Security
Securing Your Trust, Protecting Your Data
Chronus’ best-in-class security and compliance give organizations the confidence to deploy employee development programs at scale without compromising data integrity or privacy.

Up All Night, So You Don’t Have To Be
Chronus employs robust encryption protocols, secure access controls, and continuous monitoring to fortify its platform against potential threats, giving organizations the confidence to deploy employee development programs at scale without compromising data integrity or privacy.

Compliance
SOC2
A SOC 2 examination produces a report on the controls at Chronus LLC (Chronus) relevant to the security, availability, and confidentiality Trust Services Criteria (TSC). Our SOC 2 report is intended to meet the needs of a broad range of users who need detailed information and assurance about the controls at Chronus relevant to the TSC. Our SOC 2 achievement demonstrates our ongoing commitment to maintaining the highest standards of data security for our customers.
ISO 27001
ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
DOD CC IL4
Chronus has obtained Provisional Authorization from the Defense Information Systems Agency (DISA) which provides Chronus with the necessary approval to serve U.S. Department of Defense agencies. The Provisional Authorization from DISA provides customers with a reusable certification that attests to Chronus’ compliance with DoD security standards, reducing the time necessary for a DoD mission owner to assess and authorize one of their systems for operation with Chronus.
FedRAMP Moderate
The Federal Risk and Authorization Management Program (FedRAMP) is a US government program that provides a standardized approach to the assessment and continuous monitoring of cloud products and services. Federal agencies adhere to it by authorizing only those cloud services that have demonstrated compliance with one of the FedRAMP security baselines.
GDPR
Chronus ensures GDPR compliance for EU customers through data handling processes, subprocessor agreements, and EU standard contractual clauses.
CCPA
Chronus ensures compliance under the California Consumer Privacy Act (CCPA) as applicable.
CSA STAR
CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider. This technology-neutral certification leverages the requirements of the ISO/IEC 27001 management system standard together with the CSA Cloud Controls Matrix.
Data Security
Access Monitoring
Access to Chronus systems is strictly controlled and users are granted access using a role-based access control (RBAC) model. Access is revoked as soon as the purpose for access is accomplished. Access to Chronus systems is reviewed on a quarterly basis to ensure proper user access.
Backups Enabled
All critical information of the Chronus mentor application is backed up synchronously to the identified AWS availability zones across regions, as required by the applicable compliance requirements. Backups are scheduled within AWS at the defined frequency and are tested to ensure that they are in a usable state. Backups are stored in secure S3 buckets in AWS and are encrypted using AES-256.
Data Erasure
All production data resides on AWS across multiple availability zones in customer-preferred regions. For information on the disposal and destruction of AWS-managed equipment, please visit https://aws.amazon.com/compliance/. For Chronus-managed workstations, Chronus electronic media sanitization conforms to DoD requirements: a DoD 5220.22-M secure wipe of read/writable media is performed using the scrub utility.
Product Security
Role-Based Access Control
RBAC is a fundamental aspect of our security framework, designed to enhance data protection and restrict unauthorized access to sensitive information. This approach ensures that users within your organization have appropriate permissions aligned with their roles, responsibilities, and level of access required for their job functions. Our RBAC system enables the assignment of specific roles to users, granting them access only to the features and data necessary for their tasks. We have implemented RBAC across various layers of our product and infrastructure. This multi-layered approach ensures that access controls are consistently enforced, mitigating potential security risks.
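The following is an added illustration of the RBAC model described above, not code from the Chronus product. It shows how a role-to-permission map with deny-by-default evaluation can be combined with a second, resource-scope layer so that a user's role and the resource's program membership are both checked. All role, permission and program names are hypothetical.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set

# Hypothetical role -> permission map (constructed for this example, not Chronus's).
# Permissions are "<resource kind>:<action>" strings; anything not listed is denied.
ROLE_PERMISSIONS = {
    "program_admin": {"program:read", "program:write", "match:read", "match:write",
                      "profile:read", "report:read"},
    "mentor": {"match:read", "profile:read", "profile:write"},
    "mentee": {"match:read", "profile:read", "profile:write"},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]
    program_id: str  # the program this user belongs to


@dataclass(frozen=True)
class Resource:
    kind: str
    program_id: str
    owner: Optional[str] = None  # set for profiles; who the profile belongs to


def permissions_for(roles: FrozenSet[str]) -> Set[str]:
    """Union of the permissions granted by each role; unknown roles grant nothing."""
    perms: Set[str] = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def has_permission(user: User, permission: str) -> bool:
    return permission in permissions_for(user.roles)


def authorize(user: User, action: str, resource: Resource) -> bool:
    """Two enforcement layers, both of which must pass (deny by default).

    Layer 1 (role): the user's roles grant "<kind>:<action>".
    Layer 2 (scope): the resource lives in the user's own program, and a profile
    may only be touched by its owner unless the user is a program admin.
    """
    if not has_permission(user, f"{resource.kind}:{action}"):
        return False
    if resource.program_id != user.program_id:
        return False
    if (resource.kind == "profile"
            and resource.owner != user.name
            and "program_admin" not in user.roles):
        return False
    return True


if __name__ == "__main__":
    alice = User("alice", frozenset({"mentor"}), "p1")
    print(authorize(alice, "read", Resource("match", "p1")))        # True
    print(authorize(alice, "write", Resource("match", "p1")))       # False: role lacks match:write
    print(authorize(alice, "write", Resource("profile", "p1", "bob")))  # False: not the owner
```

The design choice worth noting is that the role layer and the scope layer are evaluated independently: a correct permission string is never sufficient on its own, and a user who somehow acquires an unlisted role string simply gains no permissions.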
Audit Logging
The platform maintains logs of various types covering all access and user activity. These logs are necessary for monitoring anomalies and abusive patterns, inappropriate use of resources, and the overall operational status and health of the platform. Log data is centralized in our security information and event management (SIEM) platform for analysis and alerting. Logs are monitored regularly for anomalous activity.
Integrations
Chronus supports a variety of integrations with popular business software such as: Zoom, Google Meet, Microsoft Teams, Slack, Google Calendar, Apple Calendar, Microsoft Exchange, and Microsoft 365.
Infrastructure
Anti-DDoS
Chronus uses AWS Shield for protection against Distributed Denial of Service (DDoS) attacks and AWS CloudWatch to monitor and alert on events related to its AWS infrastructure.
Amazon Web Services
Chronus is hosted on Amazon Web Services (AWS) and supports three regions: U.S. East, Europe, and Australia. Additionally, for U.S. federal and DoD customers, Chronus utilizes AWS GovCloud to host the Chronus mentor application.
BC/DR
Chronus has a formal business continuity plan for extended service outages caused by unforeseen or unavoidable disasters in an effort to restore services to the widest extent possible in a reasonable time frame. Chronus has documented a set of disaster recovery policies and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a disaster. Chronus conducts Disaster Recovery (DR) simulations every six months.
Corporate Security
Email Protection
Chronus uses Domain-based Message Authentication, Reporting, and Conformance (DMARC) as a way to prevent spam. DMARC uses SPF and DKIM to verify that messages are authentic.
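To make the "DMARC uses SPF and DKIM" sentence concrete, here is an added example, not Chronus's own code, of how a receiving mail server evaluates DMARC for one message: it parses the sender domain's DMARC record, checks whether a passing SPF or DKIM result is aligned with the From: domain (strict or relaxed, per the record's aspf/adkim tags), and returns the policy to apply when neither is. The DMARC record and message results below are constructed sample data; the organizational-domain helper is a simplification (real implementations consult the public suffix list).

```python
from typing import Dict, Tuple


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=r' into tag/value pairs."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption for this example only; production code uses the public suffix list."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment requires an exact match; relaxed ('r') requires the same org domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(record: str, from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> Tuple[str, str]:
    """Return (dmarc_result, policy_to_apply).

    spf_domain is the domain SPF authenticated (MAIL FROM); dkim_domain is the
    d= tag of the DKIM signature. DMARC passes if at least one of SPF or DKIM
    both passed and is aligned with the RFC5322.From domain.
    """
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "s") if False else tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")


if __name__ == "__main__":
    # Constructed sample: the From: domain publishes p=reject with strict DKIM alignment.
    RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"
    # A legitimate message relayed by a subdomain mail host: SPF passes, relaxed alignment holds.
    print(evaluate_dmarc(RECORD, "example.com", "pass", "mail.example.com", "none", ""))
    # A spoofed From: with a DKIM signature from an unrelated domain: fails, policy is reject.
    print(evaluate_dmarc(RECORD, "example.com", "fail", "attacker.example.net", "pass", "attacker.example.net"))
```

The practical point for a defender is the alignment step: SPF or DKIM passing on some domain is not enough, it has to be the domain the recipient actually sees in the From: header, which is what lets DMARC catch spoofing that plain SPF and DKIM would let through.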
Employee Training
Employee security awareness is a key component of any security program. Employees are trained at least once per year on security principles and best practices. This includes, but is not limited to, spotting and reporting phishing emails, avoiding password reuse, and using software only from trusted sources.
Incident Response
Chronus has formal incident response policies and procedures in place to deal with different types of incidents.
