Our users trust us with their content and learning results. This page describes how we protect that data.
us at [email protected]
We have all kinds of security measures in place to protect against the loss, misuse and/or unauthorized
alteration of the information under our control or under the control of our service providers. Your personally
identifiable information is protected by utilizing both online and offline security methods, including firewalls,
passwords and restricted physical access to the places where your information is stored.
Amazon Web Services security
Our data is hosted in Amazon Web Services (AWS) facilities in the USA. This means AWS protection is being
used to secure your data. You can read about this protection here:
Additional security information
We make daily backups of all user data.
As a safety measure, we make backups of all the data every day. We store these backups at another location.
We do not store payment details.
Easygenerator is not in the business of storing or processing payments. All payments made to Easygenerator
are processed by Stripe. All credit card data is encrypted over an SSL connection when transmitted to
their PCI-compliant network. Details about their security setup and PCI compliance can be found at Stripe’s
We offer optional extra security features.
Easygenerator provides an option to have all data encrypted and transmitted via an SSL/TLS/HTTPS
connection, the most common and trusted communication protocol available.
In addition to security, privacy laws apply to the results of the learners. By default, Easygenerator stores the results of
learners in its own results database. Some countries have privacy laws that do not allow this. Therefore
Easygenerator offers you the option to store the results at the location of your choice. We can report
learners’ results to any LMS or LRS (even behind your own firewalls).
On top of the AWS security, we have built our own layer of security. For obvious security reasons, we will not disclose
these measures. In order to prove the safety of your data, we will have a third party conduct a regular
penetration test. During this test the security of the data is tested both with automatic assaults and manual
Penetration test results from December 2016
The Security Factory was tasked with performing a web application assessment on the Easygenerator
platform. The purpose of this assessment was to verify the effectiveness of the security controls in Easygenerator to secure business-critical information, and the extent to which an attacker can compromise
systems and information should these controls fail.
The testers of the Security Factory validated the application and its infrastructure, where applicable,
against an extensive list of more than 200 vulnerabilities. This list covers the OWASP top 10 and many
more vulnerabilities categorized within weak passwords, missing OS patches, outdated software, human
errors, misconfiguration, incorrect use, vulnerable software, malware, excessive permissions, design flaws, legacy and many more.
Risk Levels Overview
The risks that are found during this test are categorized from Critical to Information. Critical is obviously the
- Critical: Remotely exploitable vulnerabilities that can compromise the system. Interaction is not normally required for this exploit to be successful. Exploits are available and are reportedly being used in the wild.
- High: Remotely exploitable Denial of Service (DoS) vulnerabilities that can compromise the system but do require user interaction. Vulnerabilities that may allow anonymous users to access sensitive information or take administrative actions. Interaction (such as an administrator viewing a particular page) may be required for this exploit to be successful, or in cases where interaction is not required (such as CSRF) the exploit causes only minor damage or impacts less critical systems.
- Medium: Remotely exploitable vulnerabilities that can compromise the system. Interaction (such as an administrator viewing a particular page) is required for this exploit to be successful. The exploit requires the user to have some level of system access or non-default permission.
- Low: A slight misconfiguration that may reduce the overall security level, but in itself does not cause serious concern.
- Information: Issues which are either out of scope or have no security impact, but which were deemed interesting enough to put in the report.
During the penetration test six risks were found.
- Critical: No issues
- High: One issue
- Medium: One issue
- Low: Four issues
- Information: No issues
Critical security issues
No issues found.
The only high-risk issue was that it was possible to retrieve a password by brute force. With no
protection against brute force in place, an attacker can potentially retrieve passwords by trying every
possible combination. We have solved this issue.
Medium security issue
This issue will be solved in the first quarter of 2017, as was recommended by The Security Factory. Since this
issue is not solved yet, we cannot give details on it.
Low security issues
All four issues that were found are minor issues. Nevertheless, we decided to fix these issues in the first 6
months of 2017. The Security Factory advised solving these issues within 12 months. Since these issues are
not solved yet, we cannot give details on them.
No issues found.
Document on request
This document was created in January 2017. We will update this document on a regular basis, reflecting security
improvements we make in the product and the findings of further penetration tests. If you want to have a PDF version of this document, you can request it via [email protected]