- paul h schwartz Asked on February 26, 2017 at 10:27 PM
Our college, Lansing Community College, is considering using your jotform.com. We would put FERPA-protected information in your control. I have a few questions:
Will you protect our data to FERPA standards (administrative, physical and technical safeguards (based on Reasonable Methods to ensure the security of our FERPA info—outlined below))?
Do you provide the safeguards in-house or contract them to a third party?
Is our data stored in the United States?
Have you had any past FERPA or data management violations?
Director of Information Security
Lansing Community College
TLC 421D Maildrop 9000
400 North Capitol Avenue
Lansing, Michigan 48933
Reasonable Methods of Protecting FERPA information:
- Limitations on the use of the data—the data is for our use only, it’s not to be sold, shared, or accessed beyond normal system maintenance by the cloud provider, or to comply with Federal legal requirements. Organization should allow internal access to PII from education records only to individuals with a need to know, and organization should take steps to maintain the confidentiality of the PII by using appropriate disclosure avoidance techniques.
- A right to audit—we must maintain the right to conduct audits or other monitoring activities of your authorized representative’s policies, procedures, and systems.
- Employee Policies--Cloud provider has appropriate disciplinary policies for employees that violate FERPA. This can include termination in appropriate instances. The provider should conduct background investigations of employees who will have access to PII from education records. The provider should train its employees about FERPA and how to protect PII from education records.
- A sound data security program--The plan should detail the organization’s policies and procedures to protect privacy and data security, one that protects both data at rest and data in transmission, including the ongoing management of data collection, processing, storage, maintenance, use, and destruction. The organization should designate an individual to oversee the privacy and security of the PII from the education records it maintains.
- Charlie Answered on February 27, 2017 at 03:43 AM
We are not FERPA compliant and do not have any FERPA certificates, but you can use the form builder in a FERPA-compliant way.
With regard to security, here is some information shared with us by our founder:
- We have bug bounty programs where we pay outside parties for reporting vulnerabilities in our system.
- Our servers are protected by private networks and constantly updated.
- Our system administrators have a collective 40+ years of industry experience.
- Our development team is encouraged to follow best security practices.
- All data transfers are made over a 256-bit SSL secure connection.
- Our servers are located in SSAE16 Audited facilities.
- Data Center in USA
9651 Hornbaker Road Manassas, VA 20109, United States
- Data Center - Germany
Kleyerstr. 75-87, 60326 Frankfurt am Main, Germany
We also have other features that allow you to have added security on your submission data:
- First is the encryption feature, you can check this feature on this guide: https://www.jotform.com/help/344-Encrypted-Forms-and-How-to-Use-Them
- Another is that you can enable file uploads to be downloadable only when the account is logged in. Below is a screenshot of where to access that feature.
I hope that helps.