At TuitionManager, we take every aspect of data security very seriously, and we are continually improving our tools and methodologies to protect the data of our customers.
- We maintain a comprehensive security program used by all employees and contractors, including annual training
- We follow the NIST Cybersecurity Framework, the nationally-recognized leader for cybersecurity standards and best practices
- We employ security experts who are committed to professional development through industry-standard certifications such as CISSP and CISM
- IT staff are active members in ISACA, OWASP, and W3C
SOC 2 Type 2
We maintain SOC 2 Type 2 compliance as recognition of our adherence to strict internal controls related to security, system availability, processing integrity,
confidentiality, and privacy. On an annual basis, we undergo a rigorous audit process performed by a certified, independent firm.
General Data Protection Regulation (GDPR)
We are compliant with the European Union's General Data Protection Regulation (GDPR). For more information, please read our privacy statement.
California Consumer Privacy Act (CCPA)
We are compliant with the California Consumer Privacy Act of 2018. For more information, please read our privacy statement.
The ability to perform system actions, or view application or employee information is controlled through our internal role-based security model, which
adheres to the least-privilege access philosophy. Only those users who have been expressly granted security rights will be able to perform the
Our developers follow a formalized structure to ensure secure coding techniques are applied at every phase of the system development lifecycle:
- Adhere to guidelines of OWASP Top 10 vulnerabilities
- Perform unit testing, undergo a mandatory security code review, and submit to quality assurance analysis prior to production implementation
- Receive all necessary change management approvals, along with documenting step-by-step instructions for production implementation and rollback
- Participate in ongoing secure code training covering emerging threats, common attack vectors, and new security flaws.
TuitionManager development and testing environments are separate from production. Customer data is stored in customer-specific databases,
with unique authentication credentials and access controls, eliminating the possibility of cross-client data access.
We regularly scan source code and systems for vulnerabilities and take the necessary remediation steps immediately.
Single Sign-On (SSO)
We encourage customers to manage user authentication by connecting their identity management system to TuitionManager using SAML 2.0.
This allows for multi-factor authentication and advanced password rules specific to your organization, which can override or replace TuitionManager defaults.
In addition to SSO, TuitionManager offers a local authentication method. Passwords associated with these local employee accounts are stored in a salted,
irreversible hash format. While our password policy contains configurable options for customers, our rules and recommendations are based on
current NIST guidelines:
- Prefer passphrases to passwords, with 15 or more characters optimal
- Password expiration for good cause only
- Complexity not required
- Limit authentication attempts / account lockouts enabled
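The local-account rules above, as an added example that is not TuitionManager's own code: a length-only policy check (no complexity classes), a salted, one-way password hash, and an attempt limit with lockout. The hash algorithm (PBKDF2-HMAC-SHA256), the 5-attempt threshold and the 15-minute lockout are assumptions, not values from the page.

```python
import hashlib
import hmac
import os
import time
from typing import List, Optional

# Assumed, configurable values (not from the page).
PBKDF2_ITERATIONS = 600_000
MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
MIN_LENGTH = 15  # page: passphrases of 15 or more characters are optimal


def check_policy(password: str) -> List[str]:
    """Return policy violations. Length only: no character-class rules."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"use a passphrase of at least {MIN_LENGTH} characters")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, irreversible hash; the random salt is stored beside the digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))  # constant-time compare


class LocalAccount:
    def __init__(self, password: str):
        if check_policy(password):
            raise ValueError("; ".join(check_policy(password)))
        self.stored = hash_password(password)
        self.failed = 0
        self.locked_until = 0.0
        self.must_reset = False  # expiration "for good cause" only, e.g. a suspected compromise

    def login(self, password: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"  # do not even check the password while locked out
        if not verify_password(password, self.stored):
            self.failed += 1
            if self.failed >= MAX_ATTEMPTS:
                self.locked_until = now + LOCKOUT_SECONDS
                self.failed = 0
            return "denied"
        self.failed = 0
        return "reset_required" if self.must_reset else "ok"
```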
TuitionManager is hosted with Rackspace, which provides world-class security and privacy features. Rackspace maintains an extensive list of
security certifications including ISO 27001 & 27001, SSAE16, and SOC 2. For more information regarding Rackspace security, please visit
Access to our production systems is tightly controlled through strict authentication rules and multi-factor authentication. We also utilize intrusion detection and
intrusion prevention systems, firewalls, and advanced email filtering to actively monitor potential security threats.
Access & Authentication
TuitionManager support staff are required to access the network over a secured VPN using multi-factor authentication. Audit logs store history on all sessions,
including failed connection attempts and all issued commands.
Reliability & Availability
TuitionManager maintains a publicly available system status webpage which includes details related to system availability, scheduled maintenance, service incident history, and relevant security events.
Backup & Disaster Recovery
All customer data is backed up nightly and stored in our secure data centers. We have a documented disaster recovery program that is tested on an annual basis.
Data is encrypted during transit over SFTP with PGP, on our website with TLS/SSL, and at rest using recognized encryption protocols.
We perform continuous, automatic monitoring for (and deletion of) viruses on all infrastructure components including servers and employee computers.
Virus scan definitions are updated on a daily basis.
We regularly patch and update all infrastructure components based on the latest available stable builds, in accordance with our internal patch policy.