Technical FAQ

What level of health monitoring is provided to customers (e.g. real-time thresholds and alerts, online health dashboard)?
Current monitoring stack including real time tresholds, alerts and online health dashboards is done in Prosple’s New Relic platform and not accessible to customers. Some basic alarms can be configured to clients on request (such as uptime monitors). A status page is provided via Prosple Status.

Do you provide usage and data tracking tools?

Yes, we provide access to a Google Analytics dashboard for the directory provided to the partner.

Can the solution be scaled (horizontally / vertically) in an automated rapid manner?

Yes, we have multizone availability and autoscaling. Our platform supports both vertical and horizontal scaling. The API used to power the websites has extremely robust caching layers and sits behind a CDN with a mitigation of average 80% load.

Is there a performance-monitoring service that supports customer-defined monitoring metrics?

Currently not supported, all monitoring provided is uniform across all clients.

Are service interfaces and management consoles resilient to local infrastructure failures?

All our services are spread across three availability zones to mitigate risk of local infrastructure failures.

Do you support customer-defined real-time thresholds and alerts (e.g. e-mail, SMS)?

For partners we only support this for uptime monitoring.

Do you perform change management logging with six or more months of history?

We have change management logs with minimum 12 months. All changes in the codebase are tracked and traceable via version control, product management changes logged in our Jira instance and all Infrastructure changes are audit trailed in a specific read only AWS account for specific audit purposes.

Is there a performance-monitoring service that supports predefined action events?

Yes, we currently use both New Relic for application monitoring as well as Cloudwatch for infrastructure monitoring.

Prosple isn’t ISO27001 certified, however all our infrastructure (AWS) and our Identity Management service (Auth0) are.

Are you ISO22301 (Business Continuity Management) certified? If yes, please provide a copy of the certification, scope, statement of applicability and any outstanding improvement plans.

Prosple isn’t ISO22301 certified at this point.

Within the context of processing Financial Information, do you have a Third Party Message (TPM)? If yes, please provide a copy to the TPM and accompanying audit framework.

We do not process any financial information through our systems.

Are you PCI-DSS compliant? If so, please provide a valid PCI-DSS attestation of compliance.

Prosple isn’t PCI-DSS certified, however all our infrastructure (AWS) and our Identity Management service (Auth0) are.

Are you ISO27001-270017 (Cloud Security) certified? If yes, please provide a copy of the certification, scope, statement of applicability and any outstanding improvement plans.

Prosple isn’t ISO27001-270017 certified at this point.

Are you ISO27001-270018 (Cloud Privacy) certified? If yes, please provide a copy of the certification, scope, statement of applicability and any outstanding improvement plans.

Prosple isn’t ISO27001-270018 certified at this point.

Do you have a data breach disclosure/notification process? If yes, please provide a copy.

We will report any unlawful data breach of this website’s database or the database(s) of our third-party data processors to any and all relevant persons and authorities within 72 hours of the breach if it is reasonably apparent that personal information stored in an identifiable manner has been accessed. Should you have any complaint about a breach, or the way in which we will handle a breach, please .

Are you HIPAA compliant? If so, please provide relevant documentation.

Prosple isn’t HIPAA certified, however all our infrastructure (AWS) and our Identity Management service (Auth0) are.

Do you have published employee (and supplier) screening and hiring practices for employee’s who may have access to Customer data and user information?

Prosple takes the utmost care with both employee and supplier screening and hiring practices, however we do not currently have these publicly published.

Do you provide customer-configurable Data Loss Prevention capabilities (e.g. preventing storage and dissemination of specific data attributes)?

We currently do not have any specialised data loss prevention capabilities.

Do you conduct regular application layer vulnerability scans?

Yes.

Do you conduct regular network and operating system penetration tests?

Yes.

Do you have intrusion prevention and detection capabilities?

Prosple can detect anomalies and stop malicious attempts to access your application. Anomaly detection can alert you and your users of suspicious activity, as well as block further login attempts. This functionality is available as a paid addon and not available in lower tiers that don’t involve authentication.

Do you perform proactive auditing and notification of incidents of inappropriate management activity?

Yes and should any inappropriate management activity be detected notification of the incident will be reported within 72h to the affected parties.

Do you provide support for data encryption, both at rest and in transit? If so, what standards do you adhere to?

Yes, measures include TLS for data in transit and encrypted storage for data at rest (further explained above in this document).

When encryption is used, who owns and manages the related encryption keys?

Prosple.

Do you offer investigation support in the event of a data breach or compromise that relates to customer users or data?

Yes, Prosple can assist within its capacity in the event of a data branch of compromise.

What level of Information Security reporting, as it relates to privacy controls and business continuity, do you provide?

We currently do not provide this level of reporting.

Is Information Security reporting a standard inclusion within any Service Management reports provided to the customer? If so, what reporting is provided and at what frequency?

Information Security reporting is currently not a standard inclusion.

Are there multitenant controls for separation of users/data within the service?

Yes.

Can user activity audit logs be made available to customers? If so, what mechanisms are supported (e.g. can logs be sent to an external SIEM solution such as Splunk)?

We have comprehensive logging and auditing as part of our platform (all stored in Cloudwatch) however, user activity auditing is currently only supported for editors, administrators, hence not made available to customers.

We maintain complete snapshots of all our applications on a daily basis. Our edge caching system also provides availability of stale data when there are issues at the origin. We currently have as part of our roadmap plans to incorporate multi-availability for higher availability.

Can you provide a data eradication guarantee?

We currently do not provide a data eradication guarantee but the platform is highly resilient to data destruction having all our data replicated across several availability zones, on top of which we have regular backups.

What level of database and/or data backups do you perform?

We maintain complete snapshots of all our applications on a daily basis.

Are the backups saved to a geographically separate locations? If so, how many and where?

No, currently only one location is supported.

Do you offer a data archiving option? If so, what?

We have data archiving for our platform, but it doesn’t really apply to customer data as we don’t store any in our platform.

What is the defined SLA regarding recovering data from backup?

There is no SLA for this as we don’t store any customer data.

Do you adhere to DoD 5220.22-M or NITS SPA 800-88 for data sanitisation on retirement of storage devices?

Currently not.

Do you have defined storage limits? If yes, can they be surpassed without impacting service delivery if required?

As far as data uploaded by the users, there is no storage limit.

Where are your data centers located?

Sydney. However, with multi-availability zones in our roadmap we will likely introduce new locations.

Is there support for bulk data import and export / extraction to / from service(s) in a non-proprietary format?

There is, but we do not provide a customer interface for this. Depending on the use case this can be provided on demand.

Can customers choose the data centre(s) based on location?

No.

The only uptime SLA we currently have is provided by our infrastructure and is 99.5%.

Does downtime calculation start immediately when service is unavailable or degraded?

Yes, but only at the infrastructure level.

Is scheduled maintenance limited and communicated in advance?

Only when it involves significant user impact (e.g anything longer than 5-10mins).

What is the defined SLA that protects customers against data loss and data integrity issues?

We do not store any customer data.

What is the defined SLA for Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for the service(s)?

We do not have a designated SLA for this, however, we aim for an RPO of 2h and RTO of 1h. This however only applies for Prosple content as there is no impact on any customer data.

What is the notification window for customer to submit SLA breach claims?

We do not currently provide any SLAs.

Do the ownership rights to data, inputs and outputs remain with the customer?

As we don’t store any customer data, all data is either owned by Prosple or the student.

Do you offer publicly accessible and downloadable terms of service?

Yes.

What level of compliance with WCAG 2.0 do you meet and which assistive technology do you test your service with?

No WCAG 2.0 compliance is currently enforced.

If selected, are you willing to undergo an independent accessibility audit?

Yes.