Security Rubric Results

Rating legend: N/A, UNMET, PARTIAL, MEETS

Rubric areas: Documentation & Company Information; Data; Systems Management; Third Party Assessment

Each answer below is rated against the rubric's expectations as Meets, Partially Meets, or Doesn't Meet; questions that do not apply to the product are marked Not Applicable.

Documentation & Company Information
DOC01 - Have you undergone an external audit?
ANSWER: Has undergone an external audit and can share the audit results or certificate
User Notes: SOC 2 Type 1
Rating: Meets Expectations

DOC02 - Do you conform with a specific industry standard security framework? (e.g. NIST Cybersecurity Framework, CIS Controls, ISO 27001, etc.)
ANSWER: Conforms with a specific industry standard and can show evidence of conformance
User Notes: "Conforms" with exceptions to AWS Foundational Security Benchmarks, CIS AWS Foundations Benchmark v1.4.0
Rating: Meets Expectations

DOC03 - Does your organization have a documented data privacy policy?
ANSWER: The documented policy is presented to users and their personal data is only used to provide the service
Rating: Partially Meets Expectations

DOC04 - Do you have a documented, and currently implemented, employee onboarding and offboarding policy?
ANSWER: Yes
Rating: Meets Expectations

DOC05 - Do you have a well documented Disaster Recovery Plan (DRP) that is tested annually?
ANSWER: No
Rating: Doesn't Meet Expectations

DOC06 - Do you have a documented and currently followed change management process (CMP)?
ANSWER: Has a fully documented process & process is followed and includes a change log
Rating: Meets Expectations

DOC07 - Have you had a reportable breach in the last 5 years?
ANSWER: No reportable breaches in the last 5 years
User Notes: A minor internal incident in which one school's students were mistakenly added to the wrong school before being reversed. Schools were notified but no sensitive data was exposed
Rating: Meets Expectations

DOC08 - Do you have a dedicated Information Security staff or office?
ANSWER: Has a fully dedicated Information Security staff or office
Rating: Meets Expectations

DOC09 - Do you follow DevOps practices?
ANSWER: Follows DevSecOps practices
Rating: Meets Expectations

DOC10 - Can you share the organization chart, mission statement, and policies for your information security unit?
ANSWER: Is willing to share some but not all of the requested information (see notes to clarify what information is shared)
Rating: Partially Meets Expectations

DOC11 - Are information security principles designed into the product lifecycle?
ANSWER: Information security principles are designed into the product lifecycle and tested against security requirements at each functional code revision
Rating: Meets Expectations

DOC12 - Do you have a documented information security policy?
ANSWER: Yes
Rating: Meets Expectations

DOC13 - Do you have a formal incident response plan?
ANSWER: Yes, but the plan does not state or require updates or training
Rating: Partially Meets Expectations

DOC14 - Do you carry cyber-risk insurance?
ANSWER: Yes
Rating: Meets Expectations

DOC15 - Do you have either an internal incident response team or retain an external team?
ANSWER: Organization uses only an internal or external response team but not both
Rating: Partially Meets Expectations

DOC16 - What is your capability to respond to incidents?
ANSWER: Yes, 24x7x365
Rating: Meets Expectations
Data

DA01 - Does the environment provide for dedicated single-tenant capabilities?
ANSWER: No
Rating: Doesn't Meet Expectations

DA02 - Is data encrypted in transport? (e.g. system-to-client, system-to-system)
ANSWER: Yes
User Notes: HTTPS is terminated by CloudFront and forwarded to servers internally via HTTP
Rating: Meets Expectations
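The DA02 note above describes TLS terminated at CloudFront with plaintext HTTP between CloudFront and the origin servers, which the rubric nevertheless rated as meeting expectations. An assessor who wants to verify such a claim, or a vendor who wants to close the gap, can inspect the distribution's origin and viewer protocol settings rather than rely on the questionnaire answer. The script below is an added example written for this page; it is not 1EdTech's or the vendor's code, and the embedded distribution configuration is a constructed sample, not the vendor's actual CloudFront setup. It reads the JSON that `aws cloudfront get-distribution-config --id <ID>` returns and reports custom origins whose OriginProtocolPolicy is not https-only, origins that still permit SSLv3/TLSv1/TLSv1.1 toward the origin, and cache behaviors whose ViewerProtocolPolicy is allow-all.

```python
"""Audit a CloudFront distribution config for plaintext viewer-to-edge or
edge-to-origin HTTP.  Input is the JSON returned by
`aws cloudfront get-distribution-config --id <ID>` (or a saved copy of it).
Added example for this page; SAMPLE_CONFIG is a constructed distribution,
not the vendor's real configuration."""
import json
import sys

# Constructed sample: an API origin reached over plaintext HTTP (the DA02
# situation), a static origin that still permits TLSv1 to the origin, and a
# cache behavior that accepts plaintext from viewers.
SAMPLE_CONFIG = json.dumps({
    "ETag": "E1EXAMPLE",
    "DistributionConfig": {
        "Origins": {"Quantity": 2, "Items": [
            {"Id": "api-origin", "DomainName": "api.internal.example",
             "CustomOriginConfig": {
                 "HTTPPort": 80, "HTTPSPort": 443,
                 "OriginProtocolPolicy": "http-only",
                 "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]}}},
            {"Id": "static-origin", "DomainName": "static.internal.example",
             "CustomOriginConfig": {
                 "HTTPPort": 80, "HTTPSPort": 443,
                 "OriginProtocolPolicy": "https-only",
                 "OriginSslProtocols": {"Quantity": 2, "Items": ["TLSv1", "TLSv1.2"]}}},
        ]},
        "DefaultCacheBehavior": {"TargetOriginId": "static-origin",
                                 "ViewerProtocolPolicy": "redirect-to-https"},
        "CacheBehaviors": {"Quantity": 1, "Items": [
            {"PathPattern": "/api/*", "TargetOriginId": "api-origin",
             "ViewerProtocolPolicy": "allow-all"}]},
    },
})

# Protocol versions CloudFront can still be told to use toward a custom origin
# that an assessor would not accept for sensitive traffic.
WEAK_ORIGIN_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def audit_distribution(config: dict) -> list[str]:
    """Return one finding string per weak setting; an empty list means clean."""
    findings = []
    dc = config["DistributionConfig"]

    for origin in dc["Origins"].get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            # S3OriginConfig origins carry no OriginProtocolPolicy field;
            # review them separately (bucket policy, website endpoints, OAC).
            continue
        policy = custom["OriginProtocolPolicy"]
        if policy != "https-only":
            findings.append(
                f"origin {origin['Id']} ({origin['DomainName']}): "
                f"OriginProtocolPolicy={policy}, traffic to origin is not forced onto TLS")
        weak = WEAK_ORIGIN_TLS & set(custom.get("OriginSslProtocols", {}).get("Items", []))
        if weak:
            findings.append(
                f"origin {origin['Id']}: weak OriginSslProtocols allowed {sorted(weak)}")

    # The default behavior plus every path-pattern behavior.
    behaviors = [dc["DefaultCacheBehavior"]] + dc.get("CacheBehaviors", {}).get("Items", [])
    for behavior in behaviors:
        if behavior["ViewerProtocolPolicy"] == "allow-all":
            findings.append(
                f"behavior {behavior.get('PathPattern', '(default)')}: "
                f"ViewerProtocolPolicy=allow-all, plaintext from viewers accepted")
    return findings


def audit_json(text: str) -> list[str]:
    """Parse get-distribution-config output and audit it."""
    return audit_distribution(json.loads(text))


def main(argv: list[str]) -> int:
    raw = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_CONFIG
    findings = audit_json(raw)
    for line in findings:
        print(line)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to audit the embedded sample, or pass the path of a saved get-distribution-config output; a non-zero exit code means at least one finding. Closing the DA02 gap means serving the origin over TLS (for example a certificate on the load balancer in front of the application servers) and setting OriginProtocolPolicy to https-only with only TLSv1.2 or later in OriginSslProtocols; note that only CustomOriginConfig origins are examined here, so S3 origins must be reviewed separately.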
DA03 - Is sensitive data encrypted, using secure protocols/algorithms, in storage? (e.g. disk encryption, at-rest, files, and within a running database)
ANSWER: All data encrypted at rest
User Notes: We do not use "field-level" encryption within the database
Rating: Meets Expectations

DA04 - Do you have a media handling process, that is documented and currently implemented, including end-of-life, repurposing, and data sanitization procedures?
ANSWER: Yes, has all of the above
User Notes: Second-hand via AWS
Rating: Meets Expectations

DA05 - Will data regulated by PCI DSS reside in the vended product?
ANSWER: Not Applicable
Rating: Not Applicable

DA06 - Are you able to accommodate storing each institution's data within their desired geographic region?
ANSWER: Yes
Rating: Meets Expectations

DA07 - Does the hosting provider have a SOC 2 Type 2 report available?
ANSWER: Has a review of controls but not SOC 2
User Notes: Has SOC 2 Type 1
Rating: Partially Meets Expectations
Systems Management

SM01 - Do you have a systems management and configuration strategy that encompasses servers, appliances, cloud services, applications, and mobile devices (company and employee owned)?
ANSWER: Yes
Rating: Meets Expectations

SM02 - Will the institution be notified of major changes to your environment that could impact the institution's security posture?
ANSWER: Yes, prior to the change
Rating: Meets Expectations

SM03 - Are you utilizing a stateful packet inspection (SPI) firewall?
ANSWER: Not Applicable
User Notes: We use AWS WAF
Rating: Not Applicable

SM04 - Do you use an automated IDS/IPS system to monitor for intrusions?
ANSWER: Yes
User Notes: We use AWS GuardDuty
Rating: Meets Expectations

SM05 - Do you require direct connectivity to the Institution's network for support/administration or access into any existing systems for integration purposes?
ANSWER: Not Applicable
User Notes: No direct connectivity is required
Rating: Not Applicable

SM06 - Do you support access control (e.g. RBAC, ABAC, PBAC) for end-users?
ANSWER: Provides separation of, at a minimum, students, teachers/faculty, and teaching assistants
Rating: Meets Expectations

SM07 - Do you support access control (RBAC, ABAC, or PBAC) for system administrators?
ANSWER: Yes, it is fully customizable and can provide evidence
User Notes: AWS Identity Center
Rating: Meets Expectations

SM08 - Do you control and audit employee access to customer data?
ANSWER: Controlled, but not audited
Rating: Partially Meets Expectations

SM09 - Does the system provide data input validation?
ANSWER: Yes, follows OWASP guidelines
Rating: Meets Expectations

SM10 - Are you using a web application firewall (WAF)?
ANSWER: Utilizes a web application firewall (WAF) and alerts are actioned
Rating: Meets Expectations

SM11 - Do you subject your code to static code analysis and/or static application security testing prior to release?
ANSWER: Yes
User Notes: Using Snyk and/or SonarQube.
Rating: Meets Expectations

SM12 - Do you enforce MFA for vendor administrative access?
ANSWER: No MFA but has strong password controls that align with NIST recommendations
User Notes: MFA is required for access to AWS, but not for access to the software itself
Rating: Partially Meets Expectations

SM13 - Does your solution support single sign-on (SSO) protocols for user and administrator authentication? (e.g. InCommon)
ANSWER: Does provide an institution-approved SSO for institutional users and administrators
Rating: Meets Expectations

SM14 - Are audit logs available to the institution that include AT LEAST all of the following: login, logout, actions performed, timestamp, and source IP address?
ANSWER: Audit logs are not available
User Notes: We do not record source IP address per data privacy requirements. Actions performed by teachers are recorded and available directly in the software itself. Logouts are tracked but not reliable as most users simply exit their browsers without formally logging out. Successful logins are tracked; logs are available only by formal request
Rating: Doesn't Meet Expectations

SM15 - Can your system auto-provision accounts through SSO?
ANSWER: Yes
Rating: Meets Expectations

SM16 - Do you support differentiation between email address and user identifier?
ANSWER: Yes, and enforces it
Rating: Meets Expectations
Third Party Assessment

TP01 - Will institution data be shared with or hosted by any third parties?
ANSWER: Purposeful sharing to benefit learner and/or institution which is disclosed to institution for review and approval
Rating: Partially Meets Expectations

TP02 - Do you perform security assessments of third party companies with which you share data? (e.g. hosting providers, cloud services, PaaS, IaaS, SaaS, etc.)
ANSWER: No
Rating: Doesn't Meet Expectations

TP03 - Have your systems and applications had a third party security assessment completed in the last year?
ANSWER: Yes, has a 3rd party assessment and can provide high level results and gives organization's name
Rating: Meets Expectations
Vetting Context
The views and opinions expressed in this information are those of the authors and do not necessarily reflect the official policy or position of 1EdTech. The information provided is intended to surface trends about the policies and procedures of systems leveraged by the educational community. It should not be considered legal advice.
© Copyright 2026 1EdTech Global Learning Consortium Inc. All Rights Reserved.