Data Security

(Last Updated: May 17, 2018)

Underlying all of our data practices at TechChange is a simple principle: we keep your data in as few places as possible. We accomplish this primarily by minimizing the number of pass-through points for our data flow, using only trusted third-party services, and only releasing the data that is absolutely necessary to accomplish our service needs.

Through this article, we will breakdown the life cycle of use for a user to the component parts.

You

When you access our platform from your computer, tablet, phone, or other device, you immediately make a request to our servers for the requisite information to load the page. This is done through a secure, encrypted connection to prevent third parties from sniffing your information.

You will also have some of your data passed through to two third-party services we use for data analysis and quality assurance respectively: Google Analytics and TrackJS. While they will collect cursory information regarding your location and browser, the data they collect is anonymized and insufficient to identify you.

Google Analytics
Google Analytics is a service that tracks people’s use of websites. It uses anonymized data to track how long people visit websites, what pages they visit, and how they interact with the website. We do not provide any personal data and/or personally identifiable information to Google Analytics.

TrackJS
TrackJS is a service that tracks errors on a website. TechChange employees receive notifications about errors and can then review those errors to ensure the platform is functioning as intended. TrackJS gathers information about the browser you are using and your IP address. We provide a pseudonymized identification for logged-in users. TrackJS deletes all data every 15 days.

To take a course with us, we require you to register an account with us. At that point, you must provide us with the following information:

  • Your name (you could use a fake name)
  • Your email address (you could use a throwaway account)
  • A username
  • A password

You will also have to opt in to accept our Terms of Use and Privacy Policy. You can optionally choose to receive marketing emails from us.

We immediately salt and hash your password using industry-standard cryptographic practices. It is impossible for TechChange employees or others to decrypt user passwords at any time.

The data listed above is is the only data that TechChange will require for you to access the platform. While it is possible that you will have further information requested of you during a course (through discussions, profile forms, final projects, or assessments), these are strictly opt-in.

At no point will we gather personal information about you without you explicitly providing that information to us.

Our Servers

We host all of our applications and databases through Digital Ocean, a leading cloud computing platform. By keeping our applications within a single platform, we minimize the number of through points your data can go. This also allows us to utilize a private network, further decreasing the likelihood your information will be compromised.

When you request a page from us, the request goes to a load balancing server. This server helps to make sure your request gets handled in a timely fashion. The load balancer will then send this request to an application server that is tasked with responding to you with the correct data.

The first thing the application server does is make sure you have the appropriate permissions to complete the request. If you do not, we terminate your request. If you do, a number of possible paths open up from here.

The most common path is to one of our databases. These are also hosted with Digital Ocean, allowing all of the data to remain insular. In our database, we store the minimum amount of information we need to provide the platform to you. Virtually all of the information in the database is created directly by user requests.

The other, less common path is to a trusted third-party service. We use only a handful of third-party services for specific purposes. The following lists these services, the purpose of their use, and the personal data and/or personally identifiable information we provide to them.

Postmark

Postmark provides us with a transactional email service. Basically, when you request a password reset, get @mentioned on the platform by another user, enroll in a course, or a whole slew of things triggered by your or another user’s use of the platform, we likely send you that email through Postmark. The only personal data and/or personally identifiable information we provide Postmark is your name and your email address. It is possible that other information might be provided to them, but this would be strictly as a result of your or another user’s input into the platform.

MailChimp

While Postmark provides a transactional email service for us, MailChimp provides us with marketing emails. We would use Mailchimp to announce new courses or offer discount codes. These emails are strictly opt-in upon your registration on the platform, and you can opt-out at any time. The personal data and/or personally identifiable information we provide MailChimp is your name and your email address. Upon opening an email from MailChimp, they may collect your IP address and best-guess timezone.

Google Cloud Pub/Sub

We utilize Google Cloud Pub/Sub as a service to coordinate information across our various servers. For example, we need to make sure that you receive an email after you request a password reset and that we keep track of the security token we provide you to complete your request. Google Cloud Pub/Sub allows us to make sure that this information is updated everywhere it needs to be. Google Cloud Pub/Sub provides end-to-end encryption to ensure any data we send is secure. The personal data and/or personally identifiable information we provide to Google Cloud Pub/Sub is your name and email address. Occasionally we may provide other information, such as information that you provided in an application form or discussion post. We only provide the information necessary to complete the required task.

Stripe

Stripe processes the majority of payments to take courses on the platform. Stripe requires users to provide a great deal of personal data and/or personally identifiable information, such as your real name, email address, location, credit card number, address, and phone number; however, TechChange never stores this information in our own databases or servers.

PayPal

PayPal processes some payments to take courses on the platform. Like Stripe, PayPal also requires users to provide a great deal of personal data and/or personally identifiable information. Depending on your payment method, PayPal may request that a user provide: real name, email address, location, credit card number, bank account information, address, and phone number. We never store this information in our own databases or servers.

Our Databases

When you request information from our database, we return only the data needed to fulfill your request. If your request requires us to update our database, we ensure that you have permission to update the data you are trying to change. We save only the data needed to continue use of the service and avoid extraneous data whenever possible.

Overall, we take securing our databases seriously and do our best to ensure that nobody ever has access to somebody else’s data inappropriately.