Overview

The FocalPointK12 platform is hosted on a Microsoft Azure cloud environment in a high availability configuration. The Azure cloud platform provides several industry standard security certifications and disaster recovery policies as part of the architecture. A full description of the Microsoft Trust Center and Microsoft’s Security, Privacy and Compliance are available upon customer request.

Microsoft Azure Trust Center & Security Certifications

Microsoft Azure is a cloud computing platform that features a growing collection of integrated cloud services—analytics, computing, database, mobile, networking, storage, and web.

Microsoft has made an industry-leading commitment to the protection and privacy of the data. They were the first cloud provider recognized by the European Union’s data protection authorities for their commitment to rigorous EU privacy laws. Microsoft was also the first major cloud provider to adopt the new international cloud privacy standard, ISO 27018.

Microsoft and the EU-U.S. Privacy Shield

Microsoft and its controlled U.S. subsidiaries (Microsoft) comply with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. Microsoft has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.

FocalPointK12 and the EU-U.S. Privacy Shield

FocalPointK12 is committed to providing compliance with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce as it relates to personal information transferred from the European Union and Switzerland to the United States. FocalPointK12 is in the process of updating its Privacy Statement and corresponding policies and procedures to support compliance with the UE-U.S. Privacy Shield Framework and is in the process of certifying with the Department of Commerce that it adheres to the Privacy Shield Principles. To learn more about the Privacy Shield program, please visit www.privacyshield.gov.

Microsoft Azure Cloud Security Certifications

Infrastructure Security

The FocalpointK12 platform implements the highest levels of security to ensure the confidentiality, integrity, and high-availability of all customer data. Critical to the effectiveness of our redundant, high-performance SaaS architecture is our multi-layer security systems and strict information security policies, which all work together to ensure your data remains private, secure and always available.

Multi-layer Security for your applications

We know that security and data integrity are crucial and that’s why FocalPointK12 has implemented a comprehensive security infrastructure with state-of-the-art security measures and controls to ensure optimal protection against physical, network, server, application and data vulnerabilities. In keeping with the highest security standards, the FocalPointK12 Azure Cloud Platform’s state-of-the-art security measures and SSAE16 SOC 1, SOC 2, and SOC 3 certified data centers all have passed the same rigorous security audits as conducted for the top Fortune 500 financial services organizations.

Physical Security

To deny unauthorized access to facilities and equipment and to protect property from damage or harm, the FocalPointK12 platform is hosted in first-class Microsoft Azure Cloud hosting facilities where:

• All areas are monitored and recorded using CCTV
• All access points are controlled
• Facilities are unmarked and staffed 24x7 by security officers
• All visitors are biometric–screened upon entry and escorted to authorized locations
• All facilities utilize power systems with built-in redundancy, full Uninterruptible Power Supply (UPS) systems with up to N+1 level or greater, and backup generator systems in the event of a local utility failure

Network Security

To prevent and monitor for the misuse and abuse of our computer networks and network-accessible resources, FocalPointK12 has implemented the following network security measures:

• Industry-leading firewalls and intrusion detection and prevention systems
• 24X7X365 system monitoring and management
• Regularly scheduled application of patches and upgrades
• Around the clock network and firewall monitoring
• Continuous firewall log analysis to keep abreast of traffic patterns and identify any unusual activity
• Routine network vulnerability testing

All data centers adhere to the following information security certifications and standards:

• ISO 27002
• ISO 27001
• PCI DSS Service Provider Level 1 Certification,
• SSAE16 SOC 1, SOC 2, and SOC 3
• S. Commerce Department Safe Harbor Certification
• Content Protection and Security Standard (CPS)

Server Security

To ensure the security and availability of all servers, FocalPointK12 implements the following server security policies and procedures:

• All operating systems are hardened to remove all unnecessary software
• All services and patches are routinely reviewed and applied
• All devices adhere to strict password policies to ensure strong password protection
• Server–level vulnerability testing is conducted at routine intervals
• All servers are configured with built-in redundancy components, RAID 1 for the OS and RAID 5 for data on a storage area network utilizing high-performance fiber channel

Application Security

To reduce the chances of unauthorized application access, FocalPointK12 has implemented the following application security measures:

• Users must authenticate themselves with a username and password in order to gain access to their data
• All requests sent to FocalPointK12 must be encrypted using industry-standard Secure Socket Layer (SSL) encryption technology, ensuring secure, encrypted communication between the users’ web browsers and the FocalPointK12 web servers
• During initial authentication, the user identification token is digitally signed with a signing key unique to the customer’s application instance, allowing subsequent signature verification on every request
• Customers alone have the ability to manage users, application access and application-specific rights. Predefined application roles enable system and application administrators to quickly set up users and assign appropriate access rights for any given application.
• Microsoft Azure Trust Center conducts continuous application vulnerability and penetration testing using an industry-leading web application vulnerability testing provider, ensuring that your application and network environment is secured from outside attack.

Additional Server & Application Monitoring

In addition to the security measures, FocalPointK12 takes security and uptime monitoring further to ensure the security and availability of all customer instances:

• Servers and customer application instances are monitored 24x7x365 as part of our commitment to application performance and a quality customer experience
• Alert thresholds are set and monitored for numerous conditions that would impact performance, availability, and potential abuse or misuse

Logs and performance counters are regularly analyzed to identify patterns of suspicious activity