
Security at TuitionManager

Protecting your data is our highest priority

Introduction

At TuitionManager, we take every aspect of data security very seriously, and we are continually improving our tools and methodologies to protect the data of our customers.
  • We maintain a comprehensive security program used by all employees and contractors, including annual training
  • We follow the NIST Cybersecurity Framework, the nationally-recognized leader for cybersecurity standards and best practices
  • We employ security experts who are committed to professional development through industry-standard certifications such as CISSP and CISM
  • IT staff are active members in ISACA, OWASP, and W3C

Compliance

SOC II Type 2

We maintain SOC II Type 2 compliance as recognition of our adherence to strict internal controls related to security, system availability, processing integrity, confidentiality, and privacy. On an annual basis, we undergo a rigorous audit process performed by a certified, independent firm.

General Data Protection Regulation (GDPR)

We are compliant with the European Union's General Data Protection Regulation (GDPR). For more information, please read our privacy statement.

California Consumer Privacy Act (CCPA)

We are compliant with the California Consumer Privacy Act of 2018. For more information, please read our privacy statement.

Application Security

Role-Based Access

The ability to perform system actions, or view application or employee information is controlled through our internal role-based security model, which adheres to the least-privilege access philosophy. Only those users who have been expressly granted security rights will be able to perform the specified action.

Secure Coding

Our developers follow a formalized structure to ensure secure coding techniques are applied at every phase of the system development lifecycle:
  • Adhere to guidelines of OWASP Top 10 vulnerabilities
  • Perform unit testing, undergo a mandatory security code review, and submit to quality assurance analysis prior to production implementation
  • Receive all necessary change management approvals, along with documenting step-by-step instructions for production implementation and rollback
  • Participate in ongoing secure code training covering emerging threats, common attack vectors, and new security flaws

Data Storage

TuitionManager development and testing environments are separate from production. Customer data is stored in customer-specific databases, each with unique authentication credentials and access controls, eliminating the possibility of cross-client data access.

Vulnerability Scans

We regularly scan source code and systems for vulnerabilities and take the necessary remediation steps immediately.

Single Sign-On (SSO)

We encourage customers to manage user authentication by connecting their identity management system to TuitionManager using SAML 2.0. This allows for multi-factor authentication and advanced password rules specific to your organization, which can override or replace TuitionManager defaults.

Passwords

In addition to SSO, TuitionManager offers a local authentication method. Passwords associated with these local employee accounts are stored in a salted, irreversible hash format. While our password policy contains configurable options for customers, our rules and recommendations are based on current NIST guidelines:
  • Prefer passphrases to passwords, with 15 or more characters optimal
  • Password expiration for good cause only
  • Complexity not required
  • Limit authentication attempts / account lockouts enabled
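The following is an added illustration of the local-account rules listed above (salted, irreversible hashing; length-based passphrase policy with no complexity requirement; limited authentication attempts with lockout). It is example code written for this page, not TuitionManager's own implementation. The lockout threshold (5 attempts) and lockout duration (15 minutes) are assumed values for the demonstration; the page does not state them. PBKDF2-HMAC-SHA256 from the Python standard library stands in for whichever salted hash the product uses.

```python
import hashlib
import hmac
import os
import time
from typing import List, Optional, Tuple

MIN_PASSPHRASE_LEN = 15      # "15 or more characters optimal" (from the policy above)
MAX_FAILED_ATTEMPTS = 5      # assumed lockout threshold, not stated on the page
LOCKOUT_SECONDS = 15 * 60    # assumed lockout duration, not stated on the page
PBKDF2_ITERATIONS = 200_000  # example work factor; tune to your hardware


def check_passphrase_policy(passphrase: str) -> List[str]:
    """Return a list of policy violations; an empty list means the passphrase is acceptable.

    Length is the only hard requirement. Deliberately no character-class rules
    (upper/lower/digit/symbol), matching the "complexity not required" guideline.
    """
    problems = []
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        problems.append(f"must be at least {MIN_PASSPHRASE_LEN} characters")
    return problems


def hash_passphrase(passphrase: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive an irreversible, salted hash. A fresh random salt is generated when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_passphrase(passphrase: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, digest = hash_passphrase(passphrase, salt)
    return hmac.compare_digest(digest, expected)


class LocalAccount:
    """A local employee account: stores only salt + hash, never the passphrase."""

    def __init__(self, passphrase: str):
        problems = check_passphrase_policy(passphrase)
        if problems:
            raise ValueError("; ".join(problems))
        self.salt, self.digest = hash_passphrase(passphrase)
        self.failed_attempts = 0
        self.locked_until = 0.0

    def login(self, passphrase: str, now: Optional[float] = None) -> str:
        """Return "ok", "denied" or "locked". `now` is injectable so the lockout is testable."""
        if now is None:
            now = time.time()
        if now < self.locked_until:
            return "locked"          # still inside the lockout window; do not even check the hash
        if verify_passphrase(passphrase, self.salt, self.digest):
            self.failed_attempts = 0  # successful login resets the failure counter
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failed_attempts = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    # Constructed sample passphrase for the demonstration.
    acct = LocalAccount("correct horse battery staple")
    print(acct.login("correct horse battery staple"))   # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(acct.login("not the right phrase"))       # denied x4, then locked
```

Two design points worth noting: the lockout check happens before the hash is recomputed, so a locked account costs the server nothing per attempt, and `hmac.compare_digest` is used instead of `==` so that verification time does not leak how many leading bytes of the hash matched.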

Infrastructure

Data Center

TuitionManager is hosted with Rackspace, which provides world-class security and privacy features. Rackspace maintains an extensive list of security certifications including ISO 27001 & 27001, SSAE16, and SOC 2. For more information regarding Rackspace security, please visit https://www.rackspace.com/security.

Network

Access to our production systems is tightly-controlled through strict authentication rules and multi-factor authentication. We also utilize intrusion detection & intrusion prevention systems, firewalls, and advanced email filtering to actively monitor potential security threats.

Access & Authentication

TuitionManager support staff are required to access the network over a secured VPN using multi-factor authentication. Audit logs store history on all sessions, including failed connection attempts and all issued commands.

Reliability & Availability

TuitionManager maintains a publicly available system status webpage, which includes details related to system availability, scheduled maintenance, service incident history, and relevant security events.

Backup & Disaster Recovery

All customer data is backed up nightly and stored in our secure data centers. We have a documented disaster recovery program that is tested on an annual basis.

Data Encryption

Data is encrypted during transit over SFTP with PGP, on our website with TLS/SSL, and at rest using recognized encryption protocols.

Virus Protection

We perform continuous, automatic monitoring for (and deletion of) viruses on all infrastructure components including servers and employee computers. Virus scan definitions are updated on a daily basis.

Patching

We regularly patch and update all infrastructure components based on the latest available stable builds, in accordance with our internal patch policy.
