TalkingPoints Security Overview
Effective May 2, 2024
Please also reference our updated Privacy Policy
Overview
Educators and families trust TalkingPoints with important and sensitive information. Our security approach consists of five critical components that allow us to maintain data security and integrity for entry, transfer, storage, and access.
- Corporate governance
- Physical security
- Environmental security
- Software security
- Regulatory compliance
Each of these will be described in more detail.
Corporate governance
TalkingPoints works with industry-leading advisors to review and guide our policies and procedures.
- All TalkingPoints employees and contractors sign agreements that require them to preserve and protect the confidentiality of sensitive information they may access while doing their jobs.
- All TalkingPoints employees are scrutinized by mandatory background checks.
- Employees are required to enable two-factor authentication on every internal and external service where it is available and practical.
- All computers and mobile devices issued by TalkingPoints, as well as any software that runs on those machines, are password-protected and encrypted where possible.
- All employees receive privacy and security training at least annually.
Physical security
TalkingPoints strictly controls physical access to user information.
- All TalkingPoints premises require key entry.
- Personally identifiable information is not stored onsite.
- All work computers and laptops provided to TalkingPoints personnel have encrypted disks.
Environmental security
TalkingPoints uses Google Cloud Platform (GCP) and other third-party services in the GCP environment to host and operate our databases.
GCP is an industry-leading cloud service platform that provides nondescript facilities, professional security staff, controlled access, video surveillance, intrusion detection, and other security features. All data is separated from outside connections, and access is limited to select members of the current TalkingPoints team.
- TalkingPoints stores its data within a GCP region that is FedRAMP compliant.
- TalkingPoints’s main database and all backups are encrypted at rest.
- The GCP cloud infrastructure is designed and managed in compliance with regulations, standards, and best practices, including HIPAA, SOC 1/SSAE 16/ISAE 3402 (formerly SAS70), SOC 2, SOC 3, PCI DSS Level 1, ISO 27001, FedRAMP, DIACAP and FISMA, ITAR, FIPS 140-2, CSA, and MPAA.
Learn more about Google Cloud's security policies in Google's published security and compliance documentation.
Software security
TalkingPoints’s infrastructure is built on industry-tested technology and security practices.
- TalkingPoints uses encryption, firewalls, and network security software.
- TalkingPoints uses single sign-on (SSO).
- Low-level audit logging is enabled for all external providers (GCP, Atlas) to record potentially malicious actions.
- TalkingPoints runs periodic penetration tests, then logs and resolves discovered issues.
- All TalkingPoints clients use TLS/SSL when communicating with our servers.
- TalkingPoints has a host-based intrusion detection system to detect unauthorized access to production hosts.
- Audit logs are sent to a central location for storage and analysis. Access to production servers and interaction with production systems is audited and logged.
If we learn of a security breach, TalkingPoints will notify affected users, and may post a notice on our services, as required by applicable laws. We will investigate the breach and make any necessary technical changes to resolve the underlying vulnerability. More specifics regarding compliance with state-specific laws are in the TalkingPoints Data Privacy & Security Standard Contract Terms.
TalkingPoints has designated a Security Incident Response team consisting of the Heads of Product, Operations, Engineering and Data departments. In the event of a data breach, this team will coordinate the response with internal TalkingPoints teams. The Security Incident Response Team can be reached at security@talkingpts.org.
Regulatory compliance
TalkingPoints works with policy advisors to ensure that our product and practices remain compliant with relevant mandates and regulations.
- TalkingPoints meets COPPA legislative requirements.
- TalkingPoints helps schools comply with federal FERPA regulations.