Our Security Measures

User privacy and security come first in all our operational and engineering decisions, particularly when choosing commercial services to integrate with and to provide highly specialized functionality to our product, like storing data and protecting user-provided metadata. Our infrastructure is built on best-in-class services from Amazon Web Services (AWS), Heroku, GitHub and Google Firebase, each the clear leader among its peers. TurbineLMS has no physical servers or data centers. Physical security practices follow the guidance of the TurbineLMS Employee Security Program.

Data Protection

TurbineLMS uses GDPR- and CCPA-compliant data controllers. All data sent between you and TurbineLMS is encrypted in transit over HTTPS using TLS v1.2. Data is encrypted at rest using AES-256 encryption and stored in data centers certified for compliance with the ISO 27001 standard. TurbineLMS encourages customers to use their own AWS account to store any file uploaded to TurbineLMS. This is a server-side integration handled by TurbineLMS engineers.

Data Access

Access to user data is restricted. We require that an organization owner give explicit permission to TurbineLMS engineers or support staff not required to troubleshoot affected data or platform features. These actions are monitored.

User Authentication & Permissions

TurbineLMS follows a microservices architecture pattern and authenticates users with Google Firebase Authentication. A JWT is generated and signed with a server-side key using HMAC SHA256 to enable TurbineLMS Single sign-on (SSO). Client-facing apps include auth.TurbineLMS.com (TurbineLMS Auth), app.TurbineLMS.com (TurbineLMS) and admin.TurbineLMSlms.com (TurbineLMS Admin). Specific user permissions are required to access each application. TurbineLMS Auth and LMS are accessible by all users. TurbineLMS Admin is accessible by organization (customer) owners, admins and users granted permission by owners and admins.
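
The following sketch shows how an HMAC SHA256 signed JWT can gate access per application, as described above. It is an added example and not TurbineLMS code: the claim names (`sub`, `role`, `exp`), the role names, the app-to-role mapping and the key are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; a real key comes from a secret store, never source code.
KEY = b"constructed-demo-key-not-a-real-secret"
# Assumed mapping of each client app to the roles allowed in (names are hypothetical).
APP_ROLES = {"auth": {"owner", "admin", "user"},
             "app": {"owner", "admin", "user"},
             "admin": {"owner", "admin"}}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(sub, role, ttl=900, now=None):
    """Sign an HS256 token for a user who has already authenticated."""
    now = int(time.time() if now is None else now)
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps({"sub": sub, "role": role, "exp": now + ttl}).encode())
    sig = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify(token, app, now=None):
    """Return the claims if the token is valid for `app`, else raise ValueError."""
    now = int(time.time() if now is None else now)
    try:
        header, body, sig = token.split(".")
        alg = json.loads(b64url_decode(header)).get("alg")
        given = b64url_decode(sig)
    except (ValueError, AttributeError) as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: never let the token header pick "none" or another scheme.
    if alg != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    # Constant-time comparison, done before the payload is parsed or trusted.
    if not hmac.compare_digest(expected, given):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims["exp"] <= now:
        raise ValueError("expired")
    if claims["role"] not in APP_ROLES.get(app, set()):
        raise ValueError("role not permitted for this app")
    return claims
```

Each service holding the shared key can run `verify` locally, which is what lets one sign-in cover several apps; the trade-off of a symmetric scheme is that any service able to verify tokens can also mint them.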

TurbineLMS Employee Security Program

We require physical security of our machines, devices and passwords through use of 256-bit AES encrypted password management, two-factor authentication (2FA) and regular security reviews of people and technology.