IMPACT SUITE

Trust Center

Impact Suite is built from the ground up with security as a foundational principle. Our platform employs multiple layers of protection to ensure that sensitive student information remains secure, private, and compliant with all applicable regulations.

Infrastructure Security

Cloud-First Architecture

Impact Suite leverages Amazon Web Services (AWS) infrastructure, which provides:

  • HIPAA-compliant hosting with dedicated security controls

  • Enterprise-grade certified data centers with physical security measures

  • 99.9% uptime guarantee with redundant systems and failover capabilities

  • US-based data residency ensuring compliance with federal data sovereignty requirements

Network Security

  • Virtual Private Cloud (VPC) isolation separating Impact Suite infrastructure from public internet

  • Security groups and Network ACLs providing firewall protection at multiple levels

  • SSL/TLS termination at load balancer level for secure connection handling

Data Protection

Encryption Standards

  • AES-256 encryption at rest for all stored data including:

    • Student records and personal information

    • Assessment results and behavioral data

    • File uploads and documents

    • System logs and audit trails

  • TLS 1.2/1.3 encryption in transit for all data movement:

    • Browser-to-server communications

    • API calls and data synchronization

    • Database connections with certificate verification

    • Third-party integrations

Database Security

  • PostgreSQL with SSL verification ensuring secure database connections

  • Certificate-based authentication preventing unauthorized database access

  • Database encryption with separate encryption keys for different data types

  • Regular backup encryption with geographically distributed storage

Access Control & Authentication

Multi-Factor Authentication (MFA)

  • Required for all administrative accounts including district administrators and support staff

  • TOTP (Time-based One-Time Password) support

Role-Based Access Control (RBAC)

  • Role hierarchies ensuring appropriate access levels:

    • District administrators

    • School administrators

    • Counselors and support staff

    • Teachers and instructional staff

  • Principle of least privilege - users only see data necessary for their role

  • Dynamic access controls based on school assignments and team memberships

Session Management

  • Secure session handling with encrypted session tokens

  • Automatic timeout after periods of inactivity

  • Concurrent session limits to prevent unauthorized account sharing

  • Session invalidation upon password changes or security incidents

Compliance & Regulatory Standards

FERPA Compliance

  • Educational record protection in accordance with 34 CFR Part 99

  • Parent/student access rights with secure processes for obtaining data access

  • Consent management for data sharing beyond educational purposes

  • Directory information controls allowing opt-out of public information sharing

  • Audit trails for all data access and modifications

HIPAA Compliance

  • Protected Health Information (PHI) handling for health-related student data

  • Business Associate Agreements (BAAs) with all subprocessors

  • Minimum necessary standard - access limited to required information only

  • Breach notification procedures in compliance with federal timelines

  • Administrative, physical, and technical safeguards as required by HIPAA Security Rule

Additional Compliance Standards

  • COPPA compliance for users under 13 years of age

  • State-specific privacy laws including California Student Privacy Rights Act

  • GDPR considerations for international students or family members

Third-Party Security Management

Subprocessor Oversight

All third-party services undergo rigorous security evaluation:

  • Security questionnaires covering technical, administrative, and physical controls

  • Contractual data protection agreements with liability and breach notification clauses

  • Regular security assessments and compliance monitoring

  • Incident response coordination for multi-vendor security events

SIS Integration Security

  • Secure API connections using OAuth 2.0 and API keys

  • Data synchronization encryption for student roster and grade information

  • Automated data validation to prevent corruption or unauthorized changes

  • Rollback capabilities for data integrity issues

Monitoring & Incident Response

Security Monitoring

  • 24/7 automated monitoring for security threats and anomalies

  • Intrusion detection systems with real-time alerting

  • Log analysis and correlation using machine learning for pattern recognition

  • Vulnerability scanning and automated security assessments

  • Performance monitoring to detect potential security impacts

Incident Response Procedures

  • Dedicated security team with rapid response times

  • Breach notification procedures meeting federal and state requirements

  • Recovery and remediation plans tested quarterly

  • Post-incident analysis and security improvements

Data Governance & Lifecycle Management

Data Minimization

  • Collection limited to educational necessity with clear purpose statements

  • Regular data audits to identify and remove unnecessary information

  • User consent tracking for optional data collection

  • Automated data expiration for temporary information

Retention & Deletion

  • Configurable retention policies based on district requirements

  • Automated deletion schedules for compliance with state and federal laws

  • Secure data destruction with cryptographic erasure methods

  • Certificate of destruction provided for audit purposes

Security Certifications & Audits

Current Certifications

  • AWS Security Best Practices - Infrastructure compliance validation

  • Regular penetration testing by certified ethical hackers

  • Third-party security assessments conducted annually

  • Ongoing compliance framework development for industry standards

Ongoing Security Improvements

  • Quarterly security reviews with development and operations teams

  • Annual security training for all staff members

  • Annual security policy updates based on emerging threats

  • Continuous security tool evaluation and implementation

Student Data Categories Protected

Personally Identifiable Information (PII)

  • Full name, student ID numbers, and demographic information

  • Contact information including addresses, phone numbers, and email addresses

  • Family information including parent/guardian contacts and relationships

  • Photographs and biometric data (if applicable)

Educational Records

  • Academic transcripts, grades, and test scores

  • Attendance records and disciplinary information

  • Special education records and accommodation plans

  • Counseling and intervention documentation

Health Information

  • Medical alerts and health conditions

  • Medication information and administration records

  • Mental health assessments and treatment plans

  • Emergency contact and medical contact information

Behavioral Data

  • Threat assessment results and safety plans

  • Behavioral intervention documentation

  • Crisis response and incident reports

  • Risk assessment scores and recommendations

Transparency & Accountability

Data Processing Transparency

  • Clear privacy policies explaining all data collection and use

  • Data processing agreements with detailed security requirements

  • Regular privacy impact assessments for new features and integrations

  • Public security documentation available for review

Accountability Measures

  • Dedicated Data Protection Officer responsible for privacy compliance

  • Regular compliance audits with detailed reporting

  • Incident disclosure policies with transparent communication

  • Customer security support including technical documentation and training

Contact Information

For security questions, incident reporting, or compliance documentation:

  • Security Team: security@impactsuite.com

  • Data Protection Officer: privacy@impactsuite.com