Chronus’ best-in-class security and compliance give organizations the confidence to deploy employee development programs at scale without compromising data integrity or privacy.
Chronus employs robust encryption protocols, secure access controls, and continuous monitoring to protect its platform against potential threats.
A SOC 2 examination is a report on the controls at Chronus LLC (Chronus) relevant to the security, availability, and confidentiality Trust Service Criteria (TSC). Our SOC 2 report is intended to meet the needs of a broad range of users who need detailed information and assurance about the controls at Chronus relevant to the TSC. Our SOC 2 achievement demonstrates our ongoing commitment to maintaining the highest standards of data security for our customers.
ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
Chronus has obtained a Provisional Authorization from the Defense Information Systems Agency (DISA), which grants Chronus the approval necessary to serve U.S. Department of Defense agencies. The DISA Provisional Authorization provides customers with a reusable certification attesting to Chronus' compliance with DoD security standards, reducing the time a DoD mission owner needs to assess and authorize one of their systems for operation with Chronus.
The Federal Risk and Authorization Management Program (FedRAMP) is a US government program that provides a standardized approach to the assessment and continuous monitoring of cloud products and services. Federal agencies authorize cloud services that demonstrate compliance with one of the FedRAMP security baselines. Chronus is currently working with various teams to become FedRAMP authorized by early 2025.
Chronus ensures GDPR compliance for EU customers through data handling processes, subprocessor agreements, and EU standard contractual clauses.
Chronus ensures compliance under the California Consumer Privacy Act (CCPA) as applicable.
CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider. This technology-neutral certification leverages the requirements of the ISO/IEC 27001 management system standard together with the CSA Cloud Controls Matrix.
Access to Chronus systems is strictly controlled and users are granted access using a role-based access control (RBAC) model. Access is revoked as soon as the purpose for access is accomplished. Access to Chronus systems is reviewed on a quarterly basis to ensure proper user access.
All critical information of the Chronus mentor application shall be backed up synchronously in the identified AWS availability zones across regions as per the compliance requirements. Backups are scheduled within AWS as per the defined frequency and tested to ensure that the backups are in a usable state. Backups are stored within secure S3 buckets in AWS. Backups are encrypted using AES 256 encryption.
All production data resides on AWS across multiple availability zones in customer-preferred regions. For information on disposal and destruction of AWS-managed equipment, please visit https://aws.amazon.com/compliance/. For Chronus-managed workstations, Chronus electronic media sanitization conforms to DoD requirements, performing a DoD 5220.22-M secure wipe of read/writable media using the scrub utility.
RBAC is a fundamental aspect of our security framework, designed to enhance data protection and restrict unauthorized access to sensitive information. This approach ensures that users within your organization have appropriate permissions aligned with their roles, responsibilities, and level of access required for their job functions. Our RBAC system enables the assignment of specific roles to users, granting them access only to the features and data necessary for their tasks. We have implemented RBAC across various layers of our product and infrastructure. This multi-layered approach ensures that access controls are consistently enforced, mitigating potential security risks.
The platform maintains logs of various types and for all access and user activity. These logs are necessary for monitoring anomalies and abusive patterns, inappropriate use of resources, and overall operational status and health of the platform. Log data is centralized to our security information and event management (SIEM) platform for analysis and alerting. Logs are monitored regularly for anomalous activity.
Chronus supports a variety of integrations with popular business software such as: Zoom, Google Meet, Microsoft Teams, Slack, Google Calendar, Apple Calendar, Microsoft Exchange, and Microsoft 365.
Chronus uses Amazon Web Services Shield for Distributed Denial of Service (DDoS) attack protection and AWS CloudWatch to monitor and alert on events related to its AWS infrastructure.
Chronus is hosted on Amazon Web Services (AWS) and supports three regions: U.S. East, Europe, and Australia. Additionally, for U.S. federal and DoD customers, Chronus utilizes AWS GovCloud to host the Chronus mentor application.
Chronus has a formal business continuity plan for extended service outages caused by unforeseen or unavoidable disasters in an effort to restore services to the widest extent possible in a reasonable time frame. Chronus has documented a set of disaster recovery policies and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a disaster. Chronus conducts Disaster Recovery (DR) simulations every six months.
Chronus uses Domain-based Message Authentication, Reporting, and Conformance (DMARC) as a way to prevent spam. DMARC builds on SPF and DKIM to verify that messages sent in the name of a domain are authentic.
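As an added illustration of the check DMARC performs on top of SPF and DKIM (example code, not Chronus' implementation): a receiver parses the sender domain's DMARC record and passes a message only if SPF or DKIM passed AND the authenticated domain aligns with the visible From: domain, otherwise it applies the published policy. The DMARC record, domains and authentication results are constructed, and the organizational-domain helper is a simplification that ignores the Public Suffix List.

```python
# Constructed DMARC TXT record, as it would be published at _dmarc.example.com
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict, applying the defaults for alignment modes."""
    tags = {"adkim": "r", "aspf": "r"}  # relaxed alignment is the default for both
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    """Approximate organizational domain as the last two labels (assumption: no PSL lookup)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition).

    DMARC passes when at least one of SPF or DKIM both passed and aligns with the
    From: domain; otherwise the record's p= policy (none/quarantine/reject) applies.
    """
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    return False, policy["p"]


if __name__ == "__main__":
    # Legitimate mail: SPF passed for a subdomain, relaxed aspf accepts it.
    print(evaluate(DMARC_RECORD, "example.com", "pass", "mail.example.com", "fail", "example.com"))
    # Spoofed From: header: SPF passed only for an unrelated domain, DKIM failed -> reject.
    print(evaluate(DMARC_RECORD, "example.com", "pass", "other-sender.net", "fail", "example.com"))
```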
Employee security awareness is a key component of any security program. Employees are trained at least once per year on security principles and best practices. This includes, but is not limited to, spotting and reporting phishing emails, avoiding password reuse, and utilizing software only from trusted sources.
Chronus has formal incident response policies and procedures in place to deal with different types of incidents.
What compliance standards does Chronus adhere to?
Chronus has been audited and certified for ISO 27001, DOD CC IL4, CSA Star Level 1, and SOC 2 Type 2 compliance. Read more in our Trust Portal.
Can Chronus assist customers in achieving compliance with GDPR, CCPA, and other privacy laws?
Yes, Chronus is equipped to assist customers in achieving compliance with GDPR and other relevant privacy regulations. Chronus is able to execute a Data Processing Addendum (DPA) with customers to support their compliance with GDPR and other privacy laws. Please refer to the Chronus DPA.
Where is Chronus infrastructure hosted?
Chronus is hosted on Amazon Web Services (AWS) and supports three regions: U.S. East, Europe, and Australia. Additionally, for U.S. federal and DoD customers, Chronus utilizes AWS GovCloud to host the Chronus mentor application.
Does Chronus necessitate the provision of personally identifiable information (PII) to render services?
Chronus may require PII depending on the services utilized, but it ensures secure handling and compliance with applicable data protection laws.
How does Chronus ensure the security of data?
Chronus employs robust encryption, access controls, regular security audits, and best practices to safeguard customer data against unauthorized access and breaches. Read more in our Trust Portal.
What is the duration for which Chronus retains customer data?
Chronus retains customer data only for the necessary duration as outlined in its data retention policies or as required by applicable laws. Read more in our Trust Portal.
Does Chronus engage third-party vendors, and do these vendors have access to customer data?
Yes, access to customer data is strictly controlled and governed by stringent agreements and security protocols. Read more in our Trust Portal.
Has Chronus implemented a security incident management process?
Yes, Chronus has a formal incident response process to deal with different types of incidents, including data breaches should they ever occur.
Does Chronus support SSO / MFA?
Chronus allows users access to the platform through Username/Password and Single Sign-On (SSO) mechanisms such as SAML, SOAP, LinkedIn SSO, and Cookie. Multi-factor authentication (MFA) can be achieved by enabling MFA through SSO authentication.
Does Chronus have Cyber Insurance?
Chronus has Cyber Insurance coverage for situations involving cyber attacks or occurrences resulting in loss.
Does Chronus conduct penetration tests and code scans?
Yes, Chronus conducts regular automated and manual penetration testing efforts. We utilize a combination of certified third-party scanning tools and proprietary solutions for code scanning.