Privacy & Security Procedures
Revision Date: January 25, 2019
We strive to comply with, and assist Account Owners with complying with, applicable parts of all standards involving Student Data such as the:
- Family Educational Rights and Privacy Act (FERPA)
- Individuals with Disabilities Education Act (IDEA)
- Children’s Online Privacy Protection Rule (COPPA)
- Student Online Personal Information Protection Act (SOPIPA)
- Protection of Pupil Rights Amendment (PPRA)
- Pupil records: privacy: 3rd-party contracts: digital storage services and digital educational software (AB 1584)
- American recovery and reinvestment act (ARRA), Public Law 111-5
- 42 US Code, section 17932 for notification in case of breach
- Health Insurance Portability and Accountability Act (HIPAA)
- ISO 27002
- NIST 800-53
Many of the procedures outlined in this document were created using the best practices for complying with the above laws and regulations.
The Company is not required to retain data after an Account Owner terminates their account. All data associated with a terminated account will be scheduled for deletion.
Student Data Transfer
The Site provides a mechanism to transfer Student Data from one Account Owner to another Account Owner if both accounts are authorized to manage the data and the data will only be accessible by the receiving Account Owner once the transfer is complete.
Single Student Viewable
The Site provides the ability for Account Owners to view the data for a single student without showing any data for other students. This allows for an Account Owner to review a particular student’s data with a 3rd party when needed.
The Site secures and keeps private Student Data by using encryption when stored, and while in transit. Data is protected with 128-bit AES encryption at rest, and during transit using industry standard SHA-256 SSL certificates with RSA Encryption. User passwords are hashed and are never stored in plain text.
The Site does not require a user to log off and re-authenticate at any specific interval of time. If a user chooses to remain authenticated indefinitely, they may do so. Logging off after accessing The Site from a public or shared computer is recommended to prevent other users from accessing Student Data when not authorized.
We understand that the malicious activity of an employee or agent of the Company can have severe consequences on the integrity and confidentiality of data contained in the system. This being the case, the operation of The Site wouldn’t be possible without a few people having access to certain critical systems. This team is prohibited from using these permissions to view Student Data without an Account Owner’s permission, unless otherwise stated. The Company requires all employees and agents who have access to Student Data to pass a criminal background check and comply with all applicable provisions of the Company’s policies and procedures.
User Identity Tracking & Audit
Account data is only accessible by authorized personnel using their login credentials and unique access keys. All user connections to the software are authenticated via x.509 client certificates, and keys are tracked, secured, and rotated regularly. All security changes and database operations (create/read/update/delete) are audited for each user. Audit logs are retained as defined by the disaster protection & recovery section, and are stored in a secure remote location.
The Site employs encryption at rest for all Student Data in the database, which verifies the integrity of data every time it is accessed by an authorized user. Backups can be used to restore data in the event of data loss or corruption.
The Site databases and application services are hosted using high-performance cloud servers. Firewalls are in place to route network traffic securely, shield servers from attack, and prevent the loss of data. These firewalls block certain types of traffic that may be used to otherwise compromise a system and gain access. Additional information about specific security compliance is available upon request.
The Site enforces the use of strong passwords. They must be at least 8 characters in length, consist of at least one letter and at least one number, and not be a stand-alone dictionary word.
Facility & Workstation Security
Laptops, PCs, and other devices on premises at The Company are never logged into accounts with Student Data during the course of normal operation. With that said, the operation of The Site would not be possible without giving a few technical people temporary access to the accounts and databases. PCs and other devices on premises are protected with user logins and the data is only stored in memory temporarily to perform the specific task.
Disaster Protection & Recovery
We currently back up all data in snapshots and store this data in a secure remote location on a standard and recurring schedule. Restoring data requires a manual process with multiple levels of authentication. Audit logs are retained for multiple years.
We conduct annual reviews of current policies, procedures, and subcontractor agreements to ensure that they are up to date and reflect current standards. Security measures are reviewed bi-annually to verify that Student Data is secure.
Notification of Changes
Due to the rapidly evolving nature of the Internet, we may need to update the Procedures from time to time. Any updates to the Procedures will be posted on the Site and/or sent to you through email notifications. Your continued use of the Site and/or Services after we have posted such changes will constitute your acceptance to all changes.