Join us for an upcoming webinar: How AI is Transforming, Innovating, and Simplifying Higher Education
Register now Close
Close
Menu

Security and Privacy Compliance

Platform Security and Privacy

The Signal Vine platform is 100% compliant with federal communications and data privacy regulations. It’s designed to protect your student data from threats by applying industry-standard security controls at every step. The platform meets FERPA standards and is used by the US Department of Education, the military, and hundreds of higher education institutions. Your data is safe with Signal Vine.

Read full policies

TCPA

The FCC enacted the Telephone Consumer Protection Act (TCPA) to crack down on unsolicited marketing messages. The Signal Vine Text Messaging Platform was designed from the beginning to fully comply with TCPA regulations.
An important clause from the policy for most of our customers is: “For non-commercial, informational texts (such as those sent by or on behalf of tax-exempt non-profit organizations, those for political purposes, and other noncommercial purposes, such as school closings), your consent may be oral.” Text messages must include information about:

  • Who is sending the message: Simply identify yourself and your organization in your first message to students to fulfill this requirement.
  • A physical address: Signal Vine provides your organization with local long-form phone numbers, which comply with this requirement.
  • A method to “unsubscribe”: Any student who texts back “stop” or “cancel” will automatically be opted out of future text messages.

Ask your Customer Success Representative for help crafting opt-in or opt-out language.

Read the TCPA policy

FERPA

The Signal Vine Text Messaging Platform is fully compliant with the US Department of Education’s Family Education Rights and Privacy Act (FERPA). The platform logs all message history, encrypts communications, and securely protects all data. Most organizations that use the text messaging platform only include “directory” information in their text messages, such as students’ names. Under FERPA, you are not required to obtain consent from students and parents before disclosing directory information.

Read the FERPA policy

COPPA

The Federal Trade Commission’s Children’s Online Privacy Protection Rule (COPPA) requires parental consent before communicating with students under the age of 13. Most of Signal Vine’s customers do not work with or communicate with students under the age of 13. For those who wish to communicate with students younger than 13, proof of written parental consent is required. Your Customer Success Representative can help you draft language for a parental consent form if needed.

Read the COPPA policy

Privacy and Security Details

Application Infrastructure

The Text Messaging Platform is a distributed, fault-tolerant, cloud-based application that can scale vertically and horizontally. Backend components disconnected from the platform are responsible for sending and receiving SMS messages (via 3rd party providers). The platform only allows HTTPS connections from users. It’s a client of our REST API and provides a user interface for reading and writing program data.
The platform is hosted on a virtual private cloud in Amazon Web Services. None of the servers running the platform are directly accessible to the internet and are protected by a Bastion Host that serves as a firewall to protect our VPC. When employees need access to servers, they use private key encryption to tunnel through the Bastion Host to reach the servers behind them.
Signal Vine relies on AWS elastic load balancers and elastic IP to provide high availability to the platform. Amazon Route 53 provides DNS.
The platform is protected by AWS Shield Standard, which is a managed DDoS protection service that safeguards the Signal Vine web application.
AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency that would affect users accessing our service. The platform is stored in five data centers distributed throughout the Northern Virginia AWS region.
All services (web servers, database, search) have redundancies for high availability.
The platform is accessed over SSL with 128-bit encryption and authentication. The platform servers do not accept non-encrypted requests.

Encryption

Database backups and password data are encrypted at rest. Different encryption schemes are used. Passwords are encrypted using a Bcrypt algorithm and SHA-256 encryption.
Data is only sent using 128-bit authentication. All data is encrypted and delivered by HTTPS. Signal Vine does not support insecure connections to the platform.

Data Security

All data is partitioned by account and program, which provides row-level security to authorized users. The design of the platform enforces restricted access levels and does not allow unauthorized access to data. Each user is assigned a partition key and can only access data in the partition to which they are assigned.
User passwords are encrypted using a Bcrypt hashing function and a single use salt, which is not stored. The platform backs up data nightly and ships transaction logs to allow for a point in time recovery to within 15 minutes of when the database goes down. The database is not accessible directly via the internet. It is only accessible via a private network interface connected to the data center.
As noted above, the platform is hosted on a group of separate, secure application servers. All servers can only be accessed using key-based authentication (a 2048-bit RSA key pair). Signal Vine employs access control policies to secure appropriate access and ensure that personally identifiable information (PII) and all data is protected by encryption. Signal Vine employs highly restrictive network access and a rigorous data backup protocol. In addition, an activity log is monitored when data is exported.
Compliance with State and Federal data privacy regulation is ensured through periodic peer review of compliance laws and ops/coding practices, procedures, and implementation.

Application Security and Case Management

Customers control staff access to student profile and message data by assigning security roles to users. There are currently three supported roles:

  • Account Administrator. Access to view and manage all programs, groups, and students in an account. Account Administrators can invite users to the platform and can view and revoke all account users’ access to the platform. They have  all permissions available to users at a lower access level.
  • Program Administrator. Access to view and manage specific programs and their associated students within an account.  Program Administrators can invite users to the platform (with Program Administrator permissions or lower). They can view and revoke access to any user with access to the programs they administer. They have all permissions available to users at a lower access level.
  • Counselor. Access to one or more groups within one or more programs. Counselors can only view messages and manage the data associated with students belonging to the Counselors’ assigned groups.