Privacy and Non-disclosure Policy
Concerning non-disclosure and protection of intellectual property rights:
Each client and Chalk & Wire Learning Assessment Inc. affirms and will take appropriate steps to protect the intellectual property rights of the other. Specifically, the institution retains all intellectual property rights in all information, materials, and intellectual property, including but not limited to courses and materials, provided by the user or institution to Chalk & Wire, and Chalk & Wire retains all intellectual property rights in the ePortfolio2 system, including ePortfolio2™ software and hardware and computer code.
The user or institution (its employees and/or relatives thereof) acknowledges the proprietary rights of Chalk & Wire regarding the research and development of Chalk & Wire software tools. Officials of the institution or its designees, may discuss and access products for the purposes of testing and providing feedback to Chalk & Wire about new features and enhancement. They are prohibited from revealing the work of Chalk & Wire software research and development in any manner with any entity that might reasonably be expected to develop similar software for either commercial or non-commercial purposes.
FERPA/PIPEDA/The Privacy Act & other prevailing privacy legislation
Chalk & Wire understands that the institution is subject to either FERPA (USA- Family Educational Rights and Privacy Act), or PIPEDA (Canada- Personal Information Protection and Electronic Documents Act, and The Privacy Act), or The Privacy Act (Australia) or any other prevailing State/Provincial or Federal/national privacy legislation. Chalk & Wire abides by all applicable legal regulations of these Acts in force in the nation wherein the client/institution resides. Specifically, where institutions are concerned , Chalk & Wire is considered an official of the institution as regards the protection of user and institutional data. As an official of the institution, Chalk & Wire must protect the privacy all user data provided by the institution/users and shall not transmit, share, or disclose any data about a end users without their written consent, except to other officials of the institution with a legitimate interest (i.e., the institutional official must seek the information within the context of his/her professionally assigned responsibilities with the institution and the information must be used within the context of official business of the institution).
Rogers Data Centres (International Class 1 ISP/Tier II) and Chalk & Wire Access to data
Rogers Data Centres’ employees cannot access institutional data. They are not granted permission to the file servers’ directories. Permissions are limited to the Chalk & Wire System Administrator account and the individual process accounts for the application (i.e. each institution’s process account only has permissions to its name space on the SAN filer and cannot access other clients’ data). Rogers Data Centres does not have permission to access the database instance. They are responsible for 24/7 monitoring, “remote hand” only. Their user permissions reflect these arrangements.
Chalk & Wire employees' access:
- Lead developer: access to the data in a specific database only if requested to resolve a specific issue with that institution’s installation. The Lead developer does not have direct access to the production environment.
- Senior Database developer:access to the data in a specific database only if requested to resolve a specific issue with that institution’s installation. The Database developer has direct read access to the production environment.
- Director of Client Support & Services:no access to server files structure or backside database, but to assessment data and portfolio data as seen by the institution’s local administrators. Accesses this data only if requested by the client.
- Systems Administrator:access to the production and development environments. Handles code deployment, server patch, server maintenance and backups, and disaster recovery of the environment.
- Chief Technical Officer/Senior Systems Administrator:handles the deployment of code, server patching and disaster recovery. The CTO has full access to the production environment in all respects and is the primary point of contact for all technical inquired exceeding the expertise of Chalk & Wire’s HelpDesk (Live assistance/toll free/text chat, form request) 8AM8PM EST, Monday to Friday. 9AM9PM Saturday and Sunday).
Application and Security Overview
- Chalk and Wire's ePortfolio application is built using Microsoft ASP.NET 4.0.
- Database backend has been designed around the Microsoft SQL 2005 platform.
- File storage options are flexible and allow local disk (includes iSCSI), remote UNC shares, NAS/SAN devices or remote Cloud storage.
- The entire application can be run within a virtualized environment, allowing for flexible and scalable growth.
- The application has been reviewed using IBM App Scan for security vulnerabilities and has successfully passed that process. Tested in 2010 and 2012.
NOTE: Chalk & Wire after version 4.5 no longer supports new client, local hosting. The information below is provided to give the reader an overview of the server farm topography and system protocols.
- Web Servers are IIS 6.0+
- Code Base: ASP.Net 4.0
- Database Server: MS-SQL 2005
- ASP.NET 4.0 Session State database
- File Storage: Local (RAID1/RAID5) or Remote SAN/NAS device
Disaster Recovery DetailsThree components:
- DR of web drones (AAR, web farm framework and web servers): Web servers are simple drones and only host the application file. Having a hot spare(s) available as a VM or server for disaster recovery. Redundant VM’s replicated using Site Recovery manager.
- SQL Server: Nightly backups to SAN (local). Replication is handled through Replistor (migrating to AIMStor) (Many to One) to a HA SQL server backup. Moving to a Site Recovery for all SQL servers once converted to VM’s AIMStor replication of the MDF and LDF files will continue in real time.
File server: file server storage is done using SAN devices. Rsync is used to replicate to the DR SAN in real time
- Replication: Entire Farm is replicated over a pvlan to the Toronto Disaster Recovery location. The application is hosted with our own private cloud services (VMs using host controller) and is replicated to the Toronto site (main application is hosted in Ottawa, Canada/Disaster Recovery is sited at the Rogers Data Centre in Toronto).
MSSQL 2005 replication: EMC Replistor is used to copy the database files over to the redundant failover server in real time using bit level replication.
File Servers replication: Primary SAN Device replicates to failover Disaster Recovery SAN device using native volume level replication (volume mirroring) in real time.
Monthly rotational offsite storage of production data.
Disaster Recovery Testing: Disaster Recovery failover testing performed every 6 months.
Disaster Recovery documentation policies are stored offsite.
NOTE: A Detailed Disaster Recovery Plan can be provided upon request.
- Application isolation:
- Each instance of the application is run under a unique security account. Application pools for each instance isolated by the security account(worker process isolation mode).
- Database permissions are limited to unique process account (i.e. instance A does not have permissions to access instance B database.
- File system permissions limit each instance ACL to their specific namespace.
- Application input sanitized against SQL Injection (re: Object Model).
All servers are hosted in Rogers Data Centres. These are Class A/Tier II Data centers. They are approved annually for use by a Lloyds of London insurance audit as part of Chalk & Wire’s annual insurance application to Lloyds. This data centre was operational during the Northeastern USA/Canada blackout in 2003 with zero downtime.
- Biometric security enforced through an iris scanner. This offers one of the most accurate, noninvasive security measures to ensure only authorized people enter the facility.
- Guarded entrances have security cameras to scan and digitally record the interior and exterior of the facility 24 hours a day.
- Security cameras incorporate lowlight technology to allow clear visibility at night.
UPS systems and a high capacity generator:
- Multiple 650 Kilowatt diesel generators that hold enough fuel for 24 hours of runtime at 100% capacity.
- Generators are housed in a separate secure underground, sound insulated bunker.
- In the event of a power failure, the generator requires only five seconds to start and reach maximum generating capacity.
- All equipment in the Data Centre server room is powered from UPS systems designed with redundant NuWave modular UPS to ensure the equipment continues to operate in the event of a power failure.
The Network Operation Center (NOC):
- Consists of groups of trained experts, who staff the data centre 24 hours a day and are able to identify and fix problems quickly.
- Staff monitor the network and provide support for managed server and firewall services for clients.
- Staff use “remote hands” assistance, including rebooting servers or rotating tapes, and assist clients through the data centre.
- Application alarms are set and inform the NOC and CTO simultaneously.
Redundant Cooling System:
The server room has redundant cooling delivered by Liebert systems. Each unit is fitted with redundant compressors and AC units that are computer controlled to maintain temperature and humidity in the facility.
Fire Suppression System:
- Fire suppression capabilities are executed through FM200 gas that extinguishes fire without water, to ensure no water damage to the IDC’s equipment.
- The backup sprinkler system is installed and operates as a preaction system, keeping pressurized air in the pipes.
- The air is only replaced with water when the pipes reach a high temperature and the smoke detection system determines there is an active fire due to smoke.
General Users' Terms (Rev. 04.11.2015)