Comprehensive Security Overview

Our comprehensive approach to data protection, including NIST Cybersecurity Framework alignment, encryption standards, and technical controls.

Security Framework & Approach

Impact Suite's security program is built on the NIST Cybersecurity Framework, providing a comprehensive, risk-based approach to protecting student data and educational agency information. Our program is managed by dedicated security and compliance professionals and undergoes regular third-party assessments to ensure effectiveness.

Key Metrics:

  • 24/7 Monitoring

  • 99.9% Uptime SLA

  • Annual Penetration Testing

  • Quarterly Compliance Reviews

How We Implement Security

Our security implementation follows industry best practices and is managed through our Thoropass compliance platform, ensuring consistent application of controls and continuous monitoring of our security posture.

Governance Structure

Kris Kofoed, Compliance Officer: Oversees the entire security and compliance program, manages policy development and updates, coordinates security assessments and audits, and serves as primary compliance contact.

Zach Johnson, VP of Product & Safety Officer: Manages technical security implementation, leads incident response activities, oversees vulnerability management, and ensures secure development practices.

Thane Tyler, Director of Engineering: Implements security controls, maintains infrastructure security, conducts security testing, and responds to security incidents.

Process & Procedures

Policy Management: Comprehensive security and privacy policies documented in Thoropass, reviewed quarterly, and updated as needed.

Risk Assessment: Annual comprehensive risk assessments, continuous risk monitoring, and vulnerability management.

Compliance Monitoring: Automated control monitoring through Thoropass, regular compliance audits, and quarterly executive reviews.

Continuous Improvement: Regular security assessments, implementation of lessons learned, and adoption of emerging best practices.

Implementing Contract Requirements Throughout the Lifecycle

Impact Suite maintains a comprehensive compliance framework to ensure ongoing adherence to all contractual data security and privacy requirements from contract inception through termination.

Organizational Structure

Dedicated Compliance Leadership:

  • Kris Kofoed (kris.kofoed@impactsuite.com) serves as our Compliance Officer

  • Oversees all data privacy and security compliance activities

  • Primary liaison for educational agencies on compliance matters

  • Coordinates cross-functional compliance initiatives

  • Manages contract-specific requirements

Compliance Management Framework

Thoropass Platform: Impact Suite utilizes Thoropass, an enterprise compliance management platform, to:

  • Maintain continuous compliance monitoring across technical and organizational controls

  • Track policy implementation and evidence collection

  • Automate compliance workflows and attestations

  • Document security controls mapped to FERPA, HIPAA, and NIST CSF

  • Generate audit-ready compliance reports for educational agency review

Ongoing Review and Maintenance

Quarterly Security Reviews: Our security team conducts comprehensive quarterly meetings to

  • Review current security practices against contractual obligations

  • Assess emerging threats and update controls accordingly

  • Evaluate new educational agency requirements

  • Prioritize security enhancements and remediation efforts

Annual Policy Updates: All security and privacy policies undergo formal annual review and update to:

  • Incorporate regulatory changes and new legal requirements

  • Reflect infrastructure and operational changes

  • Address lessons learned from security assessments and incidents

  • Align with updated NIST Cybersecurity Framework guidance

Continuous Monitoring: Real-time compliance monitoring through:

  • Automated security controls validation via Thoropass

  • 24/7 threat detection and incident response capabilities

  • Regular vulnerability scanning and penetration testing

  • Infrastructure security monitoring through AWS security services

Contract-Specific Implementation

For each educational agency contract, Impact Suite provides:

Initial Assessment: Conducts comprehensive review of contract requirements, identifying specific data elements, security controls, and reporting obligations unique to the engagement.

Configuration Management: Implements contract-specific configurations including:

  • Data access controls aligned with LEA requirements

  • Customized retention schedules per state and local policies

  • Specific encryption requirements beyond standard practices

  • Tailored incident notification procedures

Documentation: Maintains detailed records of:

  • Data Processing Agreements specific to each LEA

  • Subprocessor listings and their security commitments

  • Compliance evidence and audit trails

  • Security incident logs and remediation actions

Periodic Compliance Reporting: Provides educational agencies with:

  • Annual compliance attestations

  • Security assessment results upon request

  • Updated subprocessor lists

  • Material changes to security practices

Adaptability and Continuous Improvement

Impact Suite recognizes that data security and privacy requirements evolve. Our implementation approach includes:

  • Proactive monitoring of regulatory changes affecting educational technology

  • Participation in industry working groups and standards development

  • Regular customer feedback integration into security practices

  • Investment in security infrastructure and tooling aligned with current best practices

Data Encryption & Protection

Encryption at Rest

AES-256 Encryption: All databases storing student data, personally identifiable information, and protected health information are encrypted using AES-256 encryption.

AWS RDS Encryption: PostgreSQL databases hosted on Amazon RDS with AWS-managed encryption keys providing hardware-level encryption.

Encrypted File Storage: Amazon S3 buckets storing uploaded documents, images, and files are encrypted with server-side encryption.

Encrypted Backups: All backup data is encrypted and stored in geographically distributed locations for resilience.

Separate Encryption Keys: Different data types use separate encryption keys for enhanced security segmentation.

Encryption in Transit

TLS 1.2/1.3: All data transmission uses Transport Layer Security (TLS) 1.2 or 1.3, including:

  • Browser-to-server communications

  • API calls and data synchronization

  • Database connections with certificate verification

  • Third-party integrations

Certificate-Based Authentication: Database connections use SSL certificate verification to prevent man-in-the-middle attacks.

HTTPS Everywhere: All web traffic is encrypted with modern cipher suites and perfect forward secrecy.

Secure API Integration: Third-party integrations use encrypted channels with authentication tokens and API key management via OAuth 2.0.

NIST Cybersecurity Framework Alignment

Our security program is organized around the five core functions of the NIST Cybersecurity Framework, demonstrating a mature, comprehensive approach to cybersecurity risk management.

IDENTIFY - Asset & Risk Management

What We Do:

  • Complete inventory of systems and data

  • Regular risk assessments

  • Clear governance structure

  • Understanding of threats and vulnerabilities

  • Asset management and business environment documentation

  • Supply chain risk assessment

Specific Practices:

  • Comprehensive data inventory (see Data Inventory page)

  • Technology asset tracking and management

  • Annual risk assessments

  • Threat modeling for applications and infrastructure

  • Third-party risk evaluation

  • Business impact analysis

Maturity Level: 5-6 (Mostly Implemented)

PROTECT - Security Controls

What We Do:

  • Access control and authentication (MFA, RBAC)

  • Data encryption at rest and in transit

  • Security awareness training

  • Secure development practices

  • Vulnerability management

  • Data security throughout lifecycle

Specific Practices:

  • Multi-factor authentication for admin accounts

  • Role-based access control with least privilege

  • AES-256 encryption at rest, TLS 1.2/1.3 in transit

  • Annual security training (FERPA, COPPA, HIPAA)

  • Background checks for employees with data access

  • Regular vulnerability scanning and patching

  • Secure coding standards and code review

Maturity Level: 6 (Mostly Implemented)

DETECT - Monitoring & Detection

What We Do:

  • 24/7 automated monitoring (AWS CloudWatch)

  • Centralized security logging

  • Anomaly detection

  • Regular vulnerability scanning

  • Security event alerting

  • Continuous monitoring capabilities

Specific Practices:

  • Real-time infrastructure monitoring

  • Authentication and access logging

  • Database activity monitoring

  • Application error tracking

  • Automated alerting for security events

  • Log analysis and correlation

  • Quarterly vulnerability assessments

Maturity Level: 5 (Partially to Mostly Implemented)

RESPOND - Incident Management

What We Do:

  • Documented incident response plan

  • Dedicated response team

  • 72-hour notification timeline

  • Post-incident reviews

  • Annual response testing

  • Communication procedures

Specific Practices:

  • Written incident response plan (tested annually)

  • Cross-functional response team with defined roles

  • Incident classification and escalation procedures

  • Evidence preservation and forensic analysis

  • Stakeholder notification procedures

  • Incident tracking and documentation

  • Post-incident analysis and improvement

Maturity Level: 6 (Mostly Implemented)

RECOVER - Resilience & Recovery

What We Do:

  • Daily automated backups (30-day retention)

  • Business continuity planning

  • 99.9% uptime architecture

  • Disaster recovery procedures

  • Lessons learned implementation

  • Recovery planning

Specific Practices:

  • Automated daily backups to geographically distributed locations

  • High availability infrastructure with redundancy

  • Documented disaster recovery procedures

  • Recovery time and point objectives defined

  • Post-incident improvement implementation

  • Regular backup testing and validation

Maturity Level: 5-6 (Mostly Implemented)


Access Control & Identity Management

Authentication

Multi-Factor Authentication (MFA): Required for all administrative access to prevent unauthorized access even if passwords are compromised.

Single Sign-On (SSO): SAML 2.0 support enabling educational agencies to use their existing identity providers.

Strong Password Requirements: Complexity enforcement, minimum length requirements, and password rotation policies.

Session Management: Automatic timeout after periods of inactivity, session invalidation upon password changes, and concurrent session limits.

Authorization

Role-Based Access Control (RBAC): Granular permissions system ensuring users only access data necessary for their role:

  • District administrators

  • School administrators

  • Counselors and support staff

  • Teachers and instructional staff

Least Privilege Principle: Users granted minimum access necessary to perform their job functions.

Dynamic Access Controls: Access based on school assignments, team memberships, and hierarchical relationships.

Regular Access Reviews: Quarterly review of user access rights and recertification of permissions.

Immediate Revocation: Access immediately revoked upon termination or role change.

Network Security

VPN Access: VPN required for remote administrative access with certificate-based authentication.

IP Whitelisting: Capabilities for restricting administrative access to specific IP ranges when required by educational agencies.

Network Segmentation: Isolation of production, staging, and development environments.

Firewall Rules: Multi-layer firewall protection restricting unnecessary network access.

Continuous Security Monitoring

Impact Suite maintains 24/7 automated monitoring of our infrastructure and applications to detect and respond to security events in real-time.

What We Monitor

System Performance & Availability:

  • Infrastructure health and availability metrics

  • Application performance and error rates

  • Database performance and query patterns

  • Network traffic and bandwidth utilization

Security Events:

  • Authentication attempts (successful and failed)

  • Access patterns and anomalies

  • Database queries and data access

  • Administrative actions and configuration changes

  • API usage and integration activities

Application Activity:

  • User behavior and access patterns

  • Data modifications and exports

  • Feature usage and system interactions

  • Error rates and application failures

Alerting & Response

Real-Time Alerts: Critical security events trigger immediate alerts to security personnel via multiple channels.

Automated Escalation: Severity-based escalation procedures ensure appropriate personnel are notified based on incident criticality.

On-Call Rotation: 24/7 on-call coverage for incident response ensuring rapid response to security events.

Centralized Logging: Comprehensive audit trails and logs maintained for forensic analysis with tamper-proof storage.

Regular Review & Tuning: Monitoring capabilities regularly reviewed and tuned to reduce false positives and improve detection accuracy.


Security Testing & Validation

Vulnerability Management

Regular Scanning: Automated vulnerability scanning of infrastructure and applications on a regular schedule.

Dependency Scanning: Application dependency scanning for known vulnerabilities in third-party libraries and components.

Prioritized Remediation: Vulnerabilities prioritized based on risk (severity, exploitability, exposure) with defined remediation timelines.

Critical Patches: Critical security patches applied within 30 days of identification or release.

Penetration Testing

Annual Testing: Third-party penetration testing conducted annually by certified ethical hackers.

Comprehensive Scope: Testing of infrastructure, applications, APIs, and integrations.

Remediation Verification: All high and critical findings remediated and re-tested to verify fixes.

Documentation: Test results and remediation efforts documented and available to educational agencies upon request.

Security Assessments

Quarterly Reviews: Internal security reviews conducted quarterly by our security team.

Annual Risk Assessments: Comprehensive annual risk assessments identifying and prioritizing security risks.

Policy Audits: Regular audit of policy and procedure compliance.

Continuous Monitoring: Automated control monitoring via Thoropass compliance platform.

Cloud Infrastructure Security

Impact Suite leverages Amazon Web Services (AWS) for cloud infrastructure, providing enterprise-grade security with industry-leading certifications.

AWS Security Features

HIPAA-Compliant Hosting: AWS infrastructure with dedicated security controls meeting HIPAA Business Associate Agreement requirements.

Enterprise Data Centers: Physical security measures including 24/7 monitoring, biometric access controls, and redundant power and climate systems.

Virtual Private Cloud (VPC): Network isolation separating Impact Suite infrastructure from public internet with controlled ingress and egress.

Security Groups & Network ACLs: Multi-layer firewall protection at instance and subnet levels.

US-Based Data Residency: All student data stored in continental US data centers ensuring compliance with federal data sovereignty requirements.

99.9% Uptime SLA: Redundant systems and failover capabilities supporting high availability and business continuity.

AWS Certifications & Compliance

SOC 2 Type II Certified: Annual third-party audits of AWS security controls.

ISO 27001 Certified: International standard for information security management.

FedRAMP Authorized: Federal Risk and Authorization Management Program compliance.

NIST 800-88 Compliance: Certified processes for physical media sanitization and destruction.

Database Security

PostgreSQL Security:

  • SSL verification ensuring secure database connections

  • Certificate-based authentication preventing unauthorized access

  • Database encryption with row-level security controls

  • Automated backup procedures with point-in-time recovery

Database Activity Monitoring: Logging and monitoring of all database activities for security and compliance.
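The Encryption in Transit section and the PostgreSQL Security list above both state that database connections use certificate verification to prevent man-in-the-middle attacks. For a PostgreSQL client that property depends on the libpq `sslmode` parameter: `require` encrypts the connection but accepts any server certificate, `verify-ca` checks the certificate chain but not the hostname, and only `verify-full` does both. The following is an added example, not Impact Suite's code; it parses a libpq connection string (URI or key=value form) and reports which of those postures it actually has, so a connection that is merely encrypted is not mistaken for one that is authenticated. The hostnames and the CA-bundle path in the samples are constructed placeholders.

```python
"""Classify the TLS posture of PostgreSQL (libpq) connection strings.

Added example, not part of the original page. libpq sslmode semantics:
  disable / allow / prefer / require  -> server certificate is NOT verified
  verify-ca                           -> chain verified, hostname NOT checked
  verify-full                         -> chain and hostname verified
Only verify-full gives the man-in-the-middle protection the page describes.
"""
import shlex
from urllib.parse import parse_qs, urlparse

# sslmode values grouped by what they actually authenticate
NO_SERVER_AUTH = {"disable", "allow", "prefer", "require"}
VERIFIES_CA_ONLY = {"verify-ca"}
VERIFIES_FULL = {"verify-full"}


def parse_dsn(dsn: str) -> dict:
    """Parse a libpq URI (postgresql://...) or key=value DSN into a dict."""
    if dsn.startswith(("postgresql://", "postgres://")):
        url = urlparse(dsn)
        # parse_qs returns lists; libpq uses the last occurrence of a key
        params = {k: v[-1] for k, v in parse_qs(url.query).items()}
        if url.hostname:
            params.setdefault("host", url.hostname)
        return params
    params = {}
    # shlex handles quoted values such as host='db.example.internal'
    for token in shlex.split(dsn):
        if "=" in token:
            key, _, value = token.partition("=")
            params[key.strip()] = value.strip()
    return params


def assess_dsn(dsn: str) -> dict:
    """Return sslmode, sslrootcert and a verdict (ok / warn / fail) with a reason."""
    params = parse_dsn(dsn)
    sslmode = params.get("sslmode", "prefer")  # libpq default when unspecified
    root_cert = params.get("sslrootcert")
    if sslmode in VERIFIES_FULL:
        if root_cert:
            verdict, reason = "ok", "certificate chain and hostname are verified"
        else:
            # verify-full with no explicit bundle relies on ~/.postgresql/root.crt
            verdict, reason = "warn", "verify-full set but no sslrootcert given"
    elif sslmode in VERIFIES_CA_ONLY:
        verdict, reason = "warn", "chain verified but hostname not checked"
    elif sslmode in NO_SERVER_AUTH:
        verdict, reason = "fail", f"sslmode={sslmode} never authenticates the server"
    else:
        verdict, reason = "fail", f"unknown sslmode {sslmode!r}"
    return {"sslmode": sslmode, "sslrootcert": root_cert,
            "verdict": verdict, "reason": reason}


# Constructed sample connection strings; hosts and bundle path are placeholders
SAMPLE_DSNS = {
    "weak": "postgresql://app@db.example.internal:5432/students?sslmode=require",
    "ca_only": ("host=db.example.internal dbname=students user=app "
                "sslmode=verify-ca sslrootcert=/etc/ssl/rds-ca-bundle.pem"),
    "strong": ("postgresql://app@db.example.internal:5432/students"
               "?sslmode=verify-full&sslrootcert=/etc/ssl/rds-ca-bundle.pem"),
}


def main() -> None:
    for name, dsn in SAMPLE_DSNS.items():
        r = assess_dsn(dsn)
        print(f"{name:8} {r['verdict']:5} sslmode={r['sslmode']:<12} {r['reason']}")


if __name__ == "__main__":
    main()
```

The same check applies to application frameworks that pass a DSN through to libpq: a connection string without an `sslmode` inherits the `prefer` default, which silently falls back to plaintext if the server does not offer TLS.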

Continuous Improvement Roadmap

We're committed to continuously enhancing our security posture. Our roadmap includes:

Near-Term (0-6 months)

Enhanced Threat Detection: AWS GuardDuty implementation for advanced threat detection and automated response to security findings.

SIEM Enhancement: Enhanced Security Information and Event Management (SIEM) capabilities for security event correlation and analysis.

Automated Security Testing: Integration of automated security testing into CI/CD pipeline for continuous security validation.

SOC 2 Preparation: Completing preparation activities for SOC 2 Type II certification audit.

Medium-Term (6-12 months)

Behavioral Analytics: Advanced behavioral analytics for anomaly detection and insider threat identification.

Security Orchestration: Security orchestration and automated response (SOAR) capabilities for faster incident response.

Business Continuity Enhancement: Enhanced business continuity and disaster recovery automation.

Customer Dashboards: Real-time security posture dashboards available to educational agencies.

Long-Term (12-24 months)

SOC 2 Type II Certification: Completion of SOC 2 Type II certification demonstrating mature security controls.

Threat Intelligence: Advanced threat intelligence integration for proactive threat detection.

Customer-Specific Encryption: Customer-specific encryption key management for cryptographic erasure capabilities.

Real-Time Security Reporting: Real-time security posture reporting and compliance dashboards for educational agencies.


Current Compliance & Certifications

Impact Suite maintains compliance with multiple regulatory frameworks and industry standards.

Regulatory Compliance

FERPA Compliance: Family Educational Rights and Privacy Act compliance with educational record protection per 34 CFR Part 99.

HIPAA Compliance: Health Insurance Portability and Accountability Act compliance for Protected Health Information with appropriate administrative, physical, and technical safeguards.

COPPA Compliance: Children's Online Privacy Protection Act compliance for users under 13 years of age.

State Privacy Laws: Alignment with state-specific privacy laws including:

  • California Student Privacy Rights Act (SOPIPA)

  • New York Education Law 2-d

  • Ohio Student Data Privacy requirements

Industry Standards

NIST Cybersecurity Framework: Security program organized around NIST CSF v1.1 core functions.

AWS Security Best Practices: Compliance with AWS security best practices and Well-Architected Framework.

SOC 2 Type II (In Progress): Currently working toward SOC 2 Type II certification demonstrating operational effectiveness of security controls.

Related Documentation

Links:

  • [View Data Inventory] - See what data we protect

  • [View Incident Response] - How we respond to threats

  • [View Training Program] - How we educate our team

  • [View Subprocessors] - Third-party security standards

  • [Download Security Questionnaire] - Request our detailed responses

  • [Schedule Security Consultation] - Discuss your specific requirements

Questions About Our Security Program?

Our security and compliance team is available to answer questions about our security practices, discuss your specific requirements, or provide additional documentation.

Primary Contact: Kris Kofoed, Compliance Officer kris.kofoed@impactsuite.com

Technical Security Contact: Zach Johnson, VP of Product & Safety Officer zach@impactsuite.com

Note: This page is updated quarterly to reflect current security practices and capabilities. For contract-specific questions or custom security requirements, please contact our Compliance Officer.