
TrustEd Apps Profile for PowerSchool SIS

Vetted by Rich Gay, Chief Information Security Officer at PowerSchool Group LLC on 2024-07-24

Security Rubric Results

Result scale:
  • N/A
  • UNMET
  • PARTIAL
  • MEETS

Rubric areas: Documentation & Company Information, Data, Systems Management, Third Party Assessment. Each item is rated Meets, Partially Meets, or Doesn't Meet expectations.

Documentation & Company Information
DOC01 - Have you undergone an external audit?
ANSWER: Has undergone an external audit and can share the audit results or certificate
User Notes:
PowerSchool’s security program is audited via ISO 27001:2022 to ensure adherence to industry standards for safeguarding data. The resulting reports from the audits are made available to customers behind NDA through our Whistic platform.
Result: Meets Expectations
DOC02 - Do you conform with a specific industry standard security framework? (e.g. NIST Cybersecurity Framework, CIS Controls, ISO 27001, etc.)
ANSWER: Conforms with a specific industry standard and can show evidence of conformance
User Notes:
PowerSchool independently verifies its security posture and business continuity framework to internationally recognized standards for information security management systems (ISMS) and has been accredited with ISO/IEC 27001:2022 certification.
Result: Meets Expectations
DOC03 - Does your organization have a documented data privacy policy?
ANSWER: Yes
User Notes:
Please see the following link to read our policy: https://www.powerschool.com/privacy/
Result: Meets Expectations
DOC04 - Do you have a documented, and currently implemented, employee onboarding and offboarding policy?
ANSWER: Yes
User Notes:
We have established processes to ensure effective onboarding and offboarding procedures, which include conducting background checks for new hires and ensuring that access to systems and facilities is promptly granted or revoked as needed. These procedures are designed to maintain security and compliance throughout an employee's tenure with the company.
Result: Meets Expectations
DOC05 - Do you have a well documented Disaster Recovery Plan (DRP) that is tested annually?
ANSWER: Yes
User Notes:
Business continuity and disaster recovery plans are developed and updated on an annual basis and include the range of disaster scenarios and the steps the business will take in such an event to ensure the timely resumption of critical business operations. For security reasons, BCP plans are considered confidential and internal to PowerSchool.
Result: Meets Expectations
DOC06 - Do you have a documented and currently followed change management process (CMP)?
ANSWER: Has a fully documented process & process is followed and includes a change log
User Notes:
Change management procedures include the following elements:
  • Changes are approved prior to being deployed. The ability to approve changes is limited to specific job roles.
  • All scheduled change requests must be submitted in advance so that there is sufficient time to review the request, determine and review potential failures, and make the decision to allow or delay the request.
  • Requests should include provisions for reverting the changes should they introduce bugs, instability or other issues.
  • Change Management Procedures contain provisions for handling emergency changes. The emergency change provisions should define the broad conditions under which an emergency change may be made, who can approve the change, and require that it be documented once completed.
Result: Meets Expectations
DOC07 - Have you had a reportable breach in the last 5 years?
ANSWER: No reportable breaches in the last 5 years
Result: Meets Expectations
DOC08 - Do you have a dedicated Information Security staff or office?
ANSWER: Has a fully dedicated Information Security staff or office
User Notes:
PowerSchool Information Security is organized under and reports to PowerSchool’s Chief Information Security Officer (CISO). The team is organized into several groups:
  • 24x7 Security Operations Center team dedicated to monitoring infrastructure and application security and responding to security incidents.
  • Security analyst team dedicated to managing risk and compliance within the organization.
  • Security engineers dedicated to application and infrastructure security.
Additionally, PowerSchool has security personnel in Corporate IT and Cloud Operations dedicated to the security of PowerSchool corporate and product infrastructure and tooling. Leadership of these teams is accountable to the PowerSchool CISO.
Result: Meets Expectations
DOC09 - Do you follow DevOps practices?
ANSWER: Follows DevSecOps practices
User Notes:
PowerSchool has a dedicated software and system development team and practices Security and Privacy by design. Some security principles designed into the product and SDLC are: secure development to reduce the overall risk by reducing the attack surface area, done by following guidelines from the OWASP Top 10; password complexity requirements; the principle of least privilege; the principle of defense in depth; etc.
Result: Meets Expectations
DOC10 - Can you share the organization chart, mission statement, and policies for your information security unit?
ANSWER: Is willing to share some but not all of the requested information (see notes to clarify what information is shared)
User Notes:
PowerSchool's mission statement can be found on our website: https://www.powerschool.com/company/. Our Information Security Governance Policy is accessible to customers under Non-Disclosure Agreements (NDAs) through our Whistic platform. However, our organization chart for the Information Security Unit is considered internal and cannot be shared due to security reasons.
Result: Partially Meets Expectations
DOC11 - Are information security principles designed into the product lifecycle?
ANSWER: Information security principles are designed into the product lifecycle and tested against security requirements at each functional code revision
User Notes:
PowerSchool implemented and practices Security and Privacy by design. Some security principles designed into the product and SDLC are: secure development to reduce the overall risk by reducing the attack surface area, done by following guidelines from the OWASP Top 10; password complexity requirements; the principle of least privilege; the principle of defense in depth; etc.
Result: Meets Expectations
DOC12 - Do you have a documented information security policy?
ANSWER: Yes
User Notes:
The PowerSchool Information Security Governance Policy is made available to customers behind NDA through our Whistic platform.
Result: Meets Expectations
DOC13 - Do you have a formal incident response plan?
ANSWER: Yes and regularly exercised and people are regularly trained
User Notes:
Identifying and responding to security incidents is an important part of our security operations. The Incident Management and Communication Plan defines detailed roles and responsibilities that are initiated when actual or potential security incidents are identified. This plan follows industry best practices and is modeled after the PICERL (Preparation, Identification, Containment, Eradication, Remediation and Lessons Learned) method to provide quick response, effective isolation and containment, thorough root cause analysis, and appropriate remediation.
Result: Meets Expectations
DOC14 - Do you carry cyber-risk insurance?
ANSWER: Yes
User Notes:
PowerSchool maintains an internal incident response team that is managed in-house.
Result: Meets Expectations
DOC15 - Do you have either an internal incident response team or retain an external team?
ANSWER: Yes, both internal and external
User Notes:
PowerSchool has an internal incident response team and maintains a retainer for external incident response support when needed.
Result: Meets Expectations
DOC16 - What is your capability to respond to incidents?
ANSWER: Yes, 24x7x365
User Notes:
PowerSchool maintains around-the-clock monitoring of security incidents. Our dedicated Security Operations Center (SOC) team ensures continuous surveillance and timely response.
Result: Meets Expectations
Data
DA01 - Does the environment provide for dedicated single-tenant capabilities?
ANSWER: Yes
User Notes:
The PS SIS environment provides for dedicated single-tenant capabilities.
Result: Meets Expectations
DA02 - Is data encrypted in transport? (e.g. system-to-client, system-to-system)
ANSWER: Yes
User Notes:
With our PowerSchool Hosting deployment, all web-based access is secured using Transport Layer Security (TLS) version 1.2 or later for encryption of data in transit.
Result: Meets Expectations
DA03 - Is sensitive data encrypted, using secure protocols/algorithms, in storage? (e.g. disk encryption, at-rest, files, and within a running database)
ANSWER: All data encrypted at rest
User Notes:
PowerSchool uses AES-256 on volumes.
Result: Meets Expectations
DA04 - Do you have a media handling process that is documented and currently implemented, including end-of-life, repurposing, and data sanitization procedures?
ANSWER: Yes, has all of the above
User Notes:
PowerSchool implements comprehensive security measures throughout the entire data life cycle as part of our ISO 27001:2022 compliance and security framework. These measures apply to the physical and logical data in the PowerSchool chain of custody. Included are secure processes for clearing, purging, and destroying customer data to ensure it is sanitized and irretrievable.
Result: Meets Expectations
DA05 - Will data regulated by PCI DSS reside in the vended product?
ANSWER: Not Applicable
User Notes:
PCI DSS is not applicable to us as we do not store credit card information.
Result: Not Applicable
DA06 - Are you able to accommodate storing each institution's data within their desired geographic region?
ANSWER: Yes
User Notes:
Data is stored and processed in Microsoft Azure cloud computing environments aligned with regulatory geographic requirements.
Result: Meets Expectations
DA07 - Does the hosting provider have a SOC 2 Type 2 report available?
ANSWER: Has SOC 2
User Notes:
PS SIS utilizes Microsoft Azure for cloud hosting services, which undergoes the SOC 2 Type 2 audit. Please contact Microsoft directly for any necessary reports, as the Azure SOC 2 report is available upon signing an NDA directly with Microsoft.
Result: Meets Expectations
Systems Management
SM01 - Do you have a systems management and configuration strategy that encompasses servers, appliances, cloud services, applications, and mobile devices (company and employee owned)?
ANSWER: Yes
User Notes:
PowerSchool has a comprehensive systems management and configuration strategy that covers servers, appliances, cloud services, applications, and both company and employee-owned mobile devices. We maintain standard hardened configurations for servers, appliances, and mobile devices. Our PowerSchool Hosting solution ensures that all systems undergo extensive hardening aligned with our security framework, including disabling unnecessary services, user accounts, and ports.

For company-owned mobile devices, PowerSchool enforces device encryption. We centrally manage these systems to provide tracking and compliance reports.
Result: Meets Expectations
SM02 - Will the institution be notified of major changes to your environment that could impact the institution's security posture?
ANSWER: Yes, prior to the change
User Notes:
PowerSchool communicates application and system changes to customers through our Community portal. The schedule of regular maintenance windows, notification of emergency changes when needed, and details of changes and release notes are published to customers.
Result: Meets Expectations
SM03 - Are you utilizing a stateful packet inspection (SPI) firewall?
ANSWER: Yes, and alerts are actioned
User Notes:
All alerts are monitored by our SOC 24x7x365. We have a documented policy for firewall change requests. All changes to firewalls go through change management processes prior to execution.
Result: Meets Expectations
SM04 - Do you use an automated IDS/IPS system to monitor for intrusions?
ANSWER: Yes
User Notes:
PowerSchool uses an Intrusion Detection System (IDS) to analyze network events and create alerts for anomalous activity. A SIEM is used to capture and correlate events and alerts from those systems as well as other sources. We also use best-of-breed Endpoint Detection and Response (EDR) software to identify and respond to security threats and unusual system activity. PowerSchool's Security Operations Center monitors and responds to alerts from the SIEM 24/7/365.
Result: Meets Expectations
SM05 - Do you require direct connectivity to the Institution's network for support/administration or access into any existing systems for integration purposes?
ANSWER: Any direct connectivity we require will be for limited periods of time and will be fully monitored by the institution
User Notes:
For hosted SIS applications or services there may be a need for PowerSchool employees to access the network to set up integrations or troubleshoot problems in the infrastructure or with the application itself. For day-to-day operations, though, there is no requirement. On-prem customers manage this on their own unless they have a support agreement.
Result: Meets Expectations
SM06 - Do you support access control (e.g. RBAC, ABAC, PBAC) for end-users?
ANSWER: Provides separation of, at a minimum, students, teachers/faculty and teaching assistants
User Notes:
PowerSchool SIS supports role-based access control (RBAC) for users. Granular permissions can be assigned to roles within the product for district administrators, staff, and teachers. Students can only see their own data and parents are limited to their student's information.
Result: Meets Expectations
SM07 - Do you support access control (RBAC, ABAC, or PBAC) for system administrators?
ANSWER: Yes, it is fully customizable and can provide evidence
User Notes:
Granular permissions can be assigned to roles within the product for district administrators.
Result: Meets Expectations
SM08 - Do you control and audit employee access to customer data?
ANSWER: Controlled, but not audited
User Notes:
We rigorously control access to customer data using Role-Based Access Control (RBAC) and Data Loss Prevention (DLP) solutions. RBAC ensures that access to customer data is strictly based on job responsibilities, minimizing the risk of data exposure and misuse. Meanwhile, DLP solutions enable continuous monitoring of data protection policies, ensuring that sensitive customer information remains secure and compliant with regulatory requirements. Together, these measures form a robust framework that safeguards customer data against unauthorized access and potential breaches.
Result: Partially Meets Expectations
SM09 - Does the system provide data input validation?
ANSWER: Yes, follows OWASP guidelines
User Notes:
The SIS has data integrity and validation built into the UI (client), application and database tiers to ensure data is complete and correct. Limited Data Validation (LDV) is the primary framework for ensuring data validation (database field data validation) across the application. LDV is configured from the application by default. In addition, all checks done on the UI are also performed in the application, applying business rules and relational database integrity constraints. The application offers data validation which can be configured by the admin on critical fields. The user is prompted if invalid data or workflows are attempted, requiring corrective action.
Result: Meets Expectations
SM10 - Are you using a web application firewall (WAF)?
ANSWER: Utilizes a web application firewall (WAF) and alerts are actioned
User Notes:
PowerSchool utilizes a best-in-class web application firewall (WAF) to protect against application layer attacks including, but not limited to, DDoS, cross-site scripting (XSS) and SQL injection.
Result: Meets Expectations
SM11 - Do you subject your code to static code analysis and/or static application security testing prior to release?
ANSWER: Yes
User Notes:
We subject our application to static code analysis, dynamic analysis, and software composition analysis (SCA) testing prior to release. The PowerSchool Product Development team conducts scans on all PowerSchool application software to identify potential security vulnerabilities, including those outlined by the Open Web Application Security Project (OWASP). Issues identified are promptly remediated to ensure a clean scan before release.
Result: Meets Expectations
SM12 - Do you enforce MFA for vendor administrative access?
ANSWER: Uses MFA
User Notes:
MFA is enforced across internal networks where applicable throughout the organization.
Result: Meets Expectations
SM13 - Does your solution support single sign-on (SSO) protocols for user and administrator authentication? (e.g. InCommon)
ANSWER: Does provide an institution-approved SSO for institutional users and administrators
User Notes:
SSO authentication includes the SAML, OIDC and OpenID protocols, and OAuth 2.0 for machine-to-machine (M2M). SIS can operate as a Service Provider/Identity Provider or as a Relying Party to an Identity Provider like Microsoft, Google and Auth0. M2M integration utilizes OAuth 2.0 with SIS or Auth0 as Identity Provider. In addition, local login is available if not using SSO.
Result: Meets Expectations
SM14 - Are audit logs available to the institution that include AT LEAST all of the following: login, logout, actions performed, timestamp, and source IP address?
ANSWER: Audit logs include all of the following: login, logout, actions performed, and source IP address, only by formal request
User Notes:
PS SIS logs all login attempts in the application database. Access to the environments would be tracked by the applicable cloud hosting environment.
Result: Partially Meets Expectations
SM15 - Can your system auto provision accounts through SSO?
ANSWER: Yes
Result: Meets Expectations
SM16 - Do you support differentiation between email address and user identifier?
ANSWER: Yes, and enforces it
User Notes:
PowerSchool has implemented edit checks to distinguish between an email address and other user identifiers based on the input context. While this differentiation may not be uniformly applied across all systems, edit checks are enforced where applicable.
Result: Meets Expectations
Third Party Assessment
TP01 - Will institution data be shared with or hosted by any third parties?
ANSWER: Shared and/or hosted only to provide service
User Notes:
Institution data is shared only with vendors and hosting providers who provide specific services. PowerSchool conducts annual security reviews of all vendors and hosting providers. Our management also obtains and reviews attestation reports from vendors and third parties to assess the effectiveness of controls within their environments.
Result: Meets Expectations
TP02 - Do you perform security assessments of third party companies with which you share data? (i.e. hosting providers, cloud services, PaaS, IaaS, SaaS, etc.)
ANSWER: Yes
User Notes:
Institution data is shared only with vendors and hosting providers who provide specific services. PowerSchool conducts annual security reviews of all vendors and hosting providers. Our management also obtains and reviews attestation reports from vendors and third parties to assess the effectiveness of controls within their environments.
Result: Meets Expectations
TP03 - Have your systems and applications had a third party security assessment completed in the last year?
ANSWER: Yes, has a 3rd party assessment and can provide high level results and gives organization's name
User Notes:
All PowerSchool products undergo annual external penetration testing conducted by a third-party firm. We conduct regular vulnerability assessments as part of our security practices. Additionally, PowerSchool’s security program is audited via ISO 27001:2022 to ensure adherence to industry standards for safeguarding data. The resulting reports from the audits are made available to customers behind NDA through our Whistic platform.
Result: Meets Expectations

Vetting Context

Policies Cited

The following URLs were cited as a basis for this information.

Geographical Context

(Laws and regulations can vary across regions)
California, United States

Regulatory Compliance

The information below provides insight into compliance with various regulatory policies.

  • GDPR Compliant: Yes
  • FERPA Compliant: Yes
  • COPPA Compliant: No
US State Regulatory Compliance:
  • Arkansas HB 1961
  • California AB 1584
  • California SB 1177
  • California AB 2799
  • California AB 2828
  • Georgia SB 89
  • Kansas HB 2008 (S sub)
  • Maine SP 183

This application can be used by children under the age of 13.


Email: Support@1edtech.org

The views and opinions expressed in this information are those of the authors and do not necessarily reflect the official policy or position of 1EdTech. The information provided is intended to surface trends about the policies and procedures of systems leveraged by the educational community. It should not be considered legal advice.

Disclaimer: The 1EdTech TrustEd Apps Security Practices Rubric provides a self-assessment tool for a supplier to evaluate their product, according to the 1EdTech TrustEd Apps Security Practices Rubric Specification v1.0. This information is to be a starting point for institutional security review processes and is not intended to serve as a full security review. Find out more here.

© Copyright 2024 1EdTech Global Learning Consortium Inc. All Rights Reserved.

App Vetting Rubric Version: 2