Data Privacy and Security

ClassRanked – IT & Security FAQ

1. How is user data secured?

All data is encrypted:

  • In transit: via TLS 1.2+ to prevent interception during communication.
  • At rest: via AES-256 encryption within our cloud environment.

Data isolation is enforced across institutions—no data leakage or crossover between schools. Access to production data is strictly controlled, requires VPN and MFA, and is audit-logged.


2. Is ClassRanked FERPA-compliant?

Yes. We are built to comply with FERPA. We don’t collect unnecessary PII and only process student data needed for survey delivery and reporting. No data is repurposed or monetized. Institutions retain full ownership of their data.


3. Do you support SSO?

Yes. ClassRanked supports SAML 2.0-based Single Sign-On (SSO). We work with:

  • Azure Active Directory
  • Okta
  • Shibboleth
  • Other SAML-compliant IdPs

We support user provisioning and role assignment via metadata or pre-shared user sync files. Authentication is centralized and respects institutional password and MFA policies.


4. Who has access to our data?

  • Internally, only a handful of senior engineers have production access.
  • Access is gated by IAM roles, MFA, VPN restrictions, and logging.
  • No temporary employee, contractor, or vendor has access unless explicitly granted in writing by the client.

Role-based access controls (RBAC) define what users can see: students, instructors, and admins only access their scoped data.


5. What happens to our data if we leave?

Data remains your property. Upon contract termination or request:

  • A full data export (CSV or JSON) can be provided.
  • All records are permanently deleted from our systems within 30 days.
  • Backups containing your data are deleted per our standard data lifecycle policies (typically within 90 days).

6. Do you have an incident response plan?

Yes. We maintain a formal Incident Response Plan which includes:

  • Real-time threat monitoring and anomaly detection
  • Isolation and mitigation procedures
  • Timeline-based communication with institutional stakeholders
  • Root cause analysis and remediation reviews

To date, we have had zero security breaches.


7. What compliance standards do you follow?

While we are not currently SOC 2 certified, we operate under the guidelines of:

  • FERPA
  • HECVAT (we are compliant and can provide our completed documentation to any institution upon request)
  • NIST 800-53 and NIST Cybersecurity Framework
  • AWS Well-Architected Security Pillars

We conduct internal audits and apply strict change management processes to limit risk.


8. Do you share data with third parties?

No. We do not share, sell, or resell your data. We only transmit data to third parties when:

  • Explicitly authorized by your institution
  • Necessary to fulfill an integration (e.g., LMS sync)
  • Covered under a data protection agreement

We sign DPAs as required.


9. How often is the system tested or audited?

  • Infrastructure and application-layer security are reviewed quarterly.
  • All dependencies are regularly scanned for vulnerabilities.
  • Patches are applied continuously.
  • Penetration tests and external audits can be scoped as part of contract negotiations.

10. What service-level protections are in place?

  • 99.9% uptime, with real-time monitoring and on-call escalation.
  • Hosted on AWS, in a VPC with tightly restricted security groups and auto-scaling.
  • Daily backups with geographic redundancy.
  • The application is stateless and resilient to container failures.

11. How do you protect against misuse or abuse?

  • All actions in the system (e.g., login attempts, data views, admin changes) are logged and can be audited.
  • Rate-limiting, anomaly detection, and CAPTCHA are in place to prevent brute force or automation abuse.
  • Admins have visibility into user sessions and can disable accounts if needed.
