Clever Security Overview




Clever Security White Paper

Contents

Introduction
Software Security
    Transport Layer Security
    Authenticated API Calls
    Secure OAuth 2.0 Bearer Tokens
    Third Party Penetration Testing and Code Review
Facility Security
    Facility Security Infrastructure
    Certifications and Accreditations
    SAS70 Type II
    PCI DSS Layer I
    ISO 27001
    FISMA
Data Access Grants
    Full School District Data Access Controls
Conclusion

© 2014 Clever, Inc. All Rights Reserved.

Introduction

Clever is a service for transferring student information, in a private and highly secure manner, between authorized parties, generally from a school to a vendor. Clever helps schools protect student data by replacing manual processes, such as emailed CSV files, which are often insecure and insufficient for compliance with the Family Educational Rights and Privacy Act (FERPA). By comparison, Clever is engineered to be a private, reliable, and highly secure alternative for schools to control the transmission of student data. Clever is fully compliant with all federal student privacy mandates (such as FERPA), and complies with local state privacy mandates in all 50 states (such as California SOPIPA and Louisiana HB-1076).

To gain familiarity with Clever, API examples are available on the Clever website at: https://clever.com/developers/docs.

Software Security

Clever uses bank-grade security infrastructure at the software and network level to ensure that student data is always encrypted and transmitted securely. This includes use of TLS / SSL protocols, API call-level authentication, and API bearer tokens with 200 bits of entropy.

Transport Layer Security

Clever requires that all data transfer via its website and API use the Transport Layer Security (TLS) cryptographic protocol over an HTTPS connection. This means that unique session keys are used to encrypt and decrypt data transmissions and to validate transmission integrity. Clever servers prefer perfect forward secrecy (using ECDHE) to encrypt data using 256-bit Advanced Encryption Standard (AES), which surpasses the standard adopted by the consumer banking industry and the US Government for the secure transmission of classified data.

Authenticated API Calls

Clever mandates that all API calls be authenticated individually, meaning that authorized API credentials must be provided each time student data is accessed. For authentication, Clever uses OAuth 2.0 authentication occurring over TLS/SSL protocols.

Secure OAuth 2.0 API Bearer Tokens

Clever isolates and controls data access through the use of API bearer tokens, generating a unique and secure token for each application at each district. This API token infrastructure ensures that individual school districts maintain full discretion and control over the entire data access process, and can easily limit, expand, or revoke those permissions at any time.

Two-Factor Authentication

Clever offers (and recommends) a two-factor authentication mechanism for user account access, requiring authorized team members to first log in using their email address and password, then enter a six-digit access code that refreshes every 30 seconds from a linked mobile device.

Data Isolation

Clever employs district-level data isolation throughout the information transmission pipeline, from data ingestion all the way through to application sync. Individual district-level data sets are normalized and processed in single-use, highly secure, and contained environments. Our production environment is completely inaccessible from the Internet, and all access to it is logged and secured using multiple-factor authentication. Access to the data for districts and partner applications is secured by district- and application-specific credentials.

Third Party Penetration Testing and Code Review

Clever relies on Matasano Security (www.matasano.com), one of the nation's largest online security firms, for comprehensive commercial penetration testing and code review. Matasano employs leading internet security experts, who attempt to breach the Clever security system through a series of increasingly advanced techniques. Matasano security experts have never been able to breach Clever. Following the penetration test, Matasano works with the Clever team to conduct full code review, hardening existing security systems to meet or exceed consumer banking standards. Clever also maintains an active responsible disclosure program, reachable at security@clever.com.
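The per-district, per-application bearer tokens and per-call authentication described above can be sketched as follows. This is an added example, not Clever's code: the GrantRegistry class, its method names and the district and application identifiers are hypothetical, and storing only a hash of each token is an assumption the paper does not state.

```python
import hashlib
import hmac
import secrets

TOKEN_BYTES = 25  # 25 bytes = 200 bits of entropy, the figure the paper cites

class GrantRegistry:
    """Hypothetical store: one bearer token per (district, application)."""

    def __init__(self):
        # (district_id, app_id) -> SHA-256 digest; raw tokens are never kept
        self._grants = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).digest()

    def grant(self, district_id, app_id):
        """District approves an application; the raw token is returned once."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._grants[(district_id, app_id)] = self._digest(token)
        return token

    def revoke(self, district_id, app_id):
        self._grants.pop((district_id, app_id), None)

    def authenticate(self, authorization_header, district_id):
        """Run on every API call; returns the authorized app_id or None."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme.lower() != "bearer" or not token:
            return None
        presented = self._digest(token)
        matched = None
        for (district, app_id), stored in self._grants.items():
            # compare_digest avoids leaking match position through timing
            if district == district_id and hmac.compare_digest(stored, presented):
                matched = app_id
        return matched

def demo():
    """Constructed sample data: two districts, one application."""
    reg = GrantRegistry()
    token_a = reg.grant("district-a", "reading-app")
    reg.grant("district-b", "reading-app")  # different token per district
    before = reg.authenticate("Bearer " + token_a, "district-a")
    cross = reg.authenticate("Bearer " + token_a, "district-b")
    reg.revoke("district-a", "reading-app")
    after = reg.authenticate("Bearer " + token_a, "district-a")
    return before, cross, after
```

A token issued for one district is rejected for another, and revocation takes effect on the next call because no session state outlives a request.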

Facility Security

Clever's data centers are operated by partners with extensive experience in designing, constructing, and operating large-scale data centers. Its data centers are all housed inside the continental United States, in nondescript facilities with extensive setbacks, military-grade perimeter control berms, and natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, biometric employee authentication standards, and other electronic means. Authorized staff must pass multi-factor authentication no fewer than three times to access data center floors.

Data Center Certifications and Accreditations

SOC 1/SSAE 16/ISAE 3402. The SOC 1 report audit attests that the Company's control objectives are appropriately designed and that the controls safeguarding customer data are operating effectively. The audit for this report is conducted in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402).

SOC 2 (formerly SAS70). Includes detailed controls and operates along with an independent auditor opinion about the effective operation of these controls. These controls meet the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Service Principles, including leading practice controls relevant to security, availability, processing integrity, confidentiality, and privacy applicable to service organizations.

PCI DSS Level 1. Company has been independently validated to comply with the PCI Data Security Standard as a hosting provider.

ISO 27001. Company has achieved ISO 27001 certification of the Information Security Management System (ISMS) covering infrastructure, data centers, and services.

FISMA. Company enables government agency customers to achieve and sustain compliance with the Federal Information Security Management Act (FISMA). Company has been awarded an approval to operate at the FISMA Low level. It has also completed the control implementation and successfully passed the independent security testing and evaluation required to operate at the FISMA-Moderate level.

Data Access Grants

Once a school or district begins using Clever, student data will not be available to any vendor until the school has, for each vendor, explicitly granted access in writing. Once a school or district grants permission for a vendor to sync data, the data may be accessed via the API using the vendor's secure API Bearer Token. Vendors syncing data from Clever have agreed to store, transmit, and display student data only via secure and FERPA-compliant methods. Clever reserves the right to withhold student data from vendors it believes unable to handle student information securely.

Conclusion

At Clever, security is paramount. The Clever API represents a new way of transferring student data securely, using a combination of encryption, software security, hardware security, and access permissions to carefully safeguard student information. This security-minded approach allows partners to sync student information while remaining in full compliance with federal mandates such as FERPA and state mandates such as SOPIPA.

For more information about Clever security, please contact security@clever.com.

PGP Key ID: F1916C63
Fingerprint: BC63 7176 42A7 B1F7 345A DD35 C015 E1ED F191 6C63

For more information about using Clever in your school district, please contact info@clever.com. To find out how to integrate Clever into your application, please contact bd@clever.com.