Commonly Requested Documents

Listed below are documents for our prospective clients. Please click on the link to get to the item of interest.

Comevo Integration Overview

WCAG VPAT 2.3

Higher Education Community Vendor Assessment Tool (HECVAT)

Security Policy Overview

Written Information Security Program (WISP)

Comevo Integration Overview

Comevo has two integration options: Single Sign On (SSO) and API Integration. This document will provide an overview of what is involved in each option.

Single Sign On – Our Launch™ Online Orientation product offers a SAML2.0 Single Sign On (SSO) Integration. This allows you to use your existing authentication system to sign students in to their online orientation.

To set up SSO, we simply need a copy of your SAML2.0 metadata. Our system supports the following attributes by default: EPPN (Student ID), GivenName (First Name), SN (Last Name), and MAIL (Email Address).

API Integration – Our API can be used for the following purposes: sending a student to orientation, pulling completion information, pulling capture form responses, and pulling navigate placements. Our API uses OAuth2.0 protocol and our API responses are in JSON format.

Comevo’s technical support team is here to answer any questions you have about the API. It is the client’s responsibility to write the code that pulls data from our API and sends it back into your student information system. The two most common API endpoints are the accessKeys endpoint, which is used to send students to orientation, and the attendees endpoint, which is used to pull completion information.

Below is a sample response when obtaining an access key to send a student to orientation. Note that this is an alternative method to Single Sign On.

{
   "jsonapi": {
      "version": "1.0"
   },
   "links": {
      "self": "https://api.comevo.com/v3/launch/modules/1093/accesskeys"
   },
   "data": {
      "type": "accessKeys",
      "id": "077b8180-ebe9-436c-a56f-e60fc7677c4e",
      "attributes": {
         "maxUses": 1,
         "minutesUntilExpires": 15,
         "message": ""
      }
   }
}

The access key 077b8180-ebe9-436c-a56f-e60fc7677c4e then needs to be appended to the end of your Launch™ Online Orientation URL.

Below is a sample response when pulling attendee completion information for a module:

{
   "jsonapi": {
      "version": "1.0"
   },
   "links": {
      "self": "https://api.comevo.com/v3/launch/modules/1093/attendees?start=2019-11-18"
   },
   "data": [
      {
         "type": "attendees",
         "id": "1093.3412926",
         "attributes": {
            "userId": "3412926",
            "organizationIdValue": "123456789",
            "firstName": "Comevo",
            "lastName": "Example",
            "primaryEmail": "",
            "isComplete": true,
            "lastLogin": "2019-11-19T19:46:33.757Z",
            "completionDateTime": "2019-11-19T19:47:04.257Z",
            "expires": null,
            "finalTestQuestionCount": 5,
            "finalTestScore": 5
         }
      },
      {
         "type": "attendees",
         "id": "1093.3412928",
         "attributes": {
            "userId": "3412928",
            "organizationIdValue": "987654321",
            "firstName": "Demo",
            "lastName": "Student",
            "primaryEmail": "",
            "isComplete": true,
            "lastLogin": "2019-11-19T19:47:20.303Z",
            "completionDateTime": "2019-11-19T19:47:40.833Z",
            "expires": null,
            "finalTestQuestionCount": 5,
            "finalTestScore": 4
         }
      }
   ]
}

The data array will contain an attendee object for each user who has taken orientation. The organizationIdValue will be the student ID from your system.
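The two responses above are all a client integration needs to handle. The following added example (written for this page; it is not Comevo’s own client code) parses the accessKeys response, builds the Launch URL with the key only while the key is inside the 15-minute lifetime the response declares, and turns the attendees response into a per-student completion map keyed by organizationIdValue, which is the value a write-back job matches against the student information system. Assumptions not stated on the page: the key is appended as a trailing path segment of the Launch URL, the start= query parameter on the attendees link is used as an incremental date mark for the next pull, and the example.edu base URL and the issue timestamp are placeholders.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, urlunsplit

# Constructed inputs: the page's two sample responses, compacted to one JSON text each.
ACCESS_KEY_RESPONSE = """{"jsonapi": {"version": "1.0"},
 "links": {"self": "https://api.comevo.com/v3/launch/modules/1093/accesskeys"},
 "data": {"type": "accessKeys", "id": "077b8180-ebe9-436c-a56f-e60fc7677c4e",
          "attributes": {"maxUses": 1, "minutesUntilExpires": 15, "message": ""}}}"""

ATTENDEES_RESPONSE = """{"jsonapi": {"version": "1.0"},
 "links": {"self": "https://api.comevo.com/v3/launch/modules/1093/attendees?start=2019-11-18"},
 "data": [
  {"type": "attendees", "id": "1093.3412926", "attributes": {"userId": "3412926",
   "organizationIdValue": "123456789", "firstName": "Comevo", "lastName": "Example",
   "primaryEmail": "", "isComplete": true, "lastLogin": "2019-11-19T19:46:33.757Z",
   "completionDateTime": "2019-11-19T19:47:04.257Z", "expires": null,
   "finalTestQuestionCount": 5, "finalTestScore": 5}},
  {"type": "attendees", "id": "1093.3412928", "attributes": {"userId": "3412928",
   "organizationIdValue": "987654321", "firstName": "Demo", "lastName": "Student",
   "primaryEmail": "", "isComplete": true, "lastLogin": "2019-11-19T19:47:20.303Z",
   "completionDateTime": "2019-11-19T19:47:40.833Z", "expires": null,
   "finalTestQuestionCount": 5, "finalTestScore": 4}}]}"""

# Placeholders for the demo run (hypothetical institution URL, arbitrary clock value).
DEMO_BASE_URL = "https://example.edu/orientation/"
DEMO_ISSUED_AT = datetime(2019, 11, 19, 19, 30, tzinfo=timezone.utc)


class LaunchApiError(ValueError):
    """A response does not have the shape the page documents."""


def _jsonapi_data(raw, expected_type):
    """Parse a JSON:API document and return its "data" member after checking the
    version and that every resource object carries the expected "type"."""
    doc = json.loads(raw)
    if doc.get("jsonapi", {}).get("version") != "1.0":
        raise LaunchApiError("unexpected jsonapi version")
    data = doc.get("data")
    for item in (data if isinstance(data, list) else [data]):
        if not isinstance(item, dict) or item.get("type") != expected_type:
            raise LaunchApiError(f"expected resource type {expected_type!r}")
    return data


def parse_access_key(raw, issued_at):
    """Return (key_id, expires_at) from an accessKeys response. The response only
    carries a relative lifetime, so the caller supplies when it was received."""
    data = _jsonapi_data(raw, "accessKeys")
    attrs, key_id = data["attributes"], data["id"]
    # The key becomes part of a URL, so refuse ids that would alter the path.
    if not key_id or "/" in key_id or "?" in key_id or any(c.isspace() for c in key_id):
        raise LaunchApiError("access key id is not safe to place in a URL")
    if attrs.get("maxUses") != 1:
        # The sample is single-use; anything else means the contract changed.
        raise LaunchApiError(f"unexpected maxUses: {attrs.get('maxUses')!r}")
    return key_id, issued_at + timedelta(minutes=int(attrs["minutesUntilExpires"]))


def build_launch_url(base_url, key_id, expires_at, now):
    """Append the access key to the Launch URL, refusing a key past its expiry.
    Appending as a trailing path segment is an assumption; the page says only
    that the key is appended to the end of the URL."""
    if now >= expires_at:
        raise LaunchApiError("access key has expired; request a new one")
    parts = urlsplit(base_url)
    path = parts.path.rstrip("/") + "/" + key_id
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


def parse_completions(raw):
    """Map organizationIdValue (the student ID from your SIS) to the fields a
    write-back job needs. A repeated student ID is an error, not a silent merge."""
    records = {}
    for item in _jsonapi_data(raw, "attendees"):
        a = item["attributes"]
        sid = a["organizationIdValue"]
        if sid in records:
            raise LaunchApiError(f"duplicate organizationIdValue {sid!r}")
        records[sid] = {"is_complete": bool(a["isComplete"]), "completed_at": a["completionDateTime"],
                        "score": a["finalTestScore"], "questions": a["finalTestQuestionCount"]}
    return records


def next_start_date(records):
    """Date (YYYY-MM-DD) of the latest completion, for the next pull's start=
    parameter; treating start= as an incremental high-water mark is an assumption."""
    stamps = [r["completed_at"] for r in records.values() if r["is_complete"]]
    if not stamps:
        return None
    latest = max(datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ") for s in stamps)
    return latest.strftime("%Y-%m-%d")


if __name__ == "__main__":
    key, expires = parse_access_key(ACCESS_KEY_RESPONSE, DEMO_ISSUED_AT)
    print(build_launch_url(DEMO_BASE_URL, key, expires, DEMO_ISSUED_AT))
    done = parse_completions(ATTENDEES_RESPONSE)
    print({sid: r["is_complete"] for sid, r in done.items()}, next_start_date(done))
```

The expiry check and the single-use check matter because the access key is the alternative to SSO: whoever holds the URL with the key can start that student’s orientation, so the key should be minted just before redirecting the student, never stored or reused, and discarded once the 15-minute window shown in the response has passed.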

Download Document

WCAG/VPAT 2.3

You may download our WCAG/VPAT 2.3 document by clicking on the button below.

Download Document

Higher Education Community Vendor Assessment Tool (HECVAT)

You may download our HECVAT by clicking on the button below.

Download Document

Comevo Security Policy Overview

Policy Manual

Authored by:

Kimo Yoshida, Director of Technology

Introduction

Keeping customer data safe and secure is a huge responsibility and a top priority for Comevo. We work hard to protect our customers from the latest threats.

Access control and organizational security

Personnel

All our employees and contractors (workers) sign confidentiality agreements before gaining access to our code and data. Background checks are performed on all workers who have access to customer data. Everybody at Comevo is trained and made aware of security concerns and best practices for their systems. Remote access to servers is via our VPN and limited to workers who need access for their day-to-day work. We log all access to all accounts by IP address. Within our SaaS platform, we treat all customer data as equally sensitive and have implemented stringent controls governing this data. Awareness training is provided to our internal employees and contractors during the onboarding/induction process, which covers the importance of and best practices for handling customer data.

Within Comevo, only authorized Comevo employees have access to customer data stored within our applications. Authentication is done via individual 2FA (two-factor authentication), and the servers only accept incoming SSH connections from Comevo Headquarters.

Training and Awareness

Our security training and awareness program does not just check compliance boxes but results in a genuine uplift in knowledge across the company. Our awareness program is built on the premise that security is everyone’s responsibility. These responsibilities are extracted from our internal Written Information Security Program (WISP), and the training and awareness program is used as the primary vehicle for communicating these responsibilities to our staff.

Dedicated teams

Our Operations team and our Security, Infrastructure and Performance (SIP) team are in charge of access/identity management, network connectivity, firewalls and log file management. These two teams’ responsibilities include:

  • Maintain and support our automated test suite for development machines
  • Build/operate Comevo’s infrastructure, including logs, monitoring and authentication
  • Review, test and design incident response processes
  • Respond to alerts triggered by any security events
  • Coordinate external audits and security and privacy certifications
  • Monitor and alert on anomalous activity
  • Coordinate vulnerability testing

Audits, Security Policies and Standards

Comevo itself has not completed a SOC audit. We can provide a copy of the SOC reports for the data centers we use (Amazon AWS) after an NDA has been completed.

We have an internally built system that monitors and automatically blocks suspicious activity (including vulnerability scanning, failed logins, and a host of other suspicious activities). We also have alerts in place for excessive resource use that escalate to our Ops team for manual investigation. Our products run on a dedicated network secured with firewalls and are carefully monitored.

Data protection and privacy

Data Location

Our primary data centers are in the United States, through the use of Amazon AWS Cloud Services. All data is written to multiple disks instantly, backed up daily, and stored in multiple locations. Customer files are stored on Amazon S3 servers that use modern techniques to remove bottlenecks and points of failure. Our software infrastructure is regularly updated with the latest security patches.

Encryption in transit and at rest

Over public networks we send data using strong encryption. We use SSL certificates issued by Sectigo RSA Domain Validation Secure Server CA. The connection uses AES_256_CBC for encryption, with SHA2 for message authentication and ECDHE_RSA as the key exchange mechanism.

Any files that are uploaded are stored and encrypted at rest. Our storage system uses AES-256/SHA-256 encryption. Files are encrypted with AES-256, sliced, replicated, and geographically dispersed to separate data centers on private, end-to-end encrypted network connections.

Business Continuity and Disaster Recovery

We strive to maintain strong Business Continuity (BC) and Disaster Recovery (DR) capabilities to ensure that the effect on our customers is minimized in the event of any disruptions to our operations.

Our Disaster Recovery Program consists of a few key practices to ensure the appropriate levels of governance, oversight, and testing:

  1. Governance. Leadership involvement is key to how we run our DR Program. With leadership involved, we have both business and technical drivers accounted for in our strategy for resilience.
  2. Oversight and maintenance. We take a disciplined governance, risk, and compliance approach when monitoring and managing our DR program. It enables us to operate more efficiently and effectively when monitoring, measuring, reporting, and remediating key activities within our DR program. Site Reliability Engineers are committed to ongoing Disaster Recovery meetings and represent their critical services. They discuss identified DR gaps with the risk and compliance team and focus on the appropriate levels of remediation as necessary.
  3. Testing. We conduct regular testing and strive for continual improvement as part of our DR lifecycle to ensure your data and the use of your data is highly available and performant. Backup and restore procedures are in place and tested on a regular basis. This means that when data needs to be restored, we’re prepared to get you up and running with well-trained support staff and fully tested procedures.

In addition to assurance of resiliency through governance, oversight, and testing, Comevo emphasizes continual improvement throughout the DR Program.

As far as Business Continuity (BC) is concerned, Comevo is a cloud-based company, so it’s very easy for us to arrange for our people to work from home. That means that our team can and will continue to support you wherever they are and wherever you are.

Backups

Application data is stored on resilient storage that is replicated across data centers. Application database backups for Comevo Launch are taken daily by an automated process and retained for 30 days, with support for point-in-time recovery. All snapshot and backup data are encrypted. Backup data is stored offsite and is replicated to multiple data centers within a particular AWS region. We perform quarterly testing of our backups. Our backups of your data are encrypted using AES-256 best-in-class military-grade encryption.

Physical Security

Physical security of the AWS EC2 cloud servers begins at the perimeter layer. This layer includes many security features such as security guards, fencing, security feeds, intrusion detection technology and other security measures. Only authorized personnel have access to the data center. 24/7/365 onsite staff provide extra protection against unauthorized entry and security breaches.

Law enforcement

Comevo won’t hand your data over to law enforcement unless a court order says we have to. We flat out reject requests from local and federal law enforcement when they seek data without a court order. Unless we are legally prevented from it, we will always inform you when we receive such requests.

Data deletion

All of your data can be deleted upon your request. Within 30 days of your request, all Comevo content will be permanently deleted from all servers and logs. This information cannot be recovered once it has been permanently deleted. We also keep backups stored off-site for a maximum of 30 additional days. Therefore, after a cancellation, all data will be permanently deleted from backups within 60 days.

A data deletion request will have to go through our “Data Deletion Request Process”. An email sent to “datadeletion@comevo.com” will start the process. Upon receipt of the request, Comevo will send an online “Data Deletion Request” form to begin the formal request process.

GDPR/CCPA Commitment

Our commitment to customer data privacy

We are invested in our customers’ success and the protection of customer data. One way that we deliver on this promise is by helping Comevo customers understand, and where applicable, comply with the General Data Protection Regulation and the California Consumer Privacy Act. The GDPR is the most significant change to European data privacy legislation in the last 20 years and went into effect on May 25, 2018. The CCPA is also a significant change to California and U.S. legislation and went into effect January 1, 2020.

Each law is designed to give EU and CA/US citizens more control over their data and seeks to unify many existing privacy and security laws under one comprehensive law.

The GDPR not only applies to organizations located within the EU, but it also applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

The CCPA not only applies to organizations located within CA, but it also applies to all companies processing and holding the personal data of data subjects residing in CA, regardless of the company’s location.

GDPR/CCPA Compliance

We appreciate that our customers have requirements under the GDPR/CCPA that are directly impacted by their use of Comevo services, which is why we have devoted significant resources toward helping our customers fulfill their requirements under the GDPR/CCPA and local law.

Below are several GDPR/CCPA initiatives that have been implemented for our cloud services:

  • We have made significant investments in our security infrastructure.

  • We offer data portability and data management tools including:

    • Profile deletion: We help customers delete personal information, such as names and email addresses.

  • We have made required updates to relevant contractual terms.

  • We have ensured that Comevo staff who access and process Comevo customer personal data have been trained in handling that data and are bound to maintain the confidentiality and security of that data.

  • We hold any vendors that handle personal data to the same data management, security, and privacy practices and standards to which we hold ourselves.

  • We have committed to carrying out data impact assessments and consulting with EU/CA regulators where appropriate.

Incident management

Security Incident Management

Incidents will happen, but our speed and efficiency in response will keep the impact as low as possible. The security team at Comevo aggregates logs from various sources in the hosting infrastructure and makes use of a security platform to monitor and flag any suspicious activity. Our internal processes define how these alerts are triaged, investigated further, and escalated appropriately.

In the event of a serious security incident, Comevo has access to the expertise internally – and through external subject matter experts – to investigate incidents and drive them until closure. The database of our security incidents is cataloged against the VERIS Framework.

Conclusion

Security isn’t just about technology, it’s about trust. Over the past 15 years we’ve worked hard to earn the trust of hundreds of institutions of higher education and companies nationwide. We will continue to work hard every day to maintain that trust. Longevity and stability are core to our mission at Comevo.

Written Information Security Program (WISP)

Policy Manual

Authored by:

Kimo Yoshida, Director of Technology

Q1, 2020

SENSITIVE INFORMATION NOTICE: THIS PLAN CONTAINS SENSITIVE AND PROPRIETARY INFORMATION ABOUT COMEVO, INC. BUSINESS PROCESSES, CLIENTS, AND SECURITY PROCEDURES. ACCESS TO THIS PLAN WILL BE RESTRICTED TO COMEVO EMPLOYEES ONLY.

I. Objective

In order to protect our clients’ privacy and personal information, we at Comevo have developed this Written Information Security Program. This is a comprehensive set of guidelines and policies we have implemented for The Protection of Personal Information of Comevo Customers, as well as other federal, state and international regulations and standards. This plan is reviewed periodically and amended as necessary to protect personal information.

II. Designated Employees to Maintain Security Plan

At Comevo, we have appointed the Director of Technology to be the designated employee in charge of maintaining, updating, and implementing our Information Security Program.

III. Internal and External Risk Assessment

In order to assess any risks of access to personal information, we have evaluated where that information may be present. Comevo may keep personal information or other sensitive information on our desktop PCs, filing cabinets, laptops, and servers, which are password protected and locked. Our internal computers are protected behind a firewall.

Comevo employees may from time to time need access to personal information. In order to ensure that none of this information is vulnerable to a breach, we have implemented the following policies:

a. Employee Training

All employees are responsible for maintaining the privacy and integrity of personal information. Any paper record containing personal information about any client or third party must be kept behind lock and key when not in use. Any computer file containing personal information will be kept password-protected. No personal information is to be disclosed without first fully authenticating the receiving party.

When disposing of paper records containing personal information, a cross-cut shredder or outside shredding service will be used. Similar appropriate electronic methods will be used for disposing of electronic media.

All employees will participate in Security Awareness Training which formally trains and educates about IT protection. It involves programs to train and educate employees about the latest Cyber threats, the individual responsibility for company security policies, the measures to prevent threats and also the ability to audit these efforts.

The Director of Technology trains all new employees on this policy, and there are also periodic reviews for existing employees.

b. Employee Compliance

Any employee who discloses personal information or fails to comply with these policies will face immediate disciplinary action including the possibility of termination.

c. Detecting and Preventing Security System Failures

Comevo will provide regular network security audits in which all server and computer system logs are evaluated for any possible electronic security breach. These audits will be performed every 30 days. Additionally, all employees are trained to watch for any possible physical security breach, such as unauthorized personnel accessing file cabinets or computer systems.

IV. Keeping, Accessing and Transporting Personal Information

As mentioned above, Comevo will take all possible measures to ensure that employees are trained to keep all paper and electronic records containing personal information securely on-premises at all times. When there is a need to bring records containing personal information off-site, only the minimum information necessary will be brought; electronic records will be password-protected and encrypted, paper records will be kept behind lock and key. Records brought off-site should be returned to the Comevo office as soon as possible.

Under no circumstances are documents, electronic devices, or digital media to be left unattended in an employee’s car, home, or in any other potentially insecure location.

V. Disciplinary Measures

Any employee who willfully discloses personal information or fails to comply with these policies will face immediate disciplinary action including the possibility of termination.

VI. Prevention of Terminated Employees from Accessing Information

Any terminated employees’ computer access passwords will be disabled before the employee is terminated. Physical access to any documents or resources containing personal information will also be immediately discontinued.

VII. Third-Party Service Providers

Access to personal information by third-party service providers will be kept to a bare minimum. Any third-party service provider who does require access to information will be fully vetted via individual background checks. All third-party service providers’ mobile devices will also be fully encrypted.

VIII. Limiting Information Collected

Comevo is committed to collecting only the minimum of personal information necessary to accomplish our purposes; old information is also disposed of securely after 10 years or after whatever period is required by federal and state data retention requirements.

IX. Identifying Where Personal Information is Stored

We have identified the locations where personal information is stored on our network. Personal information is stored in the following: filing cabinets, desktop PCs, laptops, and servers.

X. Physical Access Restrictions

Comevo offices and computer network are kept locked – third parties are not allowed physical access to records. Paper files that are not currently in use are kept locked in filing cabinets. In addition, electronic records are kept in databases and on servers which are behind multiple layers of electronic safeguards.

XI. Monitoring and Upgrading Information Safeguards

Comevo’s appointed information security coordinator, the Director of Technology, will continually monitor and annually assess all of our information safeguards to determine when upgrades may be necessary.

XII. Annual Review

The Director of Technology, as the appointed information security coordinator, will also perform an annual review of our information security plan.

XIII. Documenting and Reviewing Breaches

The information security coordinator will thoroughly document and review any breach that may occur. Records of this will be kept on file with our Written Information Security Plan.

XIV. Computer System Requirements

To address external risks to the security of our network and all data, we have implemented the following policies:

a. Secure user authentication protocols:

  • Unique strong passwords are required for all user accounts; all employees receive their own user accounts. Passwords must be a minimum of 8 characters and include a capital letter, a symbol and a number.

  • Passwords are changed on a regular basis.

  • Accounts are locked after 3 successive failed password attempts.

  • Any terminated employees’ computer access passwords will be disabled before the employee is terminated.

b. Secure access control measures:

  • Only Employees who need access to personal information are given access to proper folders.

  • Each person has a unique password to the computer network. These passwords are not assigned by any vendor.

c. Encryption on Public Networks

  • We do not transmit unencrypted Personal Information across public networks under any circumstances.

d. Reasonable monitoring

Comevo performs a network security log audit every 30 days in order to detect any possible breaches.

e. Laptops and Portable Devices

Any laptop or portable device which has personal information stored on it will be kept encrypted using a whole-disk or whole-device encryption solution, at all times.

f. Security Updates and Patches:

  • We use the Pulseway RMM and it is regularly monitored. Operating system patches and security updates are installed every 30 days to all of our servers.

g. Antivirus and Updates

  • We use the BitDefender GravityZone EDR/firewall software and it is kept updated on all servers and workstations. Virus definition updates are installed on a regular basis, and the entire system is tested and checked at least once per month.

h. Education and training of employees on the proper use of the computer security system and the importance of personal information security.

  • All employees are responsible for maintaining the privacy and integrity of personal information. All employees have been trained that any paper record containing personal information about any client or third party must be kept behind lock and key when not in use. Any computer file containing personal information will be kept password-protected. The Director of Technology trains all new employees on this policy, and there are also periodic reviews for existing employees.

XV. Effective Date

Reviewed by _________________ on the date: ____________

Employees, by signing below, you assert that you have read this Plan and will comply with its requirements:

Employee Name         Date

Manager Name           Date