Subprocessors

Third-party vendors we work with, their security certifications, and how we ensure compliance.

Our Subprocessor Management Approach

Impact Suite works with a limited number of carefully vetted subprocessors to provide infrastructure, integrations, and specialized services. All subprocessors are required to maintain security and privacy standards that meet or exceed our own requirements and comply with applicable data protection laws including FERPA, COPPA, and HIPAA.

Our Commitment:

  • Selective Partnership: We work only with industry-leading providers with proven security track records

  • Contractual Protection: All subprocessors sign Data Processing Agreements or Business Associate Agreements

  • Security Verification: Regular review of subprocessor security certifications and audit reports

  • Change Notification: Educational agencies receive 30-day advance notice of new subprocessors or changes

  • Right to Object: Educational agencies may object to new subprocessors that don't meet their requirements


Current Subprocessors

Subprocessor 1:

Amazon Web Services (AWS)

Service Provided: Cloud Infrastructure & Hosting

What They Process: AWS provides the underlying cloud infrastructure for Impact Suite's platform, including:

  • Database hosting (Amazon RDS - PostgreSQL)

  • File storage (Amazon S3)

  • Application hosting (Amazon EC2)

  • Monitoring and logging (Amazon CloudWatch)

  • All student data, PII, and PHI stored in our platform

Data Location: United States (continental US data centers only)

Security & Compliance:

  • SOC 2 Type II certified

  • ISO 27001 certified

  • FedRAMP authorized

  • HIPAA Business Associate Agreement in place

  • FERPA-compliant cloud services

  • NIST 800-88 certified media destruction processes

Why We Chose AWS: AWS is the industry-leading cloud provider with the most comprehensive security certifications and compliance programs. Their infrastructure provides the reliability, scalability, and security necessary for educational technology applications handling sensitive student data.

Subprocessor 2:

Ednition

Service Provided: Student Information System (SIS) Integration Services

What They Process: Ednition provides SIS integration services through their RosterStream and Extended Data Domains products:

  • Student roster data (name, ID, grade, school)

  • Staff roster data (name, ID, role, school)

  • Class schedules and teacher assignments

  • Guardian contact information

  • Enrollment and demographic data

Data is transmitted via secure SFTP or API connections and only includes information necessary for rostering and platform functionality.

Data Location: United States

Security & Compliance:

  • Compliance with educational data privacy requirements

  • Secure SFTP and API data transmission

  • Data encryption in transit and at rest

  • Regular security assessments

  • FERPA-compliant data handling

Why We Chose Ednition: Ednition specializes in educational data integration and has deep expertise in working with various Student Information Systems. Their RosterStream platform is purpose-built for K-12 data integration with built-in privacy and security controls designed specifically for educational environments.


What Our Subprocessors Are Required To Do

Data Protection Obligations

All subprocessors must:

  • Process data only for providing contracted services

  • Implement appropriate technical and organizational security measures

  • Maintain confidentiality of all educational agency data

  • Not use data for their own purposes or marketing

Compliance Requirements

All subprocessors must:

  • Comply with FERPA, COPPA, HIPAA, and applicable state laws

  • Maintain relevant security certifications (SOC 2, ISO 27001)

  • Conduct regular security assessments

  • Provide evidence of compliance upon request

Incident Response

All subprocessors must:

  • Notify Impact Suite immediately of any security incidents

  • Cooperate in incident investigation and remediation

  • Maintain incident response plans

  • Document and report security events

Data Deletion

All subprocessors must:

  • Delete educational agency data upon contract termination

  • Provide certification of data deletion

  • Follow NIST 800-88 sanitization standards

  • Not retain data beyond service provision


How We Evaluate Subprocessors

Before engaging any subprocessor that will have access to student data or PII, Impact Suite conducts thorough due diligence:

Security Assessment:

  • Review of security practices and controls

  • Verification of encryption capabilities (at rest and in transit)

  • Assessment of access control mechanisms

  • Evaluation of incident response procedures

  • Review of disaster recovery and business continuity plans

Compliance Verification:

  • Review of relevant certifications (SOC 2, ISO 27001, HIPAA)

  • Verification of FERPA and COPPA compliance capabilities

  • Assessment of data handling and retention practices

  • Review of subprocessor's own third-party management processes

  • Evaluation of training programs for personnel

Infrastructure Evaluation:

  • Data storage locations and residency

  • Backup and disaster recovery capabilities

  • Network security architecture

  • Physical security controls

  • Redundancy and availability measures

Contractual Review:

  • Data Processing Agreement execution

  • Business Associate Agreement for HIPAA (when applicable)

  • Insurance and indemnification provisions

  • Terms of service and acceptable use policies

  • Service level agreements

Approval Process: All potential subprocessors are reviewed and approved by our Compliance Officer before engagement. Educational agencies are notified before new subprocessors are added.


Changes to Subprocessors

30-Day Notice: Impact Suite will notify educational agencies at least thirty (30) days in advance of:

  • Adding new subprocessors

  • Material changes to existing subprocessor services

  • Changes to subprocessor data processing activities

  • Changes to data storage locations

Right to Object: Educational agencies have the right to object to new subprocessors or changes if they reasonably believe the subprocessor cannot meet required security or compliance standards. We will work collaboratively to address concerns or identify alternative solutions.

How You'll Be Notified:

  • Email to designated compliance officer

  • Updates posted to this page

  • Notice in quarterly compliance reviews

  • Annual contract renewal communications


Ongoing Subprocessor Monitoring

Impact Suite maintains continuous oversight of all subprocessor relationships:

Regular Reviews:

  • Annual review of subprocessor compliance with agreement terms

  • Quarterly review of security certifications and audit reports

  • Monitoring of security incidents or compliance issues

  • Review of any material changes to subprocessor services

Security Verification:

  • Request and review current SOC 2 and other security certifications

  • Monitor for security breaches or incidents affecting subprocessors

  • Review penetration test results when available

  • Validate compliance with contractual security requirements

Performance Monitoring:

  • Service availability and uptime tracking

  • Incident response effectiveness

  • Support responsiveness

  • Adherence to service level agreements


Subprocessor Security Incidents

In the unlikely event of a security incident at a subprocessor that affects educational agency data:

Notification:

  • Subprocessor is contractually required to notify Impact Suite immediately

  • Impact Suite will notify affected educational agencies within 72 hours

  • Notification includes incident details, affected data, and remediation steps

Coordination:

  • Impact Suite coordinates with subprocessor on incident response

  • We ensure appropriate remediation measures are implemented

  • We verify that vulnerabilities are addressed

  • We evaluate whether continued partnership is appropriate

Transparency:

  • Educational agencies receive regular updates during incident response

  • Post-incident summary provided after resolution

  • Information about preventive measures implemented


Educational Agency Rights Regarding Subprocessors

Educational agencies maintain important rights regarding our use of subprocessors:

Information Rights:

  • Right to know which subprocessors we use (this page)

  • Right to receive current subprocessor list upon request

  • Right to review subprocessor security certifications

  • Right to information about subprocessor data handling

Approval Rights:

  • Right to receive 30-day notice of new subprocessors

  • Right to object to new subprocessors that don't meet requirements

  • Right to negotiate alternative solutions

  • Right to terminate the agreement if a subprocessor is unacceptable

Audit Rights:

  • Right to request subprocessor security documentation

  • Right to require subprocessor compliance verification

  • Right to participate in subprocessor security assessments

  • Right to request independent audits (subject to reasonable confidentiality)


Questions About Our Subprocessors?

If you have questions about our subprocessors, their security practices, or data handling procedures, please contact our Compliance Officer:

Kris Kofoed, Compliance Officer, kris.kofoed@impactsuite.com

We're happy to provide additional information, discuss specific subprocessor requirements, or arrange calls with subprocessor security teams when appropriate.