individual class.
- For teachers, visibility of student usernames is limited to their class list. These are classes they've created or have been assigned a co-teacher for.
- School Admins, District Admins, and System Admins cannot see student usernames.
All user passwords are hashed, salted, and encrypted using the same encryption techniques used to store PII, before they are saved to the Checkology database.
Signup & Login
Users can choose to sign up or log in with an email/password combo, Google SSO, or Microsoft SSO. Using an SSO provider removes the necessity for Checkology to store passwords for those user accounts.
Checkology's physical infrastructure is hosted and managed within Amazon’s secure data centers and utilize the Amazon Web Service (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
Checkology and related products are currently hosted on AWS EC2 instances. For general Amazon Web Services Security & Compliance documentation, please see their Whitepaper.
As an AWS customer, we inherit all the best practices of AWS policies, architecture, and operational processes built to satisfy the requirements of AWS's most security-sensitive customers. While AWS manages security of the cloud, we are responsible for security in the cloud.
Checkology utilizes ISO 27001 and FISMA certified data centers managed by Amazon. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Amazon only provides data center access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical and electronic access to data centers by Amazon employees is logged and audited routinely.
For additional information see: https://aws.amazon.com/security
Fire Detection and Suppression
Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.
The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide backup power for the entire facility.
Climate and Temperature Control
Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Monitoring systems and data center personnel ensure temperature and humidity are at the appropriate levels.
Data center staff monitor electrical, mechanical and life support systems and equipment so issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment.
For additional information see: https://aws.amazon.com/security
Checkology uses industry-standard AWS Security groups to firewall the application.
Firewalls are utilized to restrict access to systems from external networks and between systems internally. By default, all access is denied and only explicitly allowed ports and protocols are allowed based on business need. Each system is assigned to a firewall security group based on the system’s function. Security groups restrict access to only the ports and protocols required for a system’s specific function to mitigate risk.
Host-based firewalls restrict customer applications from establishing localhost connections over the loopback network interface to further isolate customer applications. Host-based firewalls also provide the ability to further limit inbound and outbound connections as needed.
Incoming and outgoing web traffic is allowed for all IPs on HTTP and HTTPS. SSH connection to the server is limited by whitelist to preset list of computers.
Our infrastructure provides DDoS mitigation techniques including TCP Syn cookies and connection rate limiting in addition to maintaining multiple backbone connections and internal bandwidth capacity that exceeds the Internet carrier supplied bandwidth. We work closely with our providers to quickly respond to events and enable advanced DDoS mitigation controls when needed.
Spoofing and Sniffing Protections
Managed firewalls prevent IP, MAC, and ARP spoofing on the network and between virtual hosts to ensure spoofing is not possible. Packet sniffing is prevented by infrastructure including the hypervisor which will not deliver traffic to an interface which it is not addressed to.
Videos on YouTube are uploaded as unlisted with no tagging. Vimeo and Wistia videos are private. All videos are considered safe for grades 6-12.
The system stores information needed to operationally debug an administer the system for transaction failures and debugging. Logging about actions taken within the system detail which user executes work; however, due to network configuration and layering the specific IP that the user was executing the work from is not accurate and as a result we do not retain it.
All logging (both in database and on disk) is securely maintained and only those whom've been specifically granted access are able to access this information. Logging can be preserved for any desired SLA.
AWS Data Centers are designed with carefully selected sites, redundancy, high availability, and ever-expanding capacity. Data loss due to disaster within an AWS facility is extremely unlikely.
Within the Checkology system, we make automated backups and daily snapshots of the user database. Daily backups are retained for at least 7 days, weekly backups for at least 3 months, and monthly backups for at least five years.
In case of a discovered data breach, all affected districts will be notified of the event and of what data was subject to the breach in a timely manner. Further action will be decided depending on the type and severity of the breach.
Long-term User Data Storage
As of August 2020, Checkology removes all user data from the production environment before the start of the next school year. The data removed from the production environment often is, but is not always, sent to encrypted long-term storage at the discretion of NLP. Exceptions to this rule can be made for districts where either enhanced privacy or permanent/long-term storage is a requirement. Additionally, monthly automated backups are retained for at least 5 years.
If it exists, a district's student data can be requested by the district, and can be transferred to a district-owned SFTP server or via end-to-end encrypted fileshare services.