Collaboratory IT + Systems FAQ

Collaboratory is a secure, cloud-based solution engineered to integrate seamlessly into the higher education technical ecosystem with minimal IT burden. These FAQs provide a comprehensive overview of Collaboratory's technical architecture, security protocols, and integration capabilities, offering IT professionals and data managers a clear understanding of how Collaboratory functions as a reliable, enterprise-grade partner for your campus data.

Foundational Aspects of the Platform

What are your application and database platforms?

Collaboratory is a SaaS (Software as a Service) application powered by a graph Postgres database, an API written in Go, and a JavaScript frontend user interface. The entire SaaS application is hosted securely in Amazon Web Services (AWS) data centers within the United States.

Is a plug-in required for your web-based platform? If yes, which one?

No.

Where is data stored?

Collaboratory data is stored in the cloud in secure AWS data centers located within the United States. Internet access is tightly controlled by IaaS (Infrastructure as a Service) and no physical access to the data is permitted (i.e., Collaboratory cannot physically touch the servers). No data is stored locally except by the Collaboratory administrators at each institution who might export and download their own data. Each data element is stored securely in a backed-up, redundant Postgres database within AWS and managed by RDS (Relational Database Service). Collaboratory does not retain data locally.

Do you use any 3rd party repository for file transfer, file storage or file sharing?

Amazon Web Services file hosting, S3.

Are your infrastructure components fully redundant?

Yes.

What is the availability of the system?

Collaboratory is always on and always available, with minimum acceptable downtime. We have no planned outage times. If there is an infrastructure upgrade that would cause downtime, we will perform it outside of business hours and actively attempt to inform customers ahead of time.

Is there a scheduled maintenance window?

Our maintenance does not generally require downtime for clients. If there is an infrastructure upgrade that would cause downtime, we will perform it outside of business hours and actively attempt to inform customers ahead of time.

How do you scale your system during peak usage?

Each application has redundant instances for distributing load and we are able to scale the number of instances as load increases and decreases.

How are systems monitored?

We have an elastic, on-demand system. Monitors in Amazon Web Services test for availability and capacity, and the application is monitored continuously.

What kind of authentication and access control procedures are in place?

All applications and data stores are in a virtual private cloud with private-key based access only through a bastion host. All connections and actions are logged and monitored.  Roles control access to and management of institutional content, including users, profiles, units, organizations, courses, activities, and partners in Collaboratory. Relationships express a member's institutional identity and assist Collaboratory in fitting institutional expectations. Rights articulate the actions that role/relationship combos can take. Collaboratory relationships include faculty, staff, or students, and are passed via SSO from the institution. Collaboratory roles include Member, Moderator, and Administrator, and are set within the product and controlled by the Core Administrative Team at the institution.

Are logs maintained of access to an institution’s data?

Yes.

Do you offer a test environment?

We offer a test environment for inbound API integrations.

How is data imported?

Collaboratory accepts flat file uploads during the onboarding process to populate the dataset with units, members, courses, and community organizations.  Collaboratory also supports inbound API integrations that allow campus systems (e.g., SIS, LMS, HR system, or an existing engagement database) to securely send data into Collaboratory on an ongoing basis.  You can learn more about Collaboratory’s inbound API here.

How is data exported?

Collaboratory Reports support full self-service exports of all of an institution’s data, available in csv, xlsx, json, html, and xml formats. Currently, custom csv data export requests can be made to the support team. Collaboratory has an outbound reporting API that allows campuses to automatically pull real-time data from their Collaboratory portal into internal and external tools (e.g., dashboards, websites, faculty reporting systems, Salesforce). The outbound API provides access to Collaboratory’s data through RESTful JSON endpoints. You can learn more about Collaboratory’s outbound API here.

What aspects of Collaboratory are customizable?

Every Collaboratory portal comes equipped with a core, standardized dataset informed by national best practices and field literature.  However, to reflect your specific institutional context, campuses can define and manage custom fields, including drop-downs, checkboxes, and text inputs across any step of the Activity Form.  Campuses also have the flexibility to remove or "unrequire" standard fields.  These custom responses are captured alongside our core data and are fully available for your reporting and data exports. Note that the ability to fully customize data fields and form structure is available to institutions specifically within Collaboratory’s Strategic Tier contract.

Is Collaboratory mobile-enabled and capable of functioning across various devices?

Collaboratory is built using a responsive web design that automatically adjusts for different screen sizes and viewports. However, due to the nature of data entry, it is ideally used on a desktop or laptop device.

Is technical support documentation available?

Yes. All users can access Collaboratory's online Help Center, which includes a full suite of resources and technical documentation to assist with utilizing Collaboratory. Collaboratory also has in-app chat functionality provided by Intercom to provide real-time assistance 9am ET - 5pm ET.

Security

Has a security audit been performed to any of the following standards: PCI-DSS, CIS Security Benchmarks, ISO 27001/2, NIST 800-12, or other?

Collaboratory does not collect PCI-DSS data. AWS conducts regular security audits on all their systems where our data and applications are hosted. We do not conduct 3rd party audits on our community engagement and volunteer applications. However, we employ, maintain, and follow industry-standard SaaS application security best practices.

What detection methods do you have to determine if the data has been breached by an outside source?

We employ intrusion prevention methods on all externally-reachable application instances as well as monitoring of our bastion host. We test for vulnerabilities through penetration testing, and are in the process of implementing Snort for intrusion detection.

Do you regularly update virus protection?

No, as it doesn’t apply in our scenario. Virus protection applies to systems that users directly interact with, and long-lived systems. Each time we deploy a new version of our software (at least every two weeks), we deploy a whole new sheet, replacing the entire server.

Are new security patches installed within two weeks of release?

Yes.

Do you perform testing for security risks?

Yes.

Do you test against the OWASP Top 10 Application Security Risks? How often?

Yes.  Once per quarter.

Do you perform penetration testing?

Yes. We do automated penetration testing of Collaboratory.  ZAP is the tool we use to do vulnerability testing. OWASP is the standard we adhere to that identifies vulnerabilities and builds them into the tool.  We use the ZAP security scanner quarterly. We apply fixes to medium- to critical-level vulnerabilities.

How often do you scan for vulnerabilities on your network and applications?

Quarterly.

Do you restrict and monitor your employee access to data 24x7?

Yes.

What were the findings of your most recent security audit?

At this time, we do not utilize a third party security auditor. Annual security audits have revealed no issues.

Can Collaboratory provide a current third-party/independent attestation of information security controls (e.g. SSAE 18, PCI DSS, AOC), or a self-attestation (e.g. HECVAT, CSA CAIQ) on a regular basis?

Collaboratory provides a HECVAT Lite, along with the attestations provided by our SaaS hosting provider, Amazon Web Services. To access Collaboratory's HECVAT Lite, please email info@cecollaboratory.com.

Does Collaboratory agree to respond and cooperate during an information security investigation/assessment, process/record review/audit?

Collaboratory does agree to respond and cooperate with reasonable requests during an information security investigation/assessment, process/record review/audit.

Does Collaboratory provide audit logs?

Yes, Collaboratory does maintain internal audit logs that track user login activity and key user actions within the platform. While these logs are not currently exposed or exportable through the user interface, they are captured for internal monitoring and can be made available upon request for security or compliance reviews.

How do you protect against outside threats?

We regularly monitor CVE (Common Vulnerabilities and Exposures) notices, conduct monthly third-party security scans and penetration testing, and monitor logs. AWS also conducts regular security audits on all its systems where our data and applications are hosted.

Data Privacy + Protection

What measures do you take to ensure data privacy?

Please see our Privacy Policy.

Is it possible for any third party to access data?

We do not allow any incoming connections from third parties and we do not outsource any functions requiring data access to third party providers.

Who at the provider’s premises can see your data and what internal controls does the provider have in place to prevent unauthorized viewing, copying or emailing of customer information?

No direct access to Collaboratory databases is allowed from any internet connections. Access is controlled and limited by secure role-based users and only from private addresses within our virtual private cloud tied to our own applications. Access to the database service itself for maintenance is run through a bastion host only accessed by operations staff. All connections to/from that host are logged and monitored. No physical access to the AWS data centers is permitted.

How do you isolate and safeguard institutional data from other clients?

Each application scopes all database queries to information tied to the current customer logged in. No direct access to Collaboratory databases is allowed from any internet connections, only from private addresses within our virtual private cloud tied to our own applications.

How is data purged?

Data is not purged at this time. Data is saved for historical trend reporting to better serve the institution's understanding of change.

What actions do you take to destroy data after it is released by a customer?

AWS data centers apply the techniques described in DoD 5220.00-M and NIST 800-88. Please see AWS documentation for more information.  All data retention policies are specified in the current copy of the HandsOn Connect Cloud Solutions Security Statement, available upon request.

How often is data backed up?

Data snapshots are taken once a day and stored and then overwritten on a rolling 14-day cycle. After 4 days, weekly backups are available going back to the start of an institution’s license.

How are data backups maintained?

Data daily snapshots and weekly backups are stored on AWS.

Can data be restored?

Yes.

What encryption protocols are used to secure data at rest and data in motion within the product?

For data in motion, we utilize Transport Layer Security (TLS). Additionally, we use SHA2 or SHA256 hashing algorithms for secure hashing of data, and Advanced Encryption Standard (AES) for certificate encryption.  Data at rest is securely encrypted within the Collaboratory database using AES-256 encryption.  Key management is handled through AWS Key Management Service (AWS KMS). This service provides highly secure management of encryption keys, automating key rotation and ensuring that the keys used to encrypt and decrypt data are managed according to best practices in access control, auditing, and compliance.

Are backups encrypted?

Yes. All backups, snapshots, and replicas associated with the database instance are encrypted automatically by AWS. AWS uses the same encryption keys as those used for the database to encrypt backups and snapshots. This ensures data protection and compliance with security best practices across all storage and backup solutions provided by AWS.

What are your disaster recovery strategies?

Our disaster recovery strategies are robust, leveraging containerization technology and advanced cloud capabilities to ensure rapid recovery and resilience. The system utilizes HashiCorp Nomad for container orchestration, operating within the AWS environment. This setup is enhanced by our commitment to Infrastructure as Code (IaC), which is specifically tailored for efficient deployment on AWS.  To maintain the highest level of reliability and preparedness, our IaC configurations are rigorously tested on a daily basis. We achieve this by systematically commissioning our development environments each morning and decommissioning them after office hours. This daily cycle not only tests our disaster recovery processes but also ensures that our team is consistently familiar with initiating full environment deployments swiftly.  Our reliance on IaC, combined with AWS’s robust infrastructure, enables us to restore a fully operational environment from a database backup in under an hour. This capability is crucial for minimizing downtime and maintaining service continuity in the face of potential disruptions.

Compliance

Is Collaboratory ADA compliant?

Yes. Our VPAT can be found HERE.  The evaluation of Collaboratory Release Version was conducted using automated tools (Axe, WAVE, Lighthouse), screen readers (JAWS, NVDA), and a WCAG 2.1/2.2 checklist (Levels A and AA). Testing was performed across multiple browsers (Chrome, Firefox, Safari, Edge) and platforms (Windows, macOS, iOS, Android) to ensure accessibility and conformance with standards.

Is the system and do your policies support FERPA compliance?

Yes. No student identity information is stored in Collaboratory. FERPA is generally geared towards applications interacting with private student information, or third-party integration.

Does your hosting provider have a SAS 70 type II certification or equivalent certification?

Yes.  AWS does. Please see here for more information.

What Data is Collected

Does Collaboratory store/transmit/receive or have access to any credit card information?

No.  Collaboratory does not currently access PCI data and has no plans to add this functionality in the future.

What personal data does Collaboratory collect?

In order to provide secure authentication, we collect a user’s email address, first and last name, and either a securely encrypted password for direct login with Collaboratory or a token of successful authentication with the user’s institution’s SSO system. In order to distinguish authenticated faculty and staff from students, we also capture the user’s relationship to their institution. Optionally, users may also provide the following personal information to populate their profile and account: phone number, title, avatar image, birth year, and sex.

Is sensitive data masked/encrypted such that only authorized individuals have access to the data?

We don’t collect or store confidential or highly sensitive information. We support encryption of data in transit over TLS across the site.

SSO + Authentication

Do you support SSO and if so, which standards?

Yes. Collaboratory embraces Security Assertion Markup Language (SAML 2.0).

How long does it take to set up SSO?

Approximately 2 weeks.

What minimal attributes does Collaboratory request to establish SSO?

In order to reliably identify individuals logging into Collaboratory and assign them appropriate permissions, we request the following attributes:
  • eduPersonPrincipalName
  • Email
  • givenName
  • Surname
  • eduPersonAffiliation
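
A campus IdP administrator can check a test assertion for these five attributes before go-live. The following is an added example, not Collaboratory's code: the urn:oid names are the standard eduPerson/LDAP identifiers, while reading "Email" as mail and "Surname" as sn, the sample assertion, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Page label -> (urn:oid Name, FriendlyName). The OIDs are the standard
# eduPerson/LDAP identifiers; reading "Email" as mail and "Surname" as sn
# is an assumption.
REQUIRED = {
    "eduPersonPrincipalName": ("urn:oid:1.3.6.1.4.1.5923.1.1.1.6", "eduPersonPrincipalName"),
    "Email": ("urn:oid:0.9.2342.19200300.100.1.3", "mail"),
    "givenName": ("urn:oid:2.5.4.42", "givenName"),
    "Surname": ("urn:oid:2.5.4.4", "sn"),
    "eduPersonAffiliation": ("urn:oid:1.3.6.1.4.1.5923.1.1.1.1", "eduPersonAffiliation"),
}
RELATIONSHIPS = {"faculty", "staff", "student"}  # relationships named on the page

# Constructed test assertion: no Surname, and one affiliation value ("member")
# that is not one of the three relationships. Parse only trusted test data
# this way; production assertions go through a SAML library that verifies
# the signature first.
SAMPLE_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
   <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
   <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
   <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
   <saml:AttributeValue>member</saml:AttributeValue>
   <saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_attributes(assertion_xml):
    """Return {Name or FriendlyName: [non-empty values]} for every released attribute."""
    root = ET.fromstring(assertion_xml.strip())
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        values = [v for v in values if v]
        for key in {attr.get("Name"), attr.get("FriendlyName")} - {None}:
            found.setdefault(key, []).extend(values)
    return found


def check_release(assertion_xml):
    """Report which requested attributes are absent or empty, and the usable relationships."""
    found = extract_attributes(assertion_xml)
    missing = [label for label, (oid, friendly) in REQUIRED.items()
               if not (found.get(oid) or found.get(friendly))]
    oid, friendly = REQUIRED["eduPersonAffiliation"]
    affiliations = found.get(oid) or found.get(friendly) or []
    relationships = sorted({a.lower() for a in affiliations} & RELATIONSHIPS)
    return {"missing": missing, "relationships": relationships}


if __name__ == "__main__":
    print(check_release(SAMPLE_ASSERTION))
```
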

Is Collaboratory a member of the InCommon Federation to assist with SSO setup?

Yes.

Do you support account lockout when login credentials are entered incorrectly?

Not for users logging in with Collaboratory authentication credentials. However, if your institution is using SSO, then account lockout is controlled by the institution that handles authentication.

How are community partner / non-SSO passwords protected?

We use a Scrypt-based hashing algorithm, 128 byte random salt, and implement user password reset methods. Community partners do not log into or create accounts on Collaboratory.

Does Collaboratory support multi-factor authentication (MFA)?

SSO implementations incorporate the institution’s MFA protocols. Collaboratory does not currently support MFA for native authentication (although it should be noted that most Collaboratory implementations utilize SSO authentication).

What are the password strength parameters?

Collaboratory uses SSO for most customer implementations and therefore does not store passwords locally in most instances. For institutions that use Collaboratory’s native authentication protocols, we use an SCrypt-based hashing algorithm, 128 byte random salt, and implement user password reset methods. Community partners do not log into or create accounts on Collaboratory.
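
The scrypt-with-128-byte-salt scheme described in the two password answers above can be sketched as follows. This is an added example, not Collaboratory's implementation: only the algorithm and salt size come from the page, while the cost parameters, key length, record format, and function names are assumptions.

```python
import base64
import hashlib
import hmac
import os

SALT_BYTES = 128                 # salt size stated on the page
N, R, P = 2**14, 8, 1            # assumed cost parameters (not given on the page)
DKLEN = 64                       # assumed derived-key length
MAXMEM = 64 * 1024 * 1024        # cap memory so a tampered record cannot force huge allocations


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password):
    """Return a self-describing record: scrypt$N$r$p$salt_b64$key_b64."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=N, r=R, p=P, maxmem=MAXMEM, dklen=DKLEN)
    return f"scrypt${N}${R}${P}${_b64(salt)}${_b64(key)}"


def verify_password(password, record):
    """Recompute with the parameters stored in the record; compare in constant time."""
    try:
        scheme, n, r, p, salt_b64, key_b64 = record.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                             n=int(n), r=int(r), p=int(p),
                             maxmem=MAXMEM, dklen=len(expected))
    except (ValueError, TypeError, OverflowError):
        return False  # malformed record or out-of-range parameters
    return hmac.compare_digest(key, expected)


def needs_rehash(record):
    """True when a stored record uses weaker parameters than the current ones."""
    try:
        scheme, n, r, p, _salt, _key = record.split("$")
        return scheme != "scrypt" or int(n) < N or int(r) < R or int(p) < P
    except ValueError:
        return True


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec[:40] + "...", verify_password("correct horse battery staple", rec))
```

Storing the parameters with each hash lets the cost be raised later: records that `needs_rehash` flags are re-hashed at the user's next successful login.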

Communications

What is your procedure for handling a data breach and how will the customer be notified?

We employ intrusion prevention methods on all externally-reachable application instances as well as monitoring of our bastion host. We test for vulnerabilities through penetration testing, and are in the process of implementing Snort for intrusion detection. We maintain security contact information for each customer, and customers will be notified as soon as practicable following any data breach, if one should occur. We maintain a Security Incident Response Team (SIRP) that mobilizes in response to detected or reported incidents and meets regularly to maintain coordination and process familiarity.

Is the institutional member notified of hardware failures, configuration errors, or compromises?

All critical events in the system that compromise availability or security from a customer perspective are communicated through our customer success department (via email).

In case of a database failure, what point in time can you restore the application’s data and how long will it take?

All databases are backed up completely each night. Restoration takes approximately 20 minutes.

Does Collaboratory send emails on behalf of the institution?

All emails sent by Collaboratory are explicitly from Collaboratory (support@cecollaboratory.com) and never on behalf of the institution.  The Collaboratory Help Center outlines all emails that users may receive from Collaboratory.

What is the maximum number of emails per day that Collaboratory would send to users?

There is currently no maximum number of emails set by Collaboratory. The number of sent emails is dependent on how frequently the system is used at an institution.

Will Collaboratory generate email from a specific IP address or set of IP addresses?

The specific IP numbers and domains used by Collaboratory include the following. They were confirmed on 9/2020:

  • 54.240.35.1
  • 54.240.35.2
  • 54.240.35.3

Do Collaboratory domains have applicable SPF and DKIM records in place to send authenticated email?

Yes, SPF and DKIM records are in place.

Can Collaboratory send email via authenticated SMTP?

No.

API, Integrations, + AI

Do you offer third party integrations?

Collaboratory offers inbound and outbound APIs that allow you to integrate with most external systems.  While we currently don’t offer many pre-built native integrations, our APIs provide full flexibility for custom integrations.  You can learn more about Collaboratory’s inbound API here and Collaboratory's outbound API here.

Does Collaboratory integrate with, link to, or access a payment gateway?

No.  Collaboratory does not currently integrate with, link to, or access a payment gateway and has no plans to in the future.

Does Collaboratory offer an outgoing, public API?

Yes.  Collaboratory supports a GraphQL API that enables institutions to integrate data directly from their Collaboratory portal into other institutional systems in real time.  Read more about Collaboratory's outbound API here.

Does Collaboratory support inbound data feeds from other campus systems?

Yes. Collaboratory offers an inbound API integration that allows campus systems (for example, your SIS, LMS, HR system, or an existing engagement database) to securely send data into Collaboratory on an ongoing basis. Campuses typically use this to keep foundational information current, such as units, courses/sections, member records (faculty, staff, and students), partner organizations, and activities, so that engagement professionals can focus more on using the data and less on re-entering it. Inbound API setup is coordinated with your campus IT contact and the relevant data owners, and Collaboratory’s team provides guidance through testing, validation, and go-live. You can learn more about Collaboratory’s inbound API here.

Does Collaboratory provide a sandbox or test environment for institutions?

Yes.

Is AI integrated into Collaboratory?

Yes. Collaboratory offers a suite of AI-powered features to streamline data entry, simplify reporting, and support data-informed decision-making.  Current features include SmartFill (extracts data from URLs to draft activities) and SmartSort (categorizes activities as community engagement or public service).  Additional tools, such as SmartFind and SmartReport, are in development.  Read more about Collaboratory's approach to AI here.
