Please note that this is not a comprehensive list but a quick guide to frequently asked questions about Thinkific's security practices and protocols. If you have more specific questions or require additional information, please get in touch with our Technical Support team at technicalsupport@thinkific.com.
In this article:
- Does Thinkific store, access, or transmit Personally Identifiable Information (PII) or Protected Health Information (PHI)?
- Does Thinkific store, access, or transmit credit card information? Are you compliant with Payment Card Industry (PCI) standards?
- Does Thinkific have a written security and privacy program that is actively implemented?
- Does Thinkific have an incident management program to identify, monitor, resolve, and document security incidents?
- Does Thinkific have any security framework certifications such as NIST, ISO, PIPEDA, SOC 2, or other industry recognized security frameworks or standards?
- What is Thinkific's Recovery Point Objective (RPO) & Recovery Time Objective (RTO)?
- Where is Thinkific information and data being stored and accessed?
- Do you conduct external penetration tests? Can you share penetration test results with us?
- Can we run our own penetration test on our Thinkific site?
- How is data secured in transit and at rest?
- Where are the Thinkific servers hosted?
- Have you examined your platform against the OWASP Top 10 Most Critical Web Application Security Risks?
Does Thinkific store, access, or transmit Personally Identifiable Information (PII) or Protected Health Information (PHI)?
No. By default, we only require a first and last name and an email address to create a user account.
Does Thinkific store, access, or transmit credit card information? Are you compliant with Payment Card Industry (PCI) standards?
No, we do not process any payments through Thinkific; we use external payment processors instead. All payment processing is done through the payment processor of your choice.
Our direct payment processing integrations, Stripe and PayPal, are both PCI Level 1 compliant.
Does Thinkific have a written security and privacy program that is actively implemented?
Our security and privacy policies and procedures can be found in the following links:
We don't currently have a written security program that can be shared, but our team takes every security report seriously; each incident is reviewed as soon as possible and prioritized for appropriate action if required.
Does Thinkific have an incident management program to identify, monitor, resolve, and document security incidents?
Yes, our Support and Engineering teams are trained to report, review, and monitor any possible incidents on the platform. We also have automated monitoring to ensure the availability and performance of the service through:
- Load balanced application servers
- Near real-time application performance and availability monitoring
Does Thinkific have any security framework certifications such as NIST, ISO, PIPEDA, SOC 2, or other industry recognized security frameworks or standards?
No. These certifications are industry specific and may not be the most applicable to Thinkific and our customers' use cases. If you have any specific questions or concerns, please send them directly to our Technical Support team at technicalsupport@thinkific.com.
What is Thinkific's Recovery Point Objective (RPO) & Recovery Time Objective (RTO)?
We do not have a formal RTO or RPO; however, we do monitor the application and make every attempt to ensure that, in the case of a failure, we recover as quickly as possible. You can review live updates and the historical status of our platform at status.thinkific.com.
Where is Thinkific information and data being stored and accessed?
All our information is stored in secure databases hosted on the AWS cloud platform, which run on the same highly reliable infrastructure used by other Amazon Web Services.
Although the databases are currently housed within the US, the database servers are not accessible from outside our AWS security network. Access to the databases is only made available to our application servers hosted within the same secured AWS network and to a very limited number of Thinkific technical employees for support purposes.
The stored data itself is not encrypted; security is provided mainly through restricted access.
For more information on AWS's data privacy, please see here.
Do you conduct external penetration tests? Can you share penetration test results with us?
We do not have any penetration test results that we can share publicly.
Can we run our own penetration test on our Thinkific site?
If you would like to complete your own penetration test, you must contact our team before running the test so that we can best assist you. Please reach out to us at technicalsupport@thinkific.com if you are planning to conduct a penetration test.
How is data secured in transit and at rest?
All data is secured in transit via TLS 1.2 over internal and external networks when SSL is enabled on your site. Data is not encrypted at rest.
Where are the Thinkific servers hosted?
Our servers are hosted in the eastern USA, through Amazon Web Services (AWS).
Have you examined your platform against the OWASP Top 10 Most Critical Web Application Security Risks?
Yes, we have reviewed the OWASP Top 10 and, while we have not been formally assessed against it, we can confirm that we follow industry best practices to ensure that all elements of the Top 10 have been addressed.
If you have any specific concerns about an item on the list, please reach out to our team and we can provide more information.