Third-Party Management

Our process for vetting, contracting, and monitoring third-party vendors who process educational data.

Our Approach to Third-Party Risk Management

Impact Suite recognizes that protecting student data requires not only securing our own systems, but also ensuring that every third-party vendor who processes educational data maintains equivalent security and privacy standards. We implement comprehensive vendor management processes to evaluate, contract with, and monitor all subprocessors who have access to student data or personally identifiable information.

Key Principles:

  • Selective Partnership: We work only with industry-leading providers with proven security track records

  • Thorough Vetting: Comprehensive security assessments before engagement

  • Contractual Protection: All subprocessors sign Data Processing Agreements or Business Associate Agreements

  • Continuous Monitoring: Ongoing oversight of subprocessor compliance and security posture

  • Transparency: Educational agencies informed of subprocessors and changes


Contracting Processes for Employees and Subprocessors

Impact Suite has established comprehensive contracting processes to ensure all employees, contractors, and subprocessors are bound by written agreements to protect student data and comply with applicable privacy laws.


Employee and Contractor Agreements

All Impact Suite employees and contractors are required to sign written agreements that include specific provisions protecting PII, Student Data, and Protected Health Information (PHI).

Binding Contractual Obligations

All Personnel Sign Agreements Including:

Confidentiality Obligations:

  • Explicit requirements to maintain confidentiality of all PII, Student Data, and PHI accessed or processed during employment or engagement

  • Protection obligations extending beyond employment termination

  • Acknowledgment of the sensitivity and importance of educational data

  • Legal consequences for unauthorized disclosure

Data Protection Commitments:

  • Adherence to all applicable privacy laws including FERPA, COPPA, HIPAA, and state-specific student data privacy regulations

  • Compliance with Impact Suite security and privacy policies

  • Implementation of reasonable safeguards to protect data

  • Prohibition on unauthorized use, access, or disclosure

Acceptable Use Requirements:

  • Proper handling, access, and processing of sensitive data

  • Use of data only for authorized business purposes within scope of employment

  • Prohibition on personal use of educational data

  • Restrictions on data storage, transmission, and copying

  • No unauthorized sharing with third parties

Code of Conduct:

  • Ethical standards and professional behavior expectations regarding data handling

  • Integrity and honesty in all data-related activities

  • Respect for student and family privacy

  • Commitment to organizational compliance culture

Incident Reporting:

  • Mandatory reporting of suspected or actual security incidents or privacy breaches

  • Immediate notification to Security Officer or Compliance Officer

  • Cooperation with incident investigations

  • Protection and non-retaliation for good-faith reporting

Termination Obligations:

  • Immediate return or destruction of all confidential information upon separation

  • No retention of student data or PII on personal devices

  • Continuing confidentiality obligations after employment ends

  • Device wiping and account deactivation procedures

Agreement Execution and Management

Before Access: All agreements must be fully executed before employees or contractors receive access to systems containing PII or Student Data.

Maintained By: Agreements are maintained by our Compliance Officer, Kris Kofoed (kris.kofoed@impactsuite.com).

Secure Storage: Digital copies are securely stored and tracked through our compliance management system.

Compliance Monitoring: Agreement compliance is monitored as part of our ongoing security program and periodic access reviews.


Subprocessor Vetting and Due Diligence

Before engaging any subprocessor that will have access to or process Student Data or PII, Impact Suite conducts thorough due diligence to ensure they meet our security and compliance standards.

Vetting Process

Phase 1: Security Assessment

We evaluate potential subprocessors across multiple security domains:

Security Practices and Controls:

  • Review of documented security policies and procedures

  • Assessment of security program maturity

  • Evaluation of incident response capabilities

  • Review of disaster recovery and business continuity plans

Encryption Capabilities:

  • Verification of encryption at rest (AES-256 or equivalent)

  • Verification of encryption in transit (TLS 1.2/1.3 or higher)

  • Assessment of key management practices

  • Review of encryption implementation across all data types

Access Control Mechanisms:

  • Evaluation of authentication methods (MFA support, SSO capabilities)

  • Assessment of authorization models (RBAC, least privilege)

  • Review of account management processes

  • Verification of access logging and monitoring

Incident Response Procedures:

  • Review of written incident response plan

  • Assessment of detection capabilities

  • Evaluation of notification procedures and timelines

  • Review of past incidents and lessons learned

Phase 2: Compliance Verification

We verify regulatory compliance and industry certifications:

Certifications:

  • SOC 2 Type II certification (preferred)

  • ISO 27001 certification

  • HIPAA compliance attestations where applicable

  • Industry-specific certifications

Regulatory Compliance:

  • FERPA compliance capabilities and experience

  • COPPA compliance for services involving children

  • State-specific privacy law compliance

  • Documentation of compliance programs

Data Handling Practices:

  • Assessment of data minimization practices

  • Review of retention and deletion procedures

  • Evaluation of data segregation and isolation

  • Verification of secure disposal methods

Third-Party Management:

  • Review of subprocessor's own vendor management

  • Understanding of their subprocessor relationships

  • Flow-down of security requirements

  • Monitoring of their third parties

Phase 3: Infrastructure Evaluation

We assess the technical infrastructure and operational practices:

Data Storage:

  • Physical location of data centers

  • Data residency and sovereignty compliance

  • Geographic restrictions and controls

  • Ability to meet US-only storage requirements if needed

Backup and Recovery:

  • Backup frequency and retention

  • Geographic distribution of backups

  • Disaster recovery capabilities and testing

  • Recovery time and recovery point objectives

Network Security:

  • Network architecture and segmentation

  • Firewall and intrusion detection systems

  • DDoS protection capabilities

  • Vulnerability management programs

Physical Security:

  • Data center physical security controls

  • Environmental controls (power, cooling, fire suppression)

  • Access controls and monitoring

  • 24/7 security operations

Phase 4: Approval Process

Final approval requires multiple stakeholders:

Compliance Officer Review:

  • Kris Kofoed reviews all security assessments

  • Evaluates compliance with educational data privacy requirements

  • Assesses alignment with Impact Suite standards

  • Determines acceptability of risk

Technical Team Evaluation:

  • Engineering team reviews technical security measures

  • Assesses integration security

  • Evaluates operational compatibility

  • Identifies any technical concerns

Legal Review:

  • Review of contractual terms and conditions

  • Assessment of liability and indemnification provisions

  • Evaluation of data processing terms

  • Identification of unacceptable terms or gaps

Leadership Approval:

  • Final sign-off from executive team before engagement

  • Resource allocation decisions

  • Strategic alignment assessment

  • Authorization to proceed with contracting

Contractual Requirements for Subprocessors

All subprocessors must execute comprehensive written agreements before receiving any access to Student Data or PII. We utilize industry-standard templates with strong data protection provisions.

Data Processing Agreements (DPA)

Standard Template: Impact Suite utilizes the 1EdTech Data Privacy and Security Agreement (DPSA) template as our standard DPA framework for educational technology vendors.

The 1EdTech DPSA Ensures:

Clear Scope Definition:

  • Precise definition of data processing activities

  • Specification of data types and categories

  • Limitations on permitted data uses

  • Alignment with educational purposes only

Data Use Restrictions:

  • Prohibition on use for subprocessor's own purposes

  • No data mining or profiling beyond educational services

  • No targeted advertising using student data

  • No sale or rental of student information

  • No disclosure to third parties without authorization

Security Standards:

  • Alignment with industry frameworks (NIST Cybersecurity Framework, ISO 27001)

  • Encryption requirements (at rest and in transit)

  • Access control and authentication requirements

  • Incident response and breach notification obligations

Data Retention and Deletion:

  • Specified retention periods aligned with educational needs

  • Deletion requirements upon contract termination

  • Secure destruction following NIST 800-88 standards

  • Certification of deletion provided

Subprocessor Management:

  • Flow-down of data protection requirements to subprocessor's vendors

  • Notification and approval requirements for new subprocessors

  • Liability for subprocessor acts and omissions

  • Right to audit subprocessor's subprocessors

Audit Rights:

  • Right to audit subprocessor's security practices

  • Access to compliance documentation and certifications

  • Third-party audit rights with reasonable notice

  • Cooperation with regulatory audits

Breach Notification:

  • Immediate notification to Impact Suite upon discovery

  • Detailed incident information and impact assessment

  • Cooperation with investigation and remediation

  • Notification to affected parties as required

Business Associate Agreements (BAA)

For HIPAA-Covered Data: Subprocessors that will access, store, or process Protected Health Information (PHI) must execute HIPAA-compliant Business Associate Agreements.

Our BAAs Include:

Permissible Uses and Disclosures:

  • PHI use limited to providing contracted services

  • Disclosure restrictions and limitations

  • Specific authorization requirements

  • Prohibition on unauthorized uses

Required Safeguards:

  • Implementation of administrative safeguards per 45 CFR § 164.308

  • Implementation of physical safeguards per 45 CFR § 164.310

  • Implementation of technical safeguards per 45 CFR § 164.312

  • Documentation requirements per 45 CFR § 164.316

Breach Notification:

  • Notification to Impact Suite within 24 hours of discovery

  • Detailed breach information including affected individuals

  • Root cause analysis and remediation plans

  • Cooperation with regulatory notifications

Subcontractor Management:

  • Written authorization required before engaging subcontractors

  • Flow-down of BAA obligations

  • Business Associate Agreements with subcontractors

  • Liability for subcontractor compliance

Access and Audit Rights:

  • Right to audit PHI handling practices

  • Access to policies and procedures

  • Review of security assessments

  • Inspection of facilities when appropriate

Termination Provisions:

  • Return or destruction of all PHI upon termination

  • Certification of destruction

  • Retention only if required by law with continued protections

  • Survival of confidentiality obligations

Legal Compliance: All BAAs are based on legally reviewed templates that comply with HIPAA Security Rule requirements and account for HITECH Act enforcement provisions.

Additional Contractual Protections

Our subprocessor agreements also incorporate:

Data Retention Limitations:

  • Maximum retention periods specified

  • Deletion upon expiration or termination

  • No retention for subprocessor purposes

  • Audit of retention compliance

Prohibited Uses:

  • Explicit prohibition on data use for advertising, marketing, or commercial purposes unrelated to services

  • No building of user profiles beyond educational purposes

  • No sale, rental, or disclosure for monetary gain

  • No combination with other data sources for non-educational purposes

Training Requirements:

  • Mandatory employee training on privacy and security

  • Training on FERPA, COPPA, HIPAA as applicable

  • Documentation of training completion

  • Annual refresher training

Insurance and Indemnification:

  • Minimum insurance coverage requirements (cyber liability, general liability)

  • Indemnification for subprocessor breaches or violations

  • Defense and hold harmless provisions

  • Additional insured status where appropriate

Compliance with State Laws:

  • Adherence to applicable state student privacy laws

  • Specific provisions for states with enhanced requirements (California, New York, Ohio)

  • Updates when state laws change

  • Cooperation with state regulatory requirements

Cooperation with Investigations:

  • Cooperation with regulatory investigations or audits

  • Provision of information and documentation as needed

  • Witness availability if required

  • No obstruction of compliance activities

Agreement Review and Oversight

All subprocessor agreements undergo rigorous review and ongoing management to ensure continued compliance and protection of student data.

Legal Review Process

All standard agreement templates undergo comprehensive legal review to ensure:

Legal Compliance:

  • Compliance with current federal privacy laws (FERPA, COPPA, HIPAA)

  • Compliance with state-specific student data privacy laws

  • Alignment with evolving regulatory requirements

  • Enforceability under applicable law

Adequate Protection:

  • Protection of Impact Suite's interests and obligations to educational agencies

  • Adequate protection of student data and PII

  • Appropriate allocation of liability and risk

  • Strong data protection provisions

Enforceability:

  • Clear and unambiguous terms

  • Reasonable and enforceable provisions

  • Proper jurisdiction and venue clauses

  • Dispute resolution mechanisms

Termination and Data Disposition:

  • Clear termination rights and procedures

  • Data return or destruction requirements upon termination

  • Timing and verification of data disposal

  • Survival of critical provisions post-termination

Compliance Officer Management

Kris Kofoed, Compliance Officer, oversees all aspects of subprocessor contracting:

Pre-Execution:

  • Reviews and approves all subprocessor agreements before execution

  • Ensures alignment with Impact Suite security and privacy standards

  • Identifies any unacceptable terms or missing provisions

  • Coordinates with legal counsel on complex terms

Agreement Repository:

  • Maintains current inventory of all subprocessor relationships

  • Tracks agreement execution dates and renewal dates

  • Manages amendments and updates

  • Ensures accessibility for audit purposes

Ongoing Monitoring:

  • Monitors subprocessor compliance with contractual obligations

  • Coordinates security assessments and certification reviews

  • Manages updates when regulatory requirements change

  • Addresses compliance issues or violations

Educational Agency Notification:

  • Ensures timely notification to educational agencies of new subprocessors

  • Provides subprocessor information upon request

  • Communicates material changes to subprocessor services

  • Maintains transparency with educational partners

Continuous Monitoring and Enforcement

Signing a contract is only the beginning. We maintain active oversight of all subprocessor relationships to ensure ongoing compliance with contractual obligations and security standards.

Ongoing Compliance Verification

Annual Reviews:

  • Review of subprocessor compliance with agreement terms

  • Verification that security controls remain effective

  • Assessment of any material changes to services or infrastructure

  • Evaluation of incident history and response

Security Assessment Updates:

  • Request and review current SOC 2 or ISO 27001 certifications

  • Review of penetration testing results when available

  • Monitoring for security breaches or incidents

  • Validation of continued compliance with security requirements

Certification Tracking:

  • Tracking of expiration dates for certifications

  • Proactive request for updated certifications

  • Gap analysis if certifications lapse

  • Escalation if certifications are not renewed

Incident Monitoring:

  • Monitoring for security incidents or breaches affecting subprocessors

  • Review of subprocessor incident reports

  • Assessment of impact on Impact Suite and educational agencies

  • Evaluation of subprocessor incident response effectiveness

Performance Monitoring

Service Availability:

  • Tracking uptime and service availability

  • Monitoring for service disruptions

  • Assessment of impact on educational agencies

  • Escalation of performance issues

Incident Response Effectiveness:

  • Evaluation of response to security incidents

  • Assessment of notification timeliness

  • Review of remediation effectiveness

  • Lessons learned integration

Support Responsiveness:

  • Monitoring support ticket response times

  • Assessment of issue resolution effectiveness

  • Evaluation of communication quality

  • Escalation of support issues

Adherence to SLAs:

  • Tracking against defined service level agreements

  • Reporting on SLA compliance

  • Remediation for SLA violations

  • Contract enforcement when necessary

Contract Updates

Subprocessor agreements are updated as needed to address:

Regulatory Changes:

  • New privacy laws or amendments to existing regulations

  • Updated guidance from federal or state regulators

  • Enhanced security requirements

  • New compliance obligations

Security Enhancement:

  • Emerging security threats and vulnerabilities

  • Industry best practice evolution

  • New security standards or frameworks

  • Technology changes requiring updated controls

Service Changes:

  • Material changes to subprocessor services or features

  • Changes to data processing activities

  • New integrations or capabilities

  • Infrastructure or architecture changes

Incident Response:

  • Lessons learned from security incidents

  • Enhanced security requirements based on incidents

  • Improved breach notification procedures

  • Strengthened remediation obligations

Enforcement and Remediation

In the event of subprocessor non-compliance:

Issue Identification:

  • Immediate notification to Compliance Officer

  • Documentation of the non-compliance

  • Impact assessment on student data protection

  • Risk evaluation

Investigation:

  • Root cause analysis of non-compliance

  • Determination of whether breach of contract occurred

  • Assessment of harm or potential harm

  • Evidence collection and documentation

Remediation Requirements:

  • Notification to subprocessor of non-compliance

  • Required corrective action plan with timelines

  • Enhanced monitoring during remediation period

  • Verification of effective remediation

Escalation:

  • Notification to executive leadership for significant issues

  • Legal involvement for contract breach

  • Notification to affected educational agencies

  • Consideration of contract termination

Termination (if compliance cannot be achieved):

  • Termination of subprocessor relationship

  • Transition to alternative provider

  • Data recovery and secure deletion from subprocessor

  • Notification to educational agencies

Documentation and Transparency with Educational Agencies

Impact Suite maintains comprehensive documentation of all subprocessor relationships and provides transparency to our educational agency partners.

Subprocessor Documentation

Maintained Documentation Includes:

Current Subprocessor List:

  • Name and description of each subprocessor

  • Services provided and data accessed

  • Location of data processing

  • Security certifications held

  • Available to educational agencies upon request

Executed Agreements:

  • Data Processing Agreements (DPAs)

  • Business Associate Agreements (BAAs)

  • Master service agreements

  • Statements of work

  • Amendments and updates

Security Assessments:

  • Initial security assessment results

  • Annual review documentation

  • Penetration testing summaries

  • Vulnerability assessment findings

Compliance Certifications:

  • SOC 2 Type II reports

  • ISO 27001 certificates

  • HIPAA compliance attestations

  • Other relevant certifications

Incident Documentation:

  • Security incident reports

  • Breach notifications

  • Remediation actions taken

  • Post-incident analysis

Educational Agency Notifications

Impact Suite notifies educational agencies:

New Subprocessors (30 Days Advance Notice):

  • Name and description of subprocessor

  • Services to be provided

  • Data that will be accessed or processed

  • Location of data processing

  • Security certifications

  • Right to object if concerns exist

Material Changes (30 Days Advance Notice):

  • Changes to subprocessor services affecting data handling

  • Changes to data processing locations

  • Changes to security posture or certifications

  • Ownership changes or acquisitions

Incident Notifications (Within 72 Hours):

  • Security incidents at subprocessors affecting educational agency data

  • Nature of the incident and data affected

  • Actions taken by subprocessor

  • Impact assessment and remediation plans

Annual Updates:

  • Current subprocessor list

  • Any changes during the year

  • Updated security certifications

  • Summary of any incidents and resolutions

Our Current Subprocessors

Impact Suite works with a carefully selected, limited number of subprocessors. For detailed information about each subprocessor, their services, and security measures, please visit our dedicated Subprocessors page.

Current Subprocessors:

  • Amazon Web Services (AWS) - Cloud infrastructure and hosting

  • Ednition - Student Information System integration services

Vendor Management Best Practices

Impact Suite's vendor management program incorporates industry best practices and evolves to meet emerging challenges.

Key Best Practices

Selective Engagement:

  • Work only with established, reputable vendors

  • Prefer vendors with education sector experience

  • Require strong security track records

  • Verify financial stability and viability

Defense in Depth:

  • Multiple layers of vendor security requirements

  • Both contractual and technical controls

  • Continuous monitoring, not just initial vetting

  • Redundancy in critical services where feasible

Transparency:

  • Open communication with educational agencies about subprocessors

  • Proactive notification of changes

  • Availability of subprocessor security documentation

  • Willingness to discuss vendor selection rationale

Continuous Improvement:

  • Regular review and enhancement of vendor requirements

  • Incorporation of lessons learned from incidents

  • Adoption of emerging security standards

  • Benchmarking against peer organizations


Questions About Our Vendor Management?

For questions about our vendor management practices, specific subprocessors, or to discuss custom vendor requirements, please contact our Compliance Officer.

Primary Contact: Kris Kofoed, Compliance Officer (kris.kofoed@impactsuite.com)

Note: Our vendor management program is reviewed quarterly and updated to reflect evolving security requirements and best practices. All vendor relationships are documented and managed through our compliance management platform.