Our comprehensive security program helps protect sensitive data at every step.
Our success depends on building highly secure product and infrastructure. Our desire is to help schools, teachers, parents, and application partners create a secure learning environment where students can thrive.
We know it’s not enough to just write secure code—for security to be effective, it has to be ingrained in our culture and embedded in every part of the business. That’s why security is part of everyone’s job at Clever: 100% of our people receive security training. To lead this program, we hire security experts who have extensive security experience for market-leading cloud services and are passionate about creating safe digital learning ecosystems.
Our comprehensive security-by-design approach helps to protect sensitive data at every step—whether it’s a district’s first data transfer or one-millionth login.
Helping schools secure their data
We know data protection is a key priority for our district customers, and we understand how challenging it can be for districts to effectively manage risk and ensure high data protection standards across all of the district’s unique technology partners. At Clever, we’re not only committed to meeting those standards—we have an outstanding security track record and are regularly investing in new tools, technologies, and enhancements to stay ahead of risks.
School districts turn to Clever to help manage and safeguard Student Data shared with technology partners. Instead of maintaining and troubleshooting custom scripts with dozens of application providers, districts can easily create and update student accounts in education software and control how much data is shared through Clever. Instead of managing multiple transmissions to application providers, districts can rely on the Clever API to transmit Student Data with strong security requirements.
With Clever, districts have one security-focused platform for sharing data with authorized applications, a platform that’s regularly tested and optimized for data security.
Full encryption in transit and at rest
Clever helps districts secure student information by encrypting it in transit and at rest. We use modern cryptographic algorithms like AES256-GCM and follow key management best practices with strict user access control and multifactor authentication.
Secure development lifecycle
From initial design concept to final testing, our security protocols inform every aspect of product and infrastructure development. All development projects, including new products and features, require a security review process. It includes threat modeling and code review for any major change.
Cloud-hosted infrastructure is a more secure infrastructure
Increasingly, districts are adopting cloud infrastructure instead of on-premise models for one key reason: security. Most education software providers also have adopted cloud services to host their products for districts, as have healthcare providers, financial institutions, and government agencies. While on-premise systems need to be maintained, updated, configured, and secured individually, cloud services typically offer key benefits that provide stronger data security management and practices.
- Cloud service providers have greater security expertise running servers in the cloud across thousands of customers over many years.
- Cloud service providers are experienced in navigating and managing a broad array of security requirements, including most stringent security standards, such as HIPAA, COPPA, GDPR, and SOC.
- Cloud service providers have a much more substantial investment in both network and physical security than on-premise systems could typically provide.
Clever’s infrastructure runs on Amazon Web Services (AWS), an industry leader in cloud services and data security. Ernst & Young LLP performs the AWS System and Organization Controls audit and issues reports that demonstrate how AWS achieves these key compliance controls and objectives. The AWS SOC 2 and other reports are available on the AWS compliance site.
Comprehensive independent third-party security evaluation
Our team continually monitors for suspicious activity and employs automated threat detection alerting and response processes. We engage top third-party security firms who perform regular audits and external code reviews, and we make these audits available upon request.
In addition, we work with HackerOne to run a bug bounty program. The bug bounty program engages security researchers and independent security professionals (“Bug Bounty Participants“) to proactively test our platform and report any issues that we then assess and mitigate. Clever authorizes and encourages the responsible and ethical discovery and reporting of vulnerabilities on all of Clever’s products. Security researchers can participate by sending an email to firstname.lastname@example.org with the email address they use for their HackerOne account, and we will add you to our private program. If Bug Bounty Participants make a good faith effort to conduct research and disclose vulnerabilities in accordance with our disclosure rules (found here), Clever will not recommend or pursue law enforcement or civil lawsuits related to such activities. If a Bug Bounty Participant is interested in publication of the vulnerability, Clever will permit publication after the earlier of (a) Clever’s confirmation of remediation of the vulnerability and (b) nine (9) months have passed since disclosure of the vulnerability to Clever’s security team.
If you have any questions about Clever’s security program, please send an email to email@example.com.
Read more about Clever’s security practices.