Internet Explorer doesn’t work well with our website. We recommend using a different browser like Google Chrome.

Thinkific Overview

Thinkific is an online technology platform for course creators that gives them the ability to build, market, sell and deliver their products while requiring no specialized technical expertise. Thinkific cares deeply about protecting the privacy and security of our course creators, their learners, and their learning environment.

Where is Thinkific hosted?

Thinkific’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes the Amazon Web Service (AWS) technology as well as the Google Cloud Platform (GCP) technology. Both Amazon and Google continually manage risk and undergo recurring assessments to ensure compliance with industry standards as seen here and here, respectively. Amazon’s data center operations have been accredited under:

ISO 27001
SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
PCI Level 1
FISMA Moderate
Sarbanes-Oxley (SOX)

Specifically, Thinkific hosts our application within the US-East-1 data centres of AWS.

How does Thinkific manage data security?

At Thinkific, data security is governed by a set of policies. This includes, among many others our:
– Data Classification and Handling Policy; and
– Privacy Policy

Thinkific has a data classification and handling policy that ensures data is stored, handled, and destroyed safely. Thinkific also has a documented, approved and communicated privacy program responsible for the protection of data which can be reviewed here: https://www.thinkific.com/privacy-policy/. Thinkific’s policies ensure that we only collect the personal information required in order to provide our services.

Encryption

By default, Thinkific encrypts all data leaving the environment using secure cryptographic algorithms over TLS 1.2 connections and all customer data at rest hosted in Thinkific’s platform environment is encrypted according to Thinkific’s encryption standard. Though we do not control encryption on non-company owned devices, our data access policy mandates that only those individuals that need to have access to the environment should have access.

Thinkific’s data modification logging policy requires all data modifications to be logged, which helps Thinkific ensure that no data is changed without appropriate authorization.

Logical and Technical Controls

Thinkific is a multi-tenant SaaS application, and relies on logical separation of customer data in data stores. Logical separation of data is enforced by technical controls at both the infrastructure, application, and administrative levels. Logical controls are tested regularly in accordance with Thinkific’s Software Development Life Cycle (SDLC). Thinkific’s database is not physically segregated by customer, but rather logically separated and includes checks both on backend queries and frontend display to ensure no customers can access other customer’s data. Resiliency, Redundancy and Disaster Recovery We have provisioned the data storage as a Multi-AZ database where its data is synchronously replicated to a standby instance in a different Availability Zone (AZ) for failover purposes. It is also SSD-backed optimized for high-performance applications. Additionally, Thinkific conducts daily backups of the entire database, no matter the classification of the data. Because we leverage infrastructure as code, all our backup policies are documented as code, within our source code. Thinkific reviews backup logs periodically and in an ad-hoc manner.

Does Thinkific have a secure development and implementation process?

Thinkific’s secure software development lifecycle aligns with OWASP best practices.

Such best practices include that all code changes require peer-review and testing (both manual and automated) prior to promotion to production. No single individual may request and implement changes without review from several other individuals and all changes are logged and tracked.

All development and testing environments are segregated from production and live production data is not used in testing. Additionally, our policies require that all developers complete a training course detailing secure development practices.

How does Thinkific manage identity, credentials, and access management?

All internal access to data is granted based on roles and business requirements, as determined by Thinkific. There is a team of individuals that approve, grant and remove access to ensure correct access is provided and there is a policy in place to review access rights on a regular basis.

Thinkific provides its customers with a Single Sign-On mechanism that allows you to use your own system of record for students.

What vulnerability management does Thinkific have?

We use different types of vulnerability tests on our tech stack. Our internal Security team performs ad-hoc security testing. If you would like to report a vulnerability or have a security concern regarding Thinkific, please email security@thinkific.com. All vulnerabilities received by our team are reviewed and prioritized based on severity. For all other security inquiries, please contact us at info@thinkific.com.

Additionally, if you are a Plus customer, we are able to facilitate you running a penetration test on our platform. Please reach out to us at technicalsupport@thinkific.com for more information.

What about Thinkfic Employees?

Thinkific conducts very thorough screening of every candidate that wants to become a Thinkific employee. In-depth interviews, take-home assignments, and reference checks are conducted prior to new employees joining Thinkific. While Thinkific does not currently require that all employees and contractors undergo background checks, in all roles where more formal background checks are beneficial or reasonably required, we perform criminal record and other relevant background checks.

All employees and contractors are required to sign confidentiality agreements prior to beginning work for Thinkific.

How does Thinkific protect physical security?

Access to Thinkific’s head office is restricted to those with access card permissions. Thinkific’s head office is in a building that employs security guards, and Thinkific requires that all visitors identify themselves and are provided an escort during their visit of the office. Thinkific’s staff has been distributed since March 2020, but any visitors to our offices are logged and those logs are maintained for at least 3 months.

Thinkific does not maintain any physical servers in its offices; our system is hosted on AWS, Google, and GCP (Infrastructure as a Service). Both Amazon and Google have controls in place for physical 3 security. Please see: https://aws.amazon.com/compliance/data-center/controls/ and https://cloud.google.com/security/infrastructure for more information.

How does Thinkific ensure service continuity?

Thinkific’s services are fully operating in the cloud and are highly available; the platform’s architecture takes into consideration single points of failures. Thinkific has 24/7 support for our Plus customers. Any incidents are reported on our status page, where you can also review any historical incidents. You can subscribe to email updates from this page if you wish.

Thinkific has a robust incident response process with a rotating incident response team where each member has a clearly understood and identified role. We sometimes test our incident response plan with fake incidents to ensure that our processes are up to date and timely.

Thinkific is working on its business continuity plan, which would include periodic Business Impact Analysis.

How does Thinkific ensure secure acquisition?

As per Thinkific’s policy, we review the security safeguards provided by each third-party provider before entering into agreements with them. Additionally, all agreements are reviewed by our legal team. Thinkific also has a process by which ad hoc repeat reviews are completed as needed.

What are the current security operations?

Thinkific has automated monitoring and alerting on all key pieces of the application. This monitoring and alerting is 24/7 and triggers our incident response process mentioned above. Our incident response process goes through the 6 steps of identification, containment, investigation, eradication, recovery and follow-up. Network vulnerability scans are completed bi-weeky.

What are my responsibilities?

As a customer you are responsible to adhere to the Terms of Service including the Account Terms outlined in section 1, and General Conditions outlined in section 3.