Question 1

What cloud hosting provider does CBT Nuggets use for data storage and backup?

Accepted Answer

CBT Nuggets uses the AWS US-East-1 region for primary storage. Data stored in S3 is replicated across multiple AWS availability zones for administrative efficiency and resiliency.

Question 2

Does CBT Nuggets encrypt data in transit and at rest?

Accepted Answer

Yes. We use SSE-KMS to encrypt S3 buckets that maintain end-user PII. Data is encrypted in transit between end-user devices and CBT Nuggets services, between internal services, and over public networks. Our system uses industry-standard encryption — AES-256 for data at rest and TLS for data in transit.

Question 3

What are CBT Nuggets' password requirements?

Accepted Answer

External application users: 8 or more characters with at least one letter and one number. Login is rate-limited to 10 attempts per 15-minute window; exceeding the limit blocks the IP for 12 hours. Internal network users: 12 or more characters with at least one uppercase letter, lowercase letter, number, and non-alphanumeric character, plus required multi-factor authentication.

Question 4

Does CBT Nuggets support SSO?

Accepted Answer

Yes. We support SSO via Microsoft Entra and Okta using SAML 2.0.

Question 5

What operational procedures and responsibilities does CBT Nuggets adhere to?

Accepted Answer

Access Control & Authorization, Personal Data Incident Response & Notification, Security Program, Data Privacy and Security Training & Awareness, Threat and Vulnerability Management and Security Testing, Change Management, and Secure Development.

Question 6

What is CBT Nuggets' software development and security review process?

Accepted Answer

We follow an industry-standard SDLC with security and quality assurance at every phase: requirements gathering, design review, implementation, testing, and deployment. Security and QA are integrated into the release process, including automated user acceptance testing. Testing is conducted on production systems under real-world conditions for comprehensive assessment. Security reviews — both ongoing peer reviews and system-level checks — protect our source code throughout the development cycle.

Question 7

Does CBT Nuggets engage in annual penetration testing?

Accepted Answer

Yes. We engage a third-party service provider for penetration testing at least annually. We do not share pen-test reports directly with customers due to our status as a U.S. government contractor; reports are available under NDA via the gated Trust Center for active customers.

Question 8

Is CBT Nuggets PCI compliant?

Accepted Answer

Yes. CBT Nuggets complies with the most recent version of PCI DSS, including completion of mandatory internal and external quarterly scans. Our latest Attestation of Compliance is dated August 1, 2025; the public AoC is available via the Trust Center.

Question 9

What are CBT Nuggets' change management and audit log review processes?

Accepted Answer

Change management follows a documented process: request submission, approval, testing, and controlled implementation to ensure system stability and security. Audit logs run automated anomaly analysis that generates alerts for suspicious activity; we conduct manual reviews based on these alerts and through periodic sampling to ensure compliance.

Question 10

How does CBT Nuggets engage in risk assessment?

Accepted Answer

We conduct comprehensive risk assessments annually with quarterly reviews of critical systems. Our methodology aligns with industry-recognized frameworks; findings are documented and remediation tracked. Third-party services provide 24/7 monitoring with defined incident response procedures: detection, classification, containment, eradication, and final review.

Question 11

Does CBT Nuggets customize or negotiate its Privacy Policy?

Accepted Answer

No. Because CBT Nuggets provides commercial off-the-shelf subscription access to our online training resources, we collect, process, and store end-user information uniformly for all customers. The terms of our Privacy Policy are non-negotiable; end-user acceptance is a prerequisite for accessing our COTS services.

Question 12

What categories of personal data does CBT Nuggets process?

Accepted Answer

Please review the "Information We Collect" section of our Privacy Policy for the authoritative list. The training platform itself processes the bare minimum needed to deliver service — primarily the end user's first and last name, business email address, and IP address — alongside training engagement data (course progress, completions, time on platform). Marketing and lead-capture surfaces additionally collect company name and phone (when provided), and the billing flow processes payment information through our PCI-DSS-attested processor. Where customers connect SSO via Entra or Okta, we receive the SAML claims they configure (typically email and a display name). All categories are governed by the same Privacy Policy.

Question 13

Where does CBT Nuggets process and store customer personal data?

Accepted Answer

Per the "Where We Keep Your Data" section of the Privacy Policy: data is transferred to and stored at a destination outside the European Economic Area. Servers are located in the United States; data may be processed in the United States, Mexico, Australia, the United Kingdom, and other countries with adequacy decisions or appropriate safeguards in place. Primary storage is AWS US-East-1, replicated across multiple availability zones.

Question 14

What are the appropriate safeguards CBT Nuggets has adopted?

Accepted Answer

We comply with our obligations under the UK and EU GDPR in our Controller-to-Controller data processing role and with applicable U.S. data privacy legislation, including the California Consumer Privacy Act as updated by the California Privacy Rights Act. We enter into written Data Processing Agreements with any engaged processor, ensuring data protection standards no less protective than our own. We additionally adhere to the operational procedures and responsibilities listed in the Security FAQ above. Finally, we engage in data minimization — collecting only what is necessary for service delivery.

Question 15

What personal data does CBT Nuggets disclose?

Accepted Answer

See the "Information We Disclose" section of our Privacy Policy. We will not rent, sell, share, or otherwise disclose personal data to third parties for their direct marketing purposes. Our relationship with customers is Controller-to-Controller as defined under EU/UK GDPR. As a Controller per Article 15 of the EU GDPR, we leverage third-party processors as necessary for service delivery in these categories: website hosting (data centers, databases, internal dev tools), administration services (billing, accounting, payments, CRM, data enrichment, customer accounts, communications), service delivery (practice exams, virtual labs, certifications, video encoding, content delivery, customer service), mailing list (opted-in marketing and transactional communications), website interaction technologies (cookies, web beacons, pixels), and contractor services (engineering, content creation, sales and marketing).

Question 16

Does CBT Nuggets enter into Data Processing Agreements with customers?

Accepted Answer

No. Because we provide commercial off-the-shelf membership access to our training resources, we collect, process, and store end-user information uniformly for all customers. Our customer relationship is Controller-to-Controller as defined under EU/UK GDPR, and our Terms and Membership Agreements incorporate our Privacy Policy — which is our commitment to learners regarding data processing in lieu of any DPA.

Question 17

Does CBT Nuggets enter into Standard Contractual Clauses (SCCs) with customers?

Accepted Answer

No. Per Article 49 of the GDPR, the limited end-user data we collect (first name, last name, business email, IP address) falls under exception 1(c). Transfer is necessary for customers to enter into a contract with CBT Nuggets and necessary for CBT Nuggets to deliver services for the benefit of customer employees. We participate in the EU-US, UK-US, and Swiss-US Data Privacy Framework as detailed in our Privacy Policy.

Question 18

Does CBT Nuggets conduct DPIAs or TIAs with customers?

Accepted Answer

Per the European Commission, a DPIA is required when processing is likely to result in high risk to individual rights and freedoms. CBT Nuggets does not collect or process sensitive data on a large scale, and the data we process is not likely to result in such risk. A TIA is unnecessary in our circumstance — TIA compliance derives from Clause 14 of the new SCCs published by the European Commission in June 2021; we are not contracting with SCCs and do not rely on them for service provision.

Question 19

Which compliance frameworks does CBT Nuggets adhere to?

Accepted Answer

PCI DSS (latest AoC dated August 2025), GDPR (EU and UK, Controller-to-Controller role), CCPA as updated by CPRA (California), and the EU-US, UK-US, and Swiss-US Data Privacy Framework. Our accessibility commitment aligns with WCAG 2.2 Level A/AA. We are a U.S. government contractor.

Question 20

Does CBT Nuggets share its penetration test reports with customers?

Accepted Answer

Pen-test reports are available under NDA to active customers via the gated Trust Center. We do not share reports broadly due to our status as a U.S. government contractor.

Question 21

What is CBT Nuggets' approach to change control?

Accepted Answer

Our change-control process ensures all modifications prioritize system integrity and service continuity. We follow a structured approach emphasizing application functionality and logic assurance, with documented request submission, approval, testing, and controlled implementation phases.

Question 22

What is CBT Nuggets' EIN/TIN, and what entity type is it?

Accepted Answer

EIN/TIN: 20-4728860. CBT Nuggets, LLC is a Delaware limited liability company formed April 19, 2006 (Registration Number 4144368). Tax residency, Delaware Good Standing, and Modified Sole Source documents are available via the Trust Center for procurement purposes.

Question 23

Does CBT Nuggets dba Adept follow WCAG guidelines?

Accepted Answer

Yes. CBT Nuggets is committed to making its website usable by all people, including those with disabilities, by meeting or exceeding the requirements of the Web Content Accessibility Guidelines 2.2 Level A/AA (WCAG 2.2 A/AA).

Question 24

Does CBT Nuggets dba Adept have a VPAT?

Accepted Answer

Yes. The latest Voluntary Product Accessibility Template (VPAT v2.5, covering Section 508, EN 301 549, and WCAG 2.2) is available via the Trust Center for procurement reviewers.

Question 25

Where can I get more information about CBT Nuggets' accessibility compliance posture?

Accepted Answer

See the public Accessibility statement at /accessibility for a summary, and the Trust Center for the full VPAT and Accessibility Statement documents.

Security, privacy, and compliance at CBT Nuggets

The top procurement questions, answered on one page

Security

Data privacy

Compliance & audits

Accessibility

Business conduct and corporate responsibility

Categories of third-party processors

Website Hosting

Administration Services

Service Delivery

Mailing List

Website Interaction Technologies

Contractor Services

Signed artifacts and policies

Security

Compliance

Privacy

Accessibility

Business Continuity

Procurement

Need pen-test reports, architecture diagrams, or a legal conversation?

See how CBT Nuggets fits your team's compliance posture