FinalForms Blog

AWS+FinalForms+Customer Shared Responsibility Model

Written by Macklin Chaffee | May 6, 2019 6:42:00 PM

Audited for accuracy as of May, 2023.

Security and compliance are shared responsibilities between AWS, FinalForms, and the School District (Customer). This model helps relieve FinalForms’ operational burden, as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. In turn, FinalForms is responsible for and manages the operating system (including updates and security patches), other associated application software, and the configuration of the AWS-provided security group firewall. As shown in the chart below, this differentiation of responsibility is commonly referred to as Security “of” the Cloud versus Security “in” the Cloud. FinalForms carefully considers the services provisioned, as responsibilities vary depending on the nature of the services, the integration of those services into the IT environment, and applicable laws and regulations. The Shared Responsibility Model is designed to provide FinalForms with flexibility and control over technology and the School District with flexibility and control over authorized user access.

There is no FERPA certification for a service provider such as FinalForms. In order to meet the FERPA requirements applicable to our operating model, FinalForms aligns our FERPA risk management program, detailed below. 

For more on this subject, please visit: https://d0.awsstatic.com/whitepapers/compliance/AWS_FERPA_Whitepaper.pdf


It is ultimately the responsibility of the School District to authorize users with appropriate access.

  • An Authorized User may supply data to FinalForms, as required by his/her School District. 
  • Authorized Users using the service provided by FinalForms are responsible for ensuring that they meet the qualifications for the status of Authorized User, as determined by their School District.
  • Authorized Users are responsible for ensuring the accuracy and completeness of all information supplied to FinalForms.
  • An Authorized User may access and correct personally identifiable information through use of the Service at any time. FinalForms may retain the data supplied by Authorized Users for as long as required by their School District and/or applicable law, or as authorized by the Authorized User.
  • An Authorized User is solely responsible for maintaining the confidentiality of his/her user identification and password.
  • An Authorized User is solely responsible for all activities that occur in connection with his/her Account.

More information about FinalForms:

  • FinalForms does not require an Authorized User to supply it with data.
  • FinalForms does not provide or sell any data to third parties.
  • FinalForms will not make publicly available the individual data an Authorized User supplies it by using the Service.
  • FinalForms will not use any behavioral information to provide targeted advertising to Authorized Users.
  • FinalForms will not collect, use, or share behavioral information for any purpose beyond authorized educational or school purposes, or as authorized by the Authorized User.
  • FinalForms does not limit a School District’s use of the data that an Authorized User supplies FinalForms through use of the Service.
  • FinalForms has auditing and logging capabilities which allow internal security analysts to examine detailed activity logs or reports to see who had access, IP address entry, what data was accessed, what data was modified, when it was modified, etc. This usage data may be tracked, logged, stored, and accessed in compliance with applicable law or educational institution policy.
  • FERPA does not require particular methods of data destruction. However, other applicable laws or local privacy regulations may require specific secure data disposal methods. Customers should check with their legal counsel to fully understand their data destruction requirements.

Shared responsibilities:


 

Learn more about 'What Governs Your Data Collection Processes'.