Is jotform.com FERPA compliant?

  • paul h schwartz
    Asked on February 26, 2017 at 10:27 PM

    Our college, Lansing Community College, is considering using your jotform.com. We would put FERPA-protected information in your control. I have a few questions:

    Will you protect our data to FERPA standards (administrative, physical and technical safeguards, based on the Reasonable Methods to ensure the security of our FERPA info outlined below)?

    Do you provide the safeguards in-house or contract them to a third party?

    Is our data stored in the United States?

    Have you had any past FERPA or data management violations?

    thanks


    paul

    Mr Paul H. Schwartz
    Director of Information Security
    Lansing Community College
    TLC 421D Maildrop 9000
    400 North Capitol Avenue
    Lansing, Michigan 48933
    5174835264
    schwarp1@lcc.edu

    ---------------------------------


    Reasonable Methods of Protecting FERPA information:

    - Limitations on the use of the data: the data is for our use only; it’s not to be sold, shared, or accessed beyond normal system maintenance by the cloud provider, or to comply with Federal legal requirements. The organization should allow internal access to PII from education records only to individuals with a need to know, and the organization should take steps to maintain the confidentiality of the PII by using appropriate disclosure avoidance techniques.

    - A right to audit: we must maintain the right to conduct audits or other monitoring activities of your authorized representative’s policies, procedures, and systems.

    - Employee policies: the cloud provider has appropriate disciplinary policies for employees who violate FERPA. This can include termination in appropriate instances. The provider should conduct background investigations of employees who will have access to PII from education records. The provider should train its employees about FERPA and how to protect PII from education records.

    - A sound data security program: the plan should detail the organization’s policies and procedures to protect privacy and data security, one that protects both data at rest and data in transmission, including the ongoing management of data collection, processing, storage, maintenance, use, and destruction. The organization should designate an individual to oversee the privacy and security of the PII from the education records it maintains.

    https://www2.ed.gov/policy/gen/guid/fpco/pdf/reasonablemtd_agreement.pdf

    http://ptac.ed.gov/sites/default/files/cloud-computing.pdf


  • Charlie
    Answered on February 27, 2017 at 03:43 AM

    Hi,

    We are not FERPA compliant and do not have any FERPA certificates, but you can use the form builder in a FERPA-compliant way.

    With regards to security, here is some information shared with us by our founder:

    - We have bug bounty programs where we pay outside parties for reporting vulnerabilities in our system.

    - Our servers are protected by private networks and are constantly updated and patched.

    - Our system administrators have a collective 40+ years of industry experience.

    - Our development team is encouraged to follow best security practices.

    - All data transfers are made over a 256-bit SSL secure connection.

    - Our servers are located in SSAE16 audited facilities.


    Please also check our Terms and Privacy Policy pages. For our data centers, we have one in the USA and one in Germany. Below are their physical locations:

    - Data Center in USA
      Serverify L-WDC-01
      9651 Hornbaker Road, Manassas, VA 20109, United States

    - Data Center in Germany
      Serverify L-FRA-10
      Kleyerstr. 75-87, 60326 Frankfurt am Main, Germany

    We also have other features that allow you to have added security on your submission data:

    - First is the encryption feature; you can read about it in this guide: https://www.jotform.com/help/344-Encrypted-Forms-and-How-to-Use-Them

    - Another is that you can enable file uploads to be downloadable only when the account is logged in. Below is a screenshot showing where to access that feature.

    I hope that helps.