Keeping your data secure

We take a comprehensive approach to keeping the information of every district partner safe. This page highlights the measures we have in place to help us deliver on this commitment, including ISO-27001 — the industry’s top data privacy certification.

K12 Insight is ISO 27001 certified, offering you and all of its school district partners the highest level of assurance in our security practices.

The rigorous ISO 27001 certification process includes an intensive audit by an accredited third party to certify that K12 Insight operates professionally, values security highly, and complies with this internationally recognized top-tier standard. This certification also provides additional clarity regarding the evaluation of the quality, breadth, and strength of our organization’s security practices.

Usernames and passwords

K12 Insight provides each user in your organization with a unique, secure username and password that must be entered each time a user logs on. We follow industry best practices for storing confidential data. Passwords are encrypted with SHA-256 Cryptographic Hash Algorithm in the database before they are saved, and a session “cookie” is issued to record this encrypted authentication information only for the duration of a specific session. The session “cookie” does not include either user ID or User Password.

Privacy

We have a comprehensive Privacy Policy that provides a transparent view of how we handle your data — including how we use your data, who we share it with, and how long we retain it.

Data ownership

Our customers own all data input into the K12 Insight software systems. Data may be exported from our system in any of the available formats at any point for external use.

Data residency

All data is stored on servers located in the United States.

Closed accounts

K12 Insight standard practice is to de-identify data (de-identification is the process used to prevent someone’s personal identity from being revealed) after 90 days following account termination. Upon an explicit written request, K12 Insight will de-identify / delete data within 30 days of account termination. De-identified data is used only for internal business purposes— to track trends in product usage.

Commitment

The security of your data is of utmost importance to you and to us. We understand it needs to be confidential, accurate, and always available.

Hosting

K12 Insight data is hosted in the US in highly rated data centers, a standard that ensures 24/7 availability, redundancy, and operational sustainability.

Data center certification

Our hosting data centers are SOC 2 Tier III certified. This extremely stringent rating indicates 99.9% availability for our application users, survey takers and users submitting dialogues.

Data center compliance

All of the data centers we use have been audited to meet SSAE 16, SAS 70, SOC 2, SOC 3, PCI DSS and HIPAA compliances. Certificates and/or reports for these compliances are available upon request.

Data center security

All data center operations are protected 24/7/365 by 6-level security.

Mobile app

We follow industry best standards to develop, deploy, authenticate, maintain and transmit data. Any third-party libraries used in the code are thoroughly tested prior to launch. Informed consent is obtained from the end-user before collecting or processing information. We do not access or auto-store any information. User consent is always obtained to provide services which absolutely require device permissions or enhance user experience. Currently, K12 Insight’s mobile app asks for permission before accessing certain functions or applications, such as your camera, photos, microphone, contacts and Touch/Face ID prior to use.

Data encryption in transit and at rest

We encrypt Data in Transit as well as Data at Rest. We use 256-bit SSL encryption during data transmission, thus ensuring the secure transfer of confidential data. We also encrypt all customer data at rest.

Firewalls

K12 Insight follows the Minimum Security Baseline (MSB) for system hardening and uses a strong firewall for data protection. We follow industry best practices, including ensuring unwanted services are disabled on the firewall, default passwords are changed upon installation, and the firmware version is up-to-date.

Access management

Access is permitted only to designated IT administrators, and only from specific IP addresses.

System uptime

We have an SLA of 99.9% uptime for our services.

Planned maintenance

Planned downtime is limited to a maximum of 8 hours per year, allowing for the performance of regular maintenance. All users are informed of the date and time of this maintenance at least one week in advance.

Failover configuration

We have a failover in place for all critical hardware and software components, as well as for the entire site. An individual hardware mechanism is available as a failover for every component. We also have an offline failover system for complete failover in cold state when a daily backup copy is being restored.

Data backup and frequency

Due to constant changes to the data, we perform backups at different frequencies. These include daily, weekly, and monthly backups. Transaction and incremental backups are performed on a regular basis. On a monthly basis, a regular recovery testing plan is carried out to ensure backups and restoration processes run smoothly.

Documentation

Backup documentation regarding how system, application, and data backups are performed is reviewed every 3 months. Further reviews are completed whenever new hardware or applications are added.

System patching

Important patches and updates are installed periodically on all of our systems. All servers are reviewed at regular intervals to make sure they are up to date. Before any patch is uploaded on production servers, it is uploaded on a local environment where a specialized team of QA testers verify and certify that uploading the patch will have no adverse effect on any of the applications, systems, or components. The patch management server monitors the need for any critical patches, which are uploaded within 3 days, following ample testing. Additionally, our Microsoft subscription provides us with advice about relevant patches and updates, which we regularly review and implement as needed.

Scans

We use third-party scanning tools and maintain an in-house security team for regular audits.

Penetration testing

We perform penetration system testing every 6 months and before every new release to eliminate any vulnerable areas in our network.

Employee screening

We perform background screening on all employees, to the extent possible within local laws.

Training

We provide all the essential security and technology use training for all employees.

Service providers

We screen our service providers and they are bound by contract to confidentiality and security obligations if they deal with any user data.

Administrative access

Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know / least privilege necessary basis.

Audit logging

We regularly maintain and monitor audit logs on all our services and systems.

Coding practices

Our engineers use the best coding practices and industry-standard secure guidelines that align with the OWASP Top 10. All development is done in-house.

Deployment

We deploy code regularly when any bugs are noticed in the production environment.

In case of a security breach

We have implemented substantial and elaborate security measures to protect your sensitive information. Unique usernames and passwords must be entered each time a person logs on. The site is hosted in a secure server environment that uses a firewall and other technology to prevent access from outside intruders. Internally, we use security logs, train our employees, and limit access to only essential personnel. When transmitting sensitive Information, we use encryption technology. We also encrypt Data at Rest. All our technology and processes are not, however, guarantees of security. If we do notice a security breach, we will notify the affected users via email so that they can take preventive actions. Due to the best practices in place, we have not had a single breach in the history of the company.

User responsibilities

K12 Insight allows account administrators to create and manage sub-accounts and determine permission levels, eliminating risky password sharing, confusion and inefficiency, while maintaining data privacy. There will be times when sharing data with people inside and outside of your organization is essential to facilitating workflow; controlling access to sensitive information is the only way to ensure it is secure.

Please ensure that you use the enhanced security option while managing your project on K12 Insight software systems. Please keep your user name and password secret and let us know immediately if you suspect that our security has been breached by emailing us at privacy@k12Insight.com.

If you have specific questions, please contact us.