Thinkific Security

Thinkific’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes the Amazon Web Service (AWS) technology as well as the Google Cloud Platform (GCP) technology. Both Amazon and Google continually manage risk and undergo recurring assessments to ensure compliance with industry standards as seen here and here, respectively. Thinkific hosts customer and learner data in the United States.

• Thinkific adheres to the principles of least privilege and role-based permissions when provisioning access; employees are only authorized to access data that they reasonably must handle in order to fulfill their current job responsibilities.
• Thinkific utilizes multi-factor authentication for employee access to internal systems. VPN multi-factor and SSH are required for accessing the Thinkific Hosted environments.
• Thinkific employees are required to use an approved password manager.

Thinkific Course Creators can now also add an additional layer of security in protecting their course site by implementing multi-factor authentication, reducing the risk of unauthorized access to their site, protecting their intellectual property, user information, and payment collection method.

• Thinkific encrypts data using secure cryptographic algorithms.
• All data in transit is encrypted using TLS 1.2 or greater.
• Thinkific leverages AES-256 encryption for data at rest.
• Key management is in place for all Thinkific encryption keys

• Employee endpoints are configured to comply with Thinkific security standards.
• These standards require all endpoints to be properly configured, updated, and utilize up-to-date Endpoint Protection software, that endpoints employ encryption at rest, have strong complex passwords, and lock when idle.

• Thinkific segments its platform layers into separate networks with restrictive access between layers to protect customer data.
• Thinkific utilizes separate hosting environments for Staging, Development, and Production.
• Thinkific hardens its endpoints and services according to industry-standard CIS benchmarks.
• Network access to Thinkific's hosting environment is restricted with only load balancers accessible from the Public Internet.
• Thinkific logs, monitors, and audits all system events, and has alerting in place for events that indicate a potential intrusion or exfiltration attempt.

• Thinkific uses an industry-leading Security Information and Event Management (SIEM) solution to collect, aggregate, and correlate millions of system events a day across Thinkific's hosting environments to provide Security and DevOps teams with real-time insight into potential security events.
• Administrative access, use of privileged commands, and system events on all endpoints in Thinkific hosting environments are logged and monitored.
• Analysis of logs is automated to detect potential issues and alert the Security and DevOps teams.

• Thinkific tests all code for security vulnerabilities before release and regularly scans its network and systems for vulnerabilities.
• Thinkific engages a third party service to conduct application and infrastructure penetration tests on a quarterly basis.
• Results of these tests are prioritized and remediated in a timely manner and shared with senior management.

At Thinkific we take cybersecurity seriously and value the contributions of the security community at large.

The responsible disclosure of potential issues helps us ensure the security and privacy of our course creators, students, and our data.

If you believe you've found a security issue in one of our products, please email security@thinkific.com and include the following details with your report:

• A description of the issue and where it is located.
• A description of the steps required to reproduce the issue.

Please note that this should not be construed as encouragement or permission to perform any of the following activities:

• Hack, penetrate, or otherwise attempt to gain unauthorized access to Thinkific applications, systems, or data in violation of applicable law;
• Download, copy, disclose or use any proprietary or confidential Thinkific data, including customer data;
• Adversely impact Thinkific or the operation of Thinkific applications or systems.
• Thinkific does not waive any rights or claims with respect to such activities.

Thank you for helping us keep Thinkific course creators, students, and our data safe.

All vulnerabilities received by our team are reviewed and prioritized based on severity. For all other security inquiries, please contact us at info@thinkific.com.

• Thinkific's secure software development life cycle aligns with OWASP best practices.
• All code changes require peer-review and testing (both manual and automated) prior to promotion to production. No single individual may request and implement changes without a review from several other individuals and all changes are logged and tracked.
• All developers are required to complete training on secure development practices.

• Thinkific has a security awareness program that serves to ensure employees understand the importance of security and its intersection with their workday.
• New employees and contractors are required to take security training and training completion is audited throughout the year.
• Thinkific employees are required to read and adhere to Thinkific's IT and Security policies.
• Thinkific's physical office has a number of security controls in place including access control, remote monitoring, CCTV, and intrusion detection.
• The Information Security team leverages several security threat intelligence sources to keep up to speed on the latest and emerging security threats. This information is disseminated through regular security awareness campaigns to help ensure that Thinkific employees are aware of these threats and what to do in the event that they encounter them.

Our platform is designed to be highly available with minimal downtime. Thinkific uses both automated and manual tools to monitor the availability of our services.

Impacts to the reliability of our platform are promptly reported on our real-time status page. You can review Thinkific's historical uptime on our status page too.

• Thinkific utilizes services deployed by its hosting provider AWS to distribute production operations across separate availability zones. These distributed zones protect Thinkfic's platform from network, power, infrastructure and other common location-specific failures.
• Thinkific performs daily backups and replication of its databases across distributed zones and supports restore capability to protect the availability of Thinkific's platform in the event of a site disaster affecting any of these locations.
• Full backups are saved at least once per day and transactions are saved continuously.
• Thinkific tests backup and restore capabilities periodically to ensure successful disaster recovery.

• Thinkific has established policies and procedures for responding to security incidents.
• All security incidents are managed by Thinkific's Security Incident Response Team. The policies define the types of events that must be managed via the incident response process and classify them based on severity.
• In the event of an incident, affected customers will be informed via email. Incident response procedures are tested and updated at least annually.

Thinkific's data privacy controls are designed to honor our obligations around how we collect, process, use and share personal data, as well as our processes to support data retention and disclosure in compliance with applicable privacy laws. Thinkific collects and uses personal data in accordance with our Privacy Policy, and offers our course creators a Data Processing Addendum and CCPA Service Provider Addendum that complies with the GDPR and CCPA.

• Thinkific's platform complies with the GDPR and CCPA and provides a high level of protection for course creator and learner personal data. This includes only collecting, processing, and storing customer data in compliance with these obligations and providing you the right to access or delete it at any time.
• Thinkific has implemented policies that provide controls for deleting customer data when it is no longer needed for a legitimate business purpose.
• Thinkific uses cookies only in accordance with our Cookies Policy.
• Thinkific also requires our data processing vendors to certify the use of customer data for no other purposes than the provision of services.

• As a customer, you can request data deletion at any time during the subscription period. Thinkific can honor requests for erasure, access, and rectification so that our course creators can comply with the GDPR.
• Thinkific's hosting providers maintain industry standard security practices for ensuring the permanent removal of data from storage media.

• Thinkific only shares customer data with third parties that contractually agree to protect the confidentiality and privacy of the data.
• Thinkific has established agreements that require subprocessors to adhere to confidentiality commitments and take appropriate steps to ensure our security posture is maintained. Thinkific only exports personal data outside of the EEA in compliance with the GDPR, including by transferring personal data to subprocessors on the basis of the updated Standard Contractual Clauses where required.
• Thinkific monitors these sub-processing vendors by conducting reviews of their controls before use and at least annually.

Thinkific securely processes credit card information in accordance with PCI-DSS standards. Thinkific does not access or store any credit card information. Instead, we have partnered with Stripe to securely handle credit card information. You can learn more about Stripe's security here.

• SSO OpenID connects your Identity Provider with Thinkific Plus. This allows your users to securely login to your site through your platform or a third party (such as Google, Facebook, etc) with one set of credentials which increases security.
• OpenID Connect is a popular SSO standard and is supported by a number of common identity providers, including: Okta, ActiveDirectory AWS, Cognito, Auth0, JumpCloud.
• SSO helps with regulatory compliance by showing data access and antivirus protection.
• Using custom SSO? Add an extra layer of security to your Thinkific site by setting up safe-listed domains.

• Thinkific Plus includes our Support and Service Level Agreement, which details our commitment to providing you with comprehensive support.
• Sleep well knowing that we will work around the clock to ensure that mission critical components of the Plus Services are available at least 99.5% of the time.
• Ensure all your security needs are met with the ability to go through a security review before purchasing.

Thinkific’s information security practices, policies, procedures, and operations meet the SOC2 standards for security.