Audited for accuracy as of May, 2023
At FinalForms, we prioritize the security and privacy of student data. Our platform is designed to comply with federal regulations, including FERPA, ensuring that personally identifiable information (PII) is protected.
We host our services on Amazon Web Services (AWS), utilizing their advanced security features and military-grade physical controls to safeguard data. All data transmitted through our platform is encrypted using HTTPS, and sensitive information is further encrypted at rest. Access to data is strictly controlled, with only authorized personnel undergoing comprehensive background checks permitted to handle student information.
FinalForms does not collect, maintain, use, or share PII beyond what is necessary for purposes authorized by the school district or the user. We do not sell or disclose PII for behavioral targeting of advertisements. Our internal privacy policies ensure the highest level of security when handling client information.
The following policies and information are compiled based on our compliance with CoSN (CoSN K-12 CVAT), NIST (NIST CSF 2.0), The Education Cooperative (SDPA), and other organizational standards.
Our Policies
- FinalForms Business Continuity Plan
- FinalForms Change Management Process
- FinalForms Disaster Recovery Plan
- FinalForms Information Security Policy
- FinalForms Media Handling Process
- FinalForms Service Level Agreement
- FinalForms Vulnerabilities and Zero-Day Attack Policy
Q&A Based on Historical Inquiry
Data Collection
- What data does the provider collect?
- What, if any, data is collected by third parties (e.g., via cookies, plug-ins, ad networks, web beacons etc.)?
FinalForms does not collect, maintain, use, or share PII beyond what is necessary for purposes authorized by the school district or the user. We do not sell or disclose PII for behavioral targeting of advertisements. Our internal privacy policies ensure the highest level of security when handling client information.
- FinalForms only collects data specifically required, requested, and approved by the School District.
- FinalForms does not sell any data in any format, period.
- FinalForms does not currently hold any, or enter into any, partnerships that let other applications leech data.
- FinalForms does not allow third-party cookies, include advertisements, engage in ad networks, or utilize web beacons.
Network Operations Center Management and Security
- Does the provider perform regular penetration testing, vulnerability management, and intrusion prevention?
- Are all network devices located in secure facilities and under controlled circumstances (e.g. ID cards, entry logs)?
- Are backups performed and tested regularly and stored off-site?
- How are these backups secured? Disposed of?
- Are software vulnerabilities patched routinely or automatically on all servers?
FinalForms understands the legal and ethical issues surrounding data security. FinalForms employs FERPA- and HIPAA-compliant, military-grade Amazon Web Services (AWS) servers. AWS provides the industry's most reliable, redundant, and secure servers.
- AWS performs backups nightly and stores backups offsite.
- FinalForms developers access data via key-based SSH.
- FinalForms rigorously maintains up-to-date frameworks and languages.
- FinalForms routinely monitors and evaluates its service at every level of the stack.
Data Storage and Data Access
- Where will the information be stored and how is data "at rest" protected (i.e. data in the data center)?
- Will any data be stored outside the United States?
- Is all or some data at rest encrypted (e.g. just passwords, passwords and sensitive data, all data) and what encryption method is used?
- How will the information be stored?
- If the cloud application is multitenant (several districts on one server/instance) hosting, how is data and access separated from other School Districts?
- FERPA requires that records for a school be maintained separately, and not be mingled with data from other school systems or users.
- Are the physical server(s) in a secured, locked and monitored environment to prevent unauthorized entry and/or theft?
- How does the provider protect data in transit? e.g. SSL, hashing?
- Who has access to information stored or processed by the provider?
- Under FERPA, individuals employed by the provider may only access school records when necessary to provide the service to the School System.
- Does the provider perform background checks on personnel with administrative access to servers, applications and school district data?
- Does the provider subcontract any functions, such as analytics?
- What is the provider's process for authenticating callers and resetting access controls, as well as establishing and deleting accounts?
- If student or other sensitive data is transferred/uploaded to the provider, are all uploads via SFTP or HTTPS?
FinalForms uses FERPA- and HIPAA-compliant, military-grade Amazon technology. While there is no FERPA certification for a service provider such as FinalForms, in order to meet the FERPA requirements applicable to our operating model, FinalForms aligns our FERPA risk management program, available here.
- All data is stored within the US.
- FinalForms resides on multi-tenant architecture. Each school's custom application exists on a unique, secure database.
- AWS hosting facilities meet the highest standards of physical security, redundancy, and monitoring.
- All requests and access to data are executed through HTTPS, SFTP, or SSH.
- Data is encrypted at rest, leveraging AES-256 encryption.
- Within FinalForms, only Executives, Senior Developers, and Senior Support Staff have access to student data. All FinalForms personnel complete a rigorous, industry-standard background check prior to gaining access to any portion of the FinalForms application.
- FinalForms does not subcontract with any third parties outside of our hosting provider, AWS.
- FinalForms holds personal information, including email addresses, as confidential. Unauthenticated inquiries from students, parents, or staff are immediately denied.
- Authorized Parents/Guardians may, at any time, inspect, review, update, or correct form data which they believe to be inaccurate or obsolete. Authorized Administrators may access time-stamped form data change logs based on Parent/Guardian updates at any time for any purpose deemed necessary by the educational institution in accordance with applicable law.
Multi-Factor Authentication (MFA)
1. How does FinalForms secure access to its critical systems, backups, and administrative accounts?
At FinalForms, Multi-Factor Authentication (MFA) is a cornerstone of our security framework. To protect sensitive student data and ensure the integrity of our systems, MFA is implemented across all critical access points:
- Remote Network Access: MFA is mandatory for all remote network connections, adding an essential layer of security to safeguard against unauthorized access.
- Remote Email Access: Access to email systems is secured with MFA, ensuring that communications and sensitive information remain protected even in offsite environments.
- Admin/Privileged User Accounts: All administrative and privileged user accounts require MFA to prevent unauthorized actions and maintain strict access controls to sensitive data.
- Access to Backups: MFA is enforced for accessing encrypted backups stored within AWS, ensuring only authorized personnel can manage or retrieve stored data.
Data and Metadata Retention
- How does the provider assure the proper management and disposal of data?
- The provider should only keep data as long as necessary to perform the services to the School.
- How will the provider delete data?
- Is data deleted on a specific schedule or only on termination of contract? Can your School request that information be deleted? What is the protocol for such a request?
- You should be able to request a copy of the information maintained by the provider at any time.
- All data disclosed to the provider or collected by the provider must be disposed of by reasonable means to protect against unauthorized access or use.
- Upon termination of the contract, the provider should return all records or data and properly delete any copies still in its possession.
- FinalForms retains data, per federal and state requirements, for the school district, unless a data purge or deletion is requested by the school district. Data deletions and purges are complete, permanent, and non-reversible.
- School Districts may request a copy of their database at any time. The database will be encrypted and passed to the client via SFTP.
Development and Change Management Process
- Does the provider follow standardized and documented procedures for coding, configuration management, patch installation, and change management for all servers involved in delivery of contracted services?
- Are practices regularly audited?
- Does the provider notify the School System about any changes that will affect the security, storage, usage, or disposal of any information received or collected directly from the School?
- FinalForms strictly follows secure procedures when deploying new versions of the application. The deployment process includes audits and logs.
- FinalForms painstakingly designed the process for zero downtime, which has proven to be flawless since inception in 2012.
- As FinalForms serves all School Districts directly, notifications regarding changes in data management practices are sent to all appropriate authorized users and contacts.
Availability
- Does the provider offer a guaranteed service level?
- What is the backup-and-restore process in case of a disaster?
- What is the provider's protection against denial-of-service attack?
- FinalForms not only guarantees industry-best 99.99% uptime, but provides a record of 99.99+% uptime since inception in 2012.
- The FinalForms disaster recovery plan remains in place at all times in order to rapidly respond to seen and unforeseen data disasters. Daily redundant, remote backups guarantee 24-hour protection against disaster scenarios, including DDoS attacks.
- The FinalForms web service seamlessly scales to handle indefinite loads.
Audits and Standards
- Does the provider provide the School System the ability to audit the security and privacy of records?
- Have the provider's security operations been reviewed or audited by an outside group?
- Does the provider comply with a security standard such as the International Organization for Standardization (ISO), the Payment Card Industry Data Security Standards (PCI DSS)?
- FinalForms may provide extensive documentation regarding privacy and/or security inquiries. The FinalForms CTO responds directly, within 24 hours, to any privacy and/or security questions not answered by immediately available FinalForms personnel or publicly available documentation.
- FinalForms has passed multiple third-party audits, including ISO and PCI Compliance.
Test and Development Environments
- Will "live" student data be used in non-production (e.g. test or development, training) environment?
- Are these environments secure to the same standard as production data?
- FinalForms provisions test databases using applicable student data for best results during tests and interface development. These local databases reside on secure computers and are inaccessible remotely.
Data Breach, Incident Investigation and Response
- What happens if your online service provider has a data breach?
- Do you have the ability to perform security incident investigations or e-discovery? If not, will the provider assist you? For example, does the provider log end user, administrative and maintenance activity and are these logs available to the School System for incident investigation?
- In the event of an unauthorized release, disclosure or acquisition of Student Data that compromises the security, confidentiality or integrity of the Student Data maintained by FinalForms, FinalForms shall provide notification to LEA within seventy-two (72) hours of confirmation of the incident, unless notification within this time limit would disrupt investigation of the incident by law enforcement. In such an event, notification shall be made within a reasonable time after the incident.
FinalForms follows this process, as outlined in the TEC SDPA Agreement:
(1) The security breach notification described above shall include, at a minimum, the following information to the extent known by FinalForms and as it becomes available:
i. The name and contact information of the reporting LEA subject to this section.
ii. A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
iii. If the information is possible to determine at the time the notice is provided, then either (1) the date of the breach, (2) the estimated date of the breach, or (3) the date range within which the breach occurred. The notification shall also include the date of the notice.
iv. Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided; and
v. A general description of the breach incident, if that information is possible to determine at the time the notice is provided.
(2) FinalForms agrees to adhere to all federal and state requirements with respect to a data breach related to the Student Data, including, when appropriate or required, the required responsibilities and procedures for notification and mitigation of any such data breach.
(3) FinalForms further acknowledges and agrees to have a written incident response plan that reflects best practices and is consistent with industry standards and federal and state law for responding to a data breach, breach of security, privacy incident or unauthorized acquisition or use of Student Data or any portion thereof, including personally identifiable information and agrees to provide LEA, upon request, with a summary of said written incident response plan.
(4) LEA shall provide notice and facts surrounding the breach to the affected students, parents or guardians.
(5) In the event of a breach originating from LEA’s use of the Service, FinalForms shall cooperate with LEA to the extent necessary to expeditiously secure Student Data.