TeachTown Security FAQ
Company Name:
TeachTown Inc.
What is the service or product you will be providing?
TeachTown provides educational software products for students with special needs.
What is the type or nature of the data that will be accessed, i.e. personal identity, financial, confidential, medical, etc.?
TeachTown systems collect a small amount personally identifiable information.
What are the specific data elements or fields of data you will be working with, i.e. first name, last name, address, birth date, SSN, phone, medical term, credit card number, etc.?
Data fields that fall under personally identifiable information are:
Student First Name
Student Last Name
Student Gender
Student Birth Date
Student demographic information (optional)
Teacher First Name
Teacher Last Name
Teacher Email
Teacher address information
What is the compliancy classification of the data, if known, i.e. SOX, PCI, HIPAA, FERPA, or GLBA?
HIPAA and FERPA apply as noted in our EULA and Terms of Use.
If the contract is terminated, how will ownership of the data be given back to __?
Upon customer request, data can be delivered in CSV format. Data can also be permanently deleted from TeachTown servers.
What format/structure will the data be in?
CSV format.
Do you perform all of these services in house?
Is any service or product subcontracted out?
Do you depend on any third party for your service?
We use a commercial data center - hyperfive.com - to host and secure our servers.

How do users log into the system directly?
Users can log in either via our secure web site at www.teachtown.com or via our client applications on devices such as iPad and ChromeBook. In all cases login is done over secure SSL/HTTPS connection with the user's email and password.
What other methods of login are supported?
TeachTown supports the SAML Single Sign-on (SSO) protocol which may be used at the customer's discretion. TeachTown also supports Single-Sign On via clever.com integration.
What Rostering technologies are supported for the creation of teacher and student accounts?
TeachTown supports the OneRoster protocol which is an international developed by the IMS Global Learning Consortium. A standard OneRoster zip file containing teacher/student/organization information may be uploaded to our servers via secure SFTP. TeachTown also supports bulk import of accounts via CSV upload features available on our web site.
Can teacher and student accounts be created directly?
Yes. TeachTown supports direct sign-up on our web site for teachers, and automatic association with the correct district account via teacher email.

Server Infrastructure
Describe the infrastructure of the service or product you are offering, i.e. Cloud based, on premises server, Co-location services.
A combination of Cloud based and Co-location services.
If on premises, describe the architecture of the system, i.e. stand-alone server, domain-joined server, appliance, software?
No servers and data are hosted on company premises.
Who is responsible for backups of the product?
Daily scheduled backups are run by our Co-location service. Independent off-site daily backups are run in parallel.
What are your backup methodologies and procedures? Including, but not limited to: restore process, length of retention, frequency of backup, media, locations, tested restore schedules, etc.
We use Microsoft SQL Server as our relational database, making use of their backup and restore processes. Full backups happen nightly and are kept for six months. Server image snapshots are made every 15 minutes and kept for a few days.
How often and what process do you use to test the backup and restore methodology?
As part of our development process we pull backups and restore them to a functioning server about once per week. SQL Server backup files are restored using SQL Server, and correct functioning of the database is tested.
Do you have a Disaster Recovery Plan?
Yes. Our data is backed up to more than one location. Our code is backed up to several locations. If it were necessary we could rebuild our servers in a matter of a few hours. However, it is extremely unlikely we would need to do that. We can restore a server image snapshot from within the last fifteen minutes.
Explain your disaster recovery procedures and processes.
In brief, we would request new server instances from our co-location service and install code and restored data to them. These can then be rotated into operation via our DNS records. Our content can be re-published to a cloud-based content service for consumption by our client applications in less than an hour.
In the event of a data loss, how will data be restored?
Data is restored via our most current SQL backup or server image: typically not older than fifteen minutes.
What format or structure will the data be in after restore?
All data is restored to it's original form in our SQL Server instance.
Describe the locations of your operation centers and/or data centers and their role/function, i.e. Primary site, Failover site, NOC.
All of our servers are hosted by hyperfive.com located in Kansas. Hyperfive provides high redundancy, server image snaphsots, secure fire wall, and various safeguards against denial of service and other attacks.
Describe your facilities and security and audit ratings, i.e. Tier 1-4, LEED, NIST, ISO, SSAE16 (SOC), etc.
What security strategies do you employ to keep the data integrity and security from compromise?
We rely upon our co-location service hyperfive.com for security and audit ratings. Upon request they can provide their yearly SOC Report.

Client Devices
Do client devices access your product or service?
Yes. Our client devices are our web-based applications that operate in a browser, and devices such as iPad and ChromeBook.
What model or platform are the client devices, i.e. iOS-Apple, Android, Windows, etc.?
Any HTML5-compliant browser can run our client applications on Mac / Windows / iOS / Android. Additionally, we ship native apps to the Apple App Store for iPad, and to the Chrome Web Store for ChromeBook.
How do clients access sensitive data?
Client applications can only connect via secure SSL to our servers after security credentials have been entered by the customer (email and password).
Is data stored on the device in any way?
Minimal customer personally identifiable information is stored on clients. Data is transmitted via secure SSL to our servers and removed from the client.
How is the data protected in storage and transit?
Storage of data on devices relies upon the security measures taken by Apple to protect iPads, and Google to protect ChromeBooks. Any temporary storage of data in the browser is safeguarded by the security measures of modern HTML-compliant browsers. All of these measures are very secure using modern encryption technology. All data is transferred over secure SSL / HTTPS protocol using our valid SSL certicate and Certificate Authority.
How is the client device secured, i.e. password, biometric, security card, physical restraint, etc.?
All customer access to devices is secured by password. In some cases, we integrate with standard protocols such as OAuth and SAML to achieve Single Sign On capabilities.
Is the data encrypted at any point in the process?
Data is encrypted in transit always, and is encrypted within clients as per their security protocols.
Is the data in clear text at any point in the process?
Some data can be viewed in clear text within a browser - in local storage -, but that is only accessible via the logged in user.
Describe your encryption methods and standards, i.e. SSL, SFTP, Cypher, Key Length, etc.
We use SSL for all data transfer. Our SSL certificate including cyphers and key length are maintained at current industry standards.
What is the procedure for dealing with a lost or stolen device?
This procedure is in the hands of the customer. As long as the customer has not left themselves logged in, no one will be able to access data. It is also always possible for a customer to reset their password via email.

Technologies Used
Do you use Flash Technology?
No. There are no Flash components in use in any TeachTown product.