FinalForms Security, Data Privacy and Compliance

Military-Grade Physical Controls + Enterprise-Grade Security = Peace of Mind

FinalForms is hosted entirely on our infrastructure on Amazon Web Services (AWS) EC2 and S3 instances. We chose AWS specifically because of its prolific scale, redundancy, and emphasis on data privacy & security.

The Amazon Web Services infrastructure is designed and managed according to the highest standards for security and data protection, including SOC 1, 2, 3, PCI DSS Level 1, ISO 27001, FIPS 140-2, and more, as well as military-grade physical controls. Enterprise-grade security ensures data stays secure with SSL encryption. To provide continuous availability, FinalForms is deployed on multiple data centers. Every piece of data is automatically copied to multiple locations for redundancy – ensuring data is always available.

Our technology partnership with Amazon Web Services enables us to meet our commitment to securing customer data.

Frequently, FinalForms is used to store sensitive student health & demographic information on behalf of various school systems. Knowing this from the outset, we thoroughly researched and then crafted a rock-solid solution from the ground up, rigorously vetting every layer, so that it meets national educational industry standards.

In this document we give a detailed account of the steps we've taken at each layer to meet not just medical information standards but a multitude of other regulatory programs.


Physical Security

We host the entirety of our infrastructure on Amazon Web Services (AWS) EC2 and S3 instances. We chose AWS specifically because of its prolific scale, redundancy, and emphasis on data privacy & security. Among its long list of physical security benefits, the highlights are:

  • Amazon has unmatched experience in designing, constructing, and operating large-scale data centers.
  • AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military-grade perimeter control berms as well as other natural boundary protection.
  • Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means.
  • Authorized staff must pass two-factor authentication no fewer than three times to access data center floors.
  • All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
  • Worldwide facilities have been audited and granted many certifications.
  • Linked is the AWS SOC 3 Report.

We have several policies of our own in place that ensure client information is handled with the highest level of security outside of our web application.

  • Developer machines do not store sensitive information locally.
  • Client information is never stored physically without consent from a client administrator.


Technical Security

As mentioned before, we host our infrastructure on Amazon Web Services (AWS). Amazon is widely considered to be the leader among infrastructure-as-a-service (IaaS) providers. They are compliant with a wide range of regulations and provide granular control over your network. Here are just a few of the many security benefits they provide:

  • Host Operating System Security:
    • AWS employees with a business need are required to use their individual cryptographically strong SSH keys to gain access to the host.
    • All access is logged and routinely audited.
    • When an AWS employee no longer has a business need to administer EC2 hosts, their privileges on and access to the hosts are revoked.
  • Guest Operating System Security:
    • We have complete control over our virtual instances.
    • AWS administrators do not have access to our instances, and cannot log into the guest OS.
  • Firewall:
    • Amazon provides a complete firewall solution.
    • This mandatory inbound firewall is configured in a default-deny mode, and we must explicitly open any ports to allow inbound traffic.
  • Denial of Service (DoS) Security:
    • Standard DDoS mitigation techniques such as SYN cookies and connection limiting are in use.
    • Amazon maintains internal bandwidth which exceeds its provider-supplied Internet bandwidth.
  • Man-in-the-Middle (MITM) Security:
    • All of the AWS APIs are available via SSL-protected endpoints, which provide server authentication.
  • Spoofing Security:
    • The Amazon-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
  • Port Scanning Security:
    • Port scans of Amazon EC2 instances are generally ineffective because, by default, all inbound ports on Amazon EC2 instances are closed.


Beyond the features AWS provides, we have implemented and maintain the following:

  • Separate databases are created for each client.
  • All administrative activity involving our servers is performed over an encrypted connection.
  • Client information is not stored digitally outside of the secure AWS infrastructure.
  • Verbose logging is enabled wherever possible, leaving clear audit trails.
  • Backups are run periodically and regularly tested for success in recovery situations.
  • Intrusion detection systems alert administrators of suspicious activity.


Administrative Privacy

The FinalForms workforce itself has been structured to minimize contact with student data. FinalForms requires comprehensive, industry-standard background checks on all employees and/or contractors regardless of their respective role within the business. When school staff are not present, data is only ever accessed in secure development settings via SSH or through the FinalForms administrative interface, both of which are encrypted connections.

Linked is our Privacy Policy and Terms of Service.

FinalForms Security FAQs

Here is a list of 5 popular questions from school district tech directors:

1. Because your platform stores and transmits personally identifiable information on minors, can you provide, in detail, the controls that are in place for network security and privacy?

FinalForms web servers are hosted on Amazon Web Services (AWS) and the databases on Amazon Relational Database Service (RDS), allowing us to utilize many of their available security features. We chose AWS specifically because of its prolific scale, redundancy, and emphasis on data privacy & security. Remote password authentication is disabled on our servers. Access is only allowed by public/private key authentication and is only available to FinalForms developers. Inbound connections are restricted to public services using Amazon's built-in firewalls. Database access is limited to internal authorized hosts only, and connections require credentials.
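One way a defender can verify the server-access posture this answer states (remote password authentication off, public-key authentication on) is to audit the host's sshd_config, honouring sshd's own rules that the first value of a keyword wins and that Match blocks can reopen what the global section closed. This is an added example, not FinalForms' code or configuration; the sample configs and the account name `legacy` are constructed.

```python
import re
# Added example (not FinalForms' code): audit an sshd_config text for the
# posture stated above, i.e. password logins off, public-key logins on.
# sshd rules: keywords are case-insensitive, the FIRST value seen for a keyword
# wins, and lines after a "Match" line apply only to that conditional block.
_DIRECTIVE = re.compile(r"^([A-Za-z]+)(?:\s*=\s*|\s+)(.+)$")

def parse_sshd_config(text):
    """Return ({keyword: first global value}, [(match_criteria, keyword, value)])."""
    globals_, overrides, current_match = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current_match = value
        elif current_match is None:
            globals_.setdefault(key, value)  # first occurrence wins
        else:
            overrides.append((current_match, key, value))
    return globals_, overrides

def audit_sshd_config(text):
    """Return a list of findings; an empty list means the stated posture holds."""
    g, overrides = parse_sshd_config(text)
    findings = []
    # When a keyword is absent OpenSSH applies its default, "yes" for both.
    if g.get("passwordauthentication", "yes").lower() != "no":
        findings.append("global PasswordAuthentication is not 'no'")
    if g.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("global PubkeyAuthentication is not 'yes'")
    for crit, key, value in overrides:
        if key == "passwordauthentication" and value.lower() == "yes":
            findings.append(f"Match {crit} re-enables password authentication")
    return findings

# Constructed samples: the first looks hardened at a glance, but the earlier
# duplicate wins and a Match block reopens a password path for one account.
WEAK_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication yes
PasswordAuthentication no     # ignored by sshd: first value wins
Match User legacy
    PasswordAuthentication yes
"""
HARDENED_CONFIG = "PubkeyAuthentication yes\nPasswordAuthentication no\n"
```

Running `audit_sshd_config(WEAK_CONFIG)` reports both the global password login and the Match-block re-enable, while the hardened sample returns no findings.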

2. Is the software and data hosting outsourced or provided by FinalForms?

Physical servers are hosted on Amazon Web Services (AWS) and the database software on Amazon Relational Database Service (RDS). The software was written and is maintained by FinalForms.

3. Is data encrypted in transmission and at rest?

Web site connections require HTTPS encryption, and remote server connections are fully encrypted. Disk encryption is not an option currently offered by Amazon because Amazon does not expose the attached disks it uses for data storage. Sensitive pieces of information (such as passwords) are encrypted within the database itself.

4. What network & physical security elements are in place?

We host the entirety of our infrastructure on Amazon Web Services. Among its long list of physical security benefits available online are:

  • Amazon has unmatched experience in designing, constructing, and operating large-scale data centers.
  • AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military-grade perimeter control berms as well as other natural boundary protection.
  • Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means.
  • Authorized staff must pass two-factor authentication no fewer than three times to access data center floors.
  • All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
  • Worldwide facilities have been audited and granted many certifications.
  • AWS has a publicly available SOC 3 Report.

We have several privacy policies of our own in place that ensure client information is handled with the highest level of security outside of our web application.

Client information is never stored physically without consent from a client administrator.

5. Do you have formal information security and data privacy programs in place?

We have policies on how client data is to be handled securely and enforce these policies using software configurations wherever possible.

- - - - - 

More information on AWS Compliance can be found here
http://aws.amazon.com/compliance/

- - - - - 

What Governs Your Data Collection Processes?

We are sensitive to all security and privacy concerns.  In fact, security and privacy are our top priorities in providing our services to hundreds of school districts throughout the United States.  We often receive questions about whether our service is subject to certain federal privacy laws.  An explanation of the applicability of those laws to our service is set forth below.

The Health Insurance Portability and Accountability Act (“HIPAA”), 29 U.S.C. §1181, generally does not apply to our elementary or secondary school clients because such schools either: (1) are not HIPAA covered entities; or (2) are HIPAA covered entities but maintain health information only on students in records that are, by definition, “education records” under the Family Educational Rights and Privacy Act (“FERPA”), 20 U.S.C. §1232g, and, therefore, are not subject to the “Privacy Rule” established by HIPAA.

The HIPAA Privacy Rule only applies to health plans, health care clearinghouses, and those health care providers that transmit health information electronically in connection with certain administrative and financial transactions (“covered transactions”).  Covered transactions are those for which the U.S. Department of Health and Human Services has adopted a standard, such as health care claims submitted to a health plan.  Thus, even though a school employs school nurses, physicians, psychologists, or other health care providers, the school is not generally a HIPAA covered entity because the providers do not engage in any of the covered transactions, such as billing a health plan electronically for their services.  Even a school that employs a health care provider who conducts one or more covered transactions electronically is not required to comply with the HIPAA Privacy Rule if it maintains health information only in student health records that are “education records” under FERPA and, thus, not “protected health information” under HIPAA.  Because student health information in education records is protected by FERPA, the HIPAA Privacy Rule excludes such information from its coverage.  45 CFR §160.103.  

FinalForms is not a health care clearinghouse and does not conduct covered transactions under HIPAA.  FinalForms simply replaces the paper documentation, or the less capable online systems of our school clients, for whom HIPAA does not apply.

Here are a few more points regarding FinalForms:

1. All data collected is requested or required by your school district, your district’s athletic department, your State's Department of Education, or your State's Revised Code.

2. All users with access to student data are provisioned by the school district, with specific levels of access.

Notes about 1 & 2: The information collected via FinalForms by your school district includes the same data as was previously collected on paper.  Your school district may provide access to the exact personnel with the exact permissions that existed with any previous system, paper or online, and it will positively be even more secure!

3. If you would like to read about other security practices, you can learn more here: https://www.finalforms.org/security

Finally, both the footer of http://www.finalforms.com, as well as your district's installation of FinalForms, include links to our Terms of Service and Privacy Policy, linked below as well.

TERMS OF SERVICE  
FinalForms TOS

PRIVACY POLICY  
FinalForms Privacy Policy

Here are a few links to government websites regarding both HIPAA and FERPA:  
http://www.hhs.gov/hipaa/for-professionals/faq/513/does-hipaa-apply-to-an-elementary-school/index.html 
http://www2.ed.gov/policy/gen/guid/fpco/ferpa/parents.html