Data Security Policy

Data Center Security

  • CourseArc is hosted on Amazon AWS, where many measures are in place to protect security
  • Physical access to data site is highly restricted, logged, and monitored
  • Multi-factor authentication is required to enter data center

Protection from Data Loss

  • CourseArc performs twice daily data backups to a data site in a separate region
  • Disaster Recovery exercises are carried out quarterly
  • Each client has a segregated database to prevent corruption and overlap

Application Level Security

  • User account passwords are hashed and require lowercase, uppercase, a number, and special character
  • All application requests are encrypted using TLS
  • All data is encrypted at rest
  • We perform weekly OWASP testing

Internal IT Security & Policies

  • All employees and contractors are required to undergo a background check
  • All employees and contractors with access to sensitive data are required to complete security and FERPA training annually
  • Access to sensitive data is limited on an as-needed basis. Employees and contractors are prohibited from downloading sensitive data unless it is related to a client request, and they are trained on how to encrypt such data

SOC Compliance

  • CourseArc undergoes an external SOC 2 Type 2 audit annually

Responsible Disclosure

If you discover a vulnerability in the CourseArc application, please contact which will ensure that the Data Breach Response Team is notified and is investigated thoroughly.

Data Breach Notification

If we have reason to believe that an unauthorized party has gained access to any unencrypted data that is not publicly available information, we will send out a notification of the breach. We will contact the client’s designated main point of contact(s) via phone and email within 48 hours.

If you have any questions about data security or our data breach policy please contact us by email at

Last Updated: April 14, 2022