FinalForms Security, Data Privacy and Compliance
FinalForms Security Documentation
March 28, 2018
Military Grade Physical Controls + Enterprise Grade Security = Piece of Mind
FinalForms is hosted in entirety on our infrastructure on Amazon Web Services (AWS) EC2 and S3 instances. We chose AWS specifically because of its prolific scale, redundancy, and emphasis on data privacy & security.
The Amazon Web Services infrastructure is designed and managed according to the highest standards for security and data protection, including SOC 1, 2, 3, PCI DSS Level 1, ISO 27001, FIPS 140-2, and more, as well as military-grade physical controls. Enterprise-grade security ensures data stays secure with SSL encryption. To provide continuous availability, FinalForms is deployed on multiple data centers. Every piece of data is automatically copied to multiple locations for redundancy – ensuring data is always available.
Our technology partnership with Amazon Web Services enables us to meet our commitment to securing customer data.
Frequently, FinalForms is used to store sensitive student health & demographic information on behalf of various school systems. Knowing this from the outset, we have thoroughly researched and then crafted a rock-solid solution from the ground up, rigorously vetting at every layer, that meets national educational industry standards.
In this document we give a detailed account of the steps we've taken at each layer to meet, not just the medical information standards, but a multitude of other regulation programs.
We host the entirety of our infrastructure on Amazon Web Services (AWS) EC2 and S3 instances. We chose AWS specifically because of its prolific scale, redundancy, and emphasis on data privacy & security. Among its long list of physical security benefits the highlights are:
- Amazon has unmatched experience in designing, constructing, and operating large-scale data centers.
- AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection.
- Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means.
- Authorized staff must pass two-factor authentication no fewer than three times to access data center floors.
- All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
- Worldwide facilities have been audited and granted many certifications.
- Linked is the AWS SOC 3 Report.
We have several policies of our own in place that ensure the highest level of security is taken when handling client information outside of our web application.
- Developer machines do not store sensitive information locally.
- Client information is never stored physically without consent from a client administrator.
As mentioned before, we host our infrastructure on Amazon Web Services (AWS). Amazon is widely considered to be the leader for infrastructure as a service (IaaS) providers. They are compliant with a wide range of regulations and provide granular control over your network. Here are just a few of the many security benefits they provide:
- Host Operating System Security:
- AWS employees with a business need are required to use their individual cryptographically b SSH keys to gain access to the host.
- All access is logged and routinely audited.
- When an AWS employee no longer has a business need to administer EC2 hosts, their privileges on and access to the hosts are revoked.
- Guest Operating System Security:
- We have complete control over our virtual instances.
- AWS administrators do not have access to our instances, and cannot log into the guest OS.
- Amazon provides a complete firewall solution.
- This mandatory inbound firewall is configured in a default deny mode and the we must explicitly open any ports to allow inbound traffic.
- Denial Of Service (DoS) Security:
- Standard DDoS mitigation techniques such as SYN floods and connection limiting are in use.
- Amazon maintains internal bandwidth which exceeds its provider-supplied Internet bandwidth.
- Man In the Middle (MITM) Security:
- All of the AWS APIs are available via SSL-protected endpoints which provides server authentication.
- Spoofing Security:
- The Amazon-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
- Port Scanning Security:
- Port scans of Amazon EC2 instances are generally ineffective because, by default, all inbound ports on Amazon EC2 instances are closed.
Outside of the AWS provided features, we implemented and ensure:
- Separate databases are created for each client.
- All administrative activity involving our servers is performed over an encrypted connection.
- Client information is not stored digitally outside of the secure AWS infrastructure.
- Verbose logging is enabled wherever possible, leaving clear audit trails.
- Backups are run periodically and regularly tested for success in recovery situations.
- Intrusion detection systems alert administrators of suspicious activity.
The FinalForms workforce, itself, has been structured to minimize contact with student data. FinalForms requires comprehensive, industry standard, background checks on all employees and/or contractors regardless of their respective role within the business. Data is only ever accessed without school staff present in secure development settings via SSH or through the FinalForms administrative interface, both encrypted connections.
FinalForms Security Documentation