DATA SECURITY THAT SCHOOLS CAN TRUST

SchoolBI is built on a strong foundation of data security and privacy from the ground up. This enables our platform to be secure while helping schools meet their data protection and compliance requirements.

Technology

School data protection that scales

SchoolBI is built to meet the modern school’s data security and compliance needs.
We are committed to your community’s security.

Secure Architecture

SchoolBI’s software and technology are built on a strong architectural foundation from the ground up. This approach to application development and security is the backbone of our security and privacy principles.

Technical Controls

SchoolBI has implemented a combination of best-in-class security, privacy, and compliance controls that address data protection risks through the entire data lifecycle.

Company Culture

Our company culture and values are a key part of our data security and privacy commitment. Our culture educates, values, and reinforces individual and organizational accountability. This approach enables individuals and teams to be equipped to see through their obligations to protect the privacy and security of customer data.

Data security and privacy controls

Access management, encryption & endpoint safety

Network security & system monitoring

Penetration testing & vulnerability disclosure

Disaster recovery & incident response

Data privacy

Access management
  • SchoolBI adheres to the principles of least privilege and role-based permissions when provisioning access; workers are only authorized to access data that they reasonably must handle in order to fulfill their current job responsibilities.
  • SchoolBI employs multi-factor authentication for access to internal systems. 
  • SchoolBI requires personnel to use an approved password manager.
Encryption
  • SchoolBI encrypts data using industry-standard protocols.
  • Data in transit is encrypted using.
  • Data at rest is encrypted.
  • Key management is in place for encryption keys for production services.
Endpoint security
  • All workstations issued to SchoolBI personnel are configured by SchoolBI to comply with our standards for security.
  • These standards require all workstations to be properly configured, updated, and tracked and monitored by SchoolBI’s endpoint management solutions.
  • SchoolBI’s default configuration sets up workstations to encrypt data at rest, have strong passwords, and lock when idle.
  • Workstations run up-to-date monitoring software to report potential malware.
Network security and server hardening
  • SchoolBI logs, monitors, and audits all system calls, and has alerting in place for calls that indicate a potential intrusion or exfiltration attempt.
System monitoring, logging, and alerting
  • SchoolBI monitors infrastructure of servers and workstations to gain a comprehensive view of the security state.
  • Administrative access, use of privileged commands, and system calls on all servers in SchoolBI’s production network are logged and monitored.
  • Analysis of logs is automated to detect potential issues and alert responsible personnel.
Penetration testing
  • In addition to our compliance audits, SchoolBI engages independent entities to conduct application-level and infrastructure-level penetration tests at least twice per year.
  • Results of these tests are prioritized, remediated in a timely manner, and shared with senior management.
  • Customers may receive executive summaries of these activities by requesting them from their success team representative.
Research & disclosure
  • SchoolBI is committed to working with security experts across the world to stay up to date with the latest security techniques.
  • To show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs. If you believe you have discovered a problem or have any questions, please contact us at security@schoolbi.com.
Disaster recovery and business continuity plan
  • SchoolBI utilizes services deployed by its hosting provider to distribute production operations across separate availability zones. These distributed zones protect SchoolBI’s service from loss of connectivity, power infrastructure, and other common location-specific failures.
  • SchoolBI performs daily backups and replication for its core databases across these zones and supports restore capability to protect the availability of SchoolBI service in the event of a site disaster affecting any of these locations.
  • Full backups are saved at least once per day and transactions are saved continuously.
  • SchoolBI tests backup and restore capabilities annually to ensure successful disaster recovery.
Responding to security incidents
  • SchoolBI has established policies and procedures for responding to potential security incidents.
  • All security incidents are managed by SchoolBI’s dedicated Incident Response Team. The policies define the types of events that must be managed via the incident response process and classify them based on severity.
  • In the event of an incident, affected customers will be informed via email from our customer success team. Incident response procedures are tested and updated at least annually.
Data Privacy

SchoolBI data privacy controls are designed to honor our obligations around how we collect, process, use and share personal data, as well as our processes to support data retention and disclosure in compliance with legitimate business purposes.

Data sharing and processing
  • SchoolBI follows GDPR and CCPA guidelines to meet its data protection obligations to our customers. This includes only collecting, processing, and storing customer data in compliance with these obligations and providing you the right to access or delete it at any time.
  • SchoolBI provides controls for deleting customer data when it is no longer needed for a legitimate business purpose, and also provides users the option to opt out of tracking cookies on our website.
  • SchoolBI also requires our data processing vendors to certify the use of customer data for no other purposes than the provision of services.
Data disposal
  • As a customer, you can request data deletion at any time during the subscription period. After a period of inactivity, the data is removed by default.
  • SchoolBI’s hosting providers maintain industry-standard security practices for ensuring the removal of data from storage media.
Data disposal
  • SchoolBI has established agreements that require subprocessors to adhere to confidentiality commitments and take appropriate steps to ensure our security posture is maintained.
  • SchoolBI monitors these sub-processing vendors by conducting reviews of their controls before use and at least annually.