SchoolFront Information Security FAQ
1. How do I know that the information I store in and access via SchoolFront Services is secure?
SchoolFront is governed by an “evergreen” Information Security Policy (ISP) informed by routine risk analysis, industry best practices, and legal standards for the housing and management of legally protected information (PI). SchoolFront’s ISP meets the criteria for compliance required for “Business Associates” under the HIPAA Security and HIPAA Privacy Rules and legislation governing the appropriate storage and handling of student and teacher personally identifiable information (PII) by “3rd-Party Contractors,” including (but not limited to) NYS Education Law 2-d.
The SchoolFront ISP requires the implementation and maintenance of strict:
Administrative Safeguards
Technical Safeguards
Physical Safeguards
For more information about the SchoolFront ISP or to request access to the full policy, please CONTACT US.
2. Does SchoolFront comply with the requirements of “3rd Party Contractors” under New York State Education Law § 2-d?
Yes. SchoolFront is fully compliant with the requirements of New York State Education Law § 2-d as well as with other state and federal legislation governing the handling of protected information. The SchoolFront Team maintains a compliant Information Security Policy (ISP) and generally anticipates the inclusion of a “Parents Bill of Rights” in our service contracts with Educational Agencies covered by NYS Education Law § 2-d.
3. Where is my information stored when I use SchoolFront Services?
Production SchoolFront systems are housed in a highly secure and redundant self-contained “Class A” data center in Rochester, New York that provisions:
Access Control
Power Protection
Environmental Control
Fire Detection/Suppression
Raised Flooring
Production Cabling
Locked Cabinets/Cages
The Centrilogic Data Center in Rochester, New York
4. What are SchoolFront’s standard data backup and retention policies?
Our Standard Data Backup Policy
Onsite encrypted database log backups are taken every hour, 24 hours a day and 7 days a week.
Onsite encrypted full backups are taken nightly and copied to a secondary server.
Encrypted VM backups of entire servers are taken nightly and synchronized offsite (i.e. for disaster recovery purposes).
File backups are taken nightly to a secondary server.
Encrypted file backups are taken nightly to a cloud server.
Our Standard Data Retention Policy
Complete data backups, including those run hourly, are retained for 3 months.
After 3 months and up to 6 months, daily full backups are retained.
After 6 months and up to 12 months, Sunday full backups are retained.
After 12 months, only backups conducted 1 Sunday per month are retained.