Security Content | SLP Toolkit

Revision Date: Jun 23, 2024

The security of your data is very important to all of us at SLP Toolkit, LLC, an Arizona limited liability company (“Company,” “we,” “our,” or “us”). We have established this security procedures document (“the Procedures”) to explain some of the execution details associated with our Sites and Services (as defined in the Terms of Use and the Terms of Service policies).

Security Covered In This Policy

This policy covers the security of data that we store for our users, meaning the things we do to prevent access by parties who are not authorized to access the data. It does not cover the privacy of your data, meaning the use or disclosure of data we collect. Privacy is covered in our Privacy Policy.

Existing Standards

We strive to comply with, and assist Account Owners to comply with, applicable parts of all standards involving data security:

Family Educational Rights and Privacy Act (FERPA)

The most applicable federal standard concerning student data is the Family Education Rights and Privacy Act (FERPA). It lays out some of the most basic things a school official like SLP Toolkit needs to do. We’ve compiled our responsibilities (and yours as an organization) into an easy-to-digest document for your convenience. You can download it with the link Here.

Health Insurance Portability and Accountability Act (HIPAA)

SLP Toolkit is not a covered entity under HIPAA, and is not a business associate of any covered entity under HIPAA. As a result, The Company is not required to comply with HIPAA standards. If you or your organization are a covered entity under HIPAA, and are required to sign business associates agreements with all 3rd party vendors and contractors, please send an email to privacy@slptoolkit.com requesting additional information about a business associate agreement.

Children’s Online Privacy Protection Rule (COPPA)

Our Services are directed towards adults who are of the legal age to access them in their respective jurisdictions and who reside in the United States. If you believe we might have any information from or about a user who is ineligible to use the Services, please contact us at privacy@slptoolkit.com

State based laws, rules, & regulations

In the ever-changing world of privacy regulation, each state attempts to do things the right way. You can find more information in our knowledge base specific to your state here.

Others

  1. Pupil records: privacy: 3rd-party contracts: digital storage services and digital educational software (AB 1584)

  2. American recovery and reinvestment act (ARRA), Public Law 111-5

  3. 42 US Code, section 17932 for notification in case of breach

  4. ISO 27002

  5. NIST 800-53

  6. Individuals with Disabilities Education Act (IDEA)

  7. Student Online Personal Information Protection Act (SOPIPA)

  8. Protection of Pupil Rights Amendment (PPRA)

Many of the procedures outlined in this document were created using the best practices for complying with the above laws and regulations.

Data Encryption

The Site secures all data by using encryption when at rest (stored in a database), and while in transit. Data is protected with 128-bit AES encryption at rest, and during transit using industry standard SHA-256 SSL certificates with RSA Encryption. User passwords are hashed and are never stored in plain text.

The Site uses double-encryption for all student data, utilizing both database level encryption and user level encryption with separate private keys. Student data includes details like name, grade, assessments, goals, notes, and any other associated information entered while using our Site and Services (“Student Data”).

Databases, along with their redundant online backups, offline backups, audit logs, and all other associated data are stored on servers located in the United States.

Two Factor Authentication & Passwords

The Site enforces the use of strong passwords. They must be at least 8 characters in length, consist of at least one letter and at least one number, and not be a stand-alone dictionary word. Two factor authentication (2FA) will be required with your user email anytime you log in from a new browser or device. It will also be required every 30 days for continued access on the same browser.

Automatic Logoff

The Site requires a user to re-authenticate every 30 days, and users will be subject to a 2FA challenge at this time as well. Logging off after accessing The Site from a public or shared computer is recommended to prevent other users from accessing Student Data when not authorized.

User Identity Tracking & Audit

Account data is only accessible by authorized personnel using their login credentials and unique access keys. All user connections to the software are authenticated via x.509 client certificates, and keys are tracked, secured, and rotated regularly. All security changes and database operations (create/read/update/delete) are audited for each user. Audit logs are retained as defined by the disaster protection & recovery section, and are stored in a secure remote location.

Data Integrity

The Site employs encryption at rest for all data, which verifies the integrity of data every time it is accessed by an authorized user. Backups can be used to restore data in the event of data loss or corruption. These backups are not accessible for users, or during the normal course of business for employees.

Firewall

The Site databases and application services are hosted using high-performance cloud servers. Firewalls are in place to route network traffic securely, shield servers from attack, and prevent the loss of data. These firewalls block certain types of traffic that may be used to otherwise compromise a system and gain access. Additional information about specific security compliance is available upon request.

Access Authorization

We understand that the malicious activity of an employee or agent of the Company can have severe consequences on the integrity and confidentiality of data contained in the system. This being the case, the operation of The Site wouldn’t be possible without a few people having access to certain critical systems. This team is prohibited from using these permissions to view Student Data without an Account Owner’s permission, unless otherwise stated. The Company requires all employees and agents who have access to Student Data to pass a criminal background check and comply with all applicable provisions of the Company’s policies and procedures.

Facility & Workstation Security

Laptops, PCs, and other devices on premises at The Company are never logged into accounts with Student Data during the course of normal operation. With that said, the operation of The Site would not be possible without giving a few technical people temporary access to the accounts and databases. PCs and other devices on premises are protected with user logins and the data is only stored in memory temporarily to perform the specific task.

Disaster Protection & Recovery

We currently back up all data in snapshots and store this data in a secure remote location on a standard and recurring schedule. Restoring data requires a manual process with multiple levels of authentication. Audit logs are retained for a minimum of 6 months.

3rd Parties

Data & Web Hosting

We use a combination of Heroku, Hasura, Firebase/Firestore, MongoDB Atlas, and AWS to host our various apps and keep data secure. All data is stored on servers in the United States, so it stays subject to the laws in the US. These services all work together so we can deliver our apps reliably to your computers, iPads, and phones every day.

Hasura Security (Kit for Teams)

Firebase/Firestore Privacy and Security (Kit)

Heroku compliance center (SLP Toolkit)

​Mongo DB Atlas trust center (SLP Toolkit)​

AWS Privacy (SLP Toolkit, Kit, and Kit for Teams)​

Payment Processing

We use Stripe to process credit cards and track subscriptions for our individual SLP Toolkit and Kit users. Stripe is compliant with PCI standards, and we let them handle the security and privacy for our users’ credit card info.

Click here to read Stripe privacy & security docs

Others

We use a number of other services to collect data about our apps and our users so we can monitor and improve the applications. Data is never sent or sold to other 3rd parties or advertisers.

Amplitude.com is used to review user behavior and post info to app users.

Intercom.com is used to provide you support and our knowledge base.

Mailchimp.com is used to send out our newsletter and other emails.

Periodic Evaluations

We conduct annual reviews of current policies, procedures, and subcontractor agreements to ensure that they are up to date and reflect current standards. Security measures are reviewed bi-annually to verify that all data is secure.

Notification of Changes

Due to the rapidly evolving nature of the Internet, we may need to update the Procedures from time to time. Any updates to the Procedures will be posted on the Site and/or sent to you through email notifications. We encourage you to review the Procedures regularly for any changes. Your continued use of the Site and/or Services after we have posted such changes will constitute your acceptance to all changes and you will be subject to the terms of the then-current Procedures.

If you would like to receive emails concerning all changes to the Procedures, our terms of use, and privacy policies, you can opt into the email list found here. Note that it is necessary to double opt-in to this list to ensure that only valid email addresses are added to the list.