SchoolInsight Data Security Practices

1/20/2025

It’s been widely reported that a popular SIS vendor experienced a security breach. Though we’re not associated with that vendor, and our system did not experience a breach, many of our customers have asked about our security practices. They have a legitimate interest in how vendors manage their data. To ease communication, we’re publishing this article outlining what we believe happened and how we secure your data.

Across EdTech, cyber crime is on the rise. Criminals are targeting vendors and school districts alike. As a small vendor, we consider a breach to be an existential threat to the company. So we take it very seriously, and have made significant investments to avoid breaches of our systems.

Before we discuss our practices, we’d like to review the incident as we understand it. From what we’ve read in the news, it sounds like the SIS vendor gave maintenance credentials to a third party, allowing them to access many customer systems and associated data in the performance of their role. Those credentials did not require multi factor authentication (MFA) and did not expire. Allegedly those credentials became compromised and were used by a cyber criminal to access, and eventually download, data stored in the system.

Before we discuss our general practices, we’d like to state that we do not give system credentials to third parties. Also all of our employees are required to use MFA to access our system. As a result, this attack vector is not one to which we’re likely vulnerable.

That doesn’t mean we can’t be the victim of a successful attack. Storing data on the internet has inherent risks. We do however take steps to reduce that risk as much as possible, but unfortunately it cannot be eliminated.

Here are some of the practices we have in place:

We adhere to widely accepted technical standards designed to prevent cybersecurity intrusions
We’ve implemented intrusion detection systems
We performed penetration testing to test our defenses
We use industry standard encryption practices, such as SSL
We store customer data in secure data centers within the United States
We’ve implemented a Disaster Recover Plan that includes regularly backing up system data
We have a Data Security Protocol and Incident Response Plan
We strictly limit employee access to production systems and never allow access by third parties or vendors
We conduct background checks on all employees and require them to adhere to our Confidentiality Policy
Our employees are required to utilize strong passwords and MFA when accessing the site and internal systems
Our employees undergo regular cyber security training
We don’t include PII in internal development, testing, or support versions of the site
As part of our Terms of Service and Privacy Policy school districts retain ownership of their data, meaning we can’t sell it
We don’t advertise to parents/students or use their data to sell targeted advertising

While we already conform to industry best-practices, we’re conducting an internal audit to identify any gaps.

In addition to the steps we take, we encourage each district to take actions to mitigate their own risk. These include:

Adopting their own strong password and MFA policies for employees
Disallowing the use of shared accounts
Restricting user permissions to only areas of the site required for their role
Restricting or removing accounts for third parties, vendors, or former employees
Storing only essential data inside the system
1. For example, many school districts have moved away from collecting social security numbers
Auditing integrations with third parties to ensure only essential data is shared

There is a natural trade-off between security and convenience. While these steps can make the site more complex or more challenging to use, they are necessary to ensure data security.

As always, if you have any questions or concerns, feel encouraged to reach out to our support team.

The Common Goal Team