Security & Data Protection

CollegeNET is a pioneer in Software as a Service (SaaS) technology holding several patents related to web-based commerce. We adhere to the highest standards of security for protecting our customers’ data and privacy. These standards cover all three areas of Internet security and data privacy: (1) secure transmission of data over the Internet, including financial transactions, (2) protection of networks and systems from external attack, and (3) user privacy.

Data Transmission

Every step of processing an online transaction, from the submission of data by the user to the final data download to your institution, has been designed with security in mind. All confidential, personal, or sensitive information transmitted to or from CollegeNET over the Internet is encrypted using strong, modern, PCI-compliant cryptography methods such as TLS or SSH.

Financial Transaction Security – PCI-DSS Compliance

CollegeNET is in compliance with the strict requirements of the Payment Card Industry Data Security Standards (PCI-DSS). We are SOC2 compliant, and undergo yearly audits and quarterly external network scans by Moss Adams. CollegeNET is classified as a Level Three Merchant by the PCI Standard.

Network and System Protection

CollegeNET's secure systems are configured to prevent intrusions and protect from abuse in day-to-day use by a combination of the features described below.

Prevention

We strictly and continuously monitor access to our servers. Administrative access is restricted to users with a documented need for access, via our secured local network. All administrative access must be attained through encrypted connections.

Although administrative credentials are not allowed to cross the network unencrypted, the network is fully switched to prevent sniffing of network traffic. Our firewalls are in redundant configurations.

Every employee is required to use a strong password for each machine they access. Staff accounts are regularly audited for strength and checked to ensure they do not appear in any public data breaches.

All CollegeNET servers are audited regularly for vulnerabilities. We update our scanning utilities with the latest security exploits. Although our servers are firewalled, they are configured, by default, not to trust each other. This helps to contain and minimize the impact of any attack. All services not in use are shut off, and the remaining services are updated and secured before a machine is brought live on our network.

Detection

Multiple Intrusion Detection Systems (IDS) monitor our network in real time. The IDS locally and remotely monitor the logs, file systems, network traffic and services running on each machine. The IDS are monitored continuously and will automatically alert the on-call Systems Administrator if a failure of the IDS occurs.

Response

At least one Systems Administrator is on call 24 hours a day, 7 days a week. The system pager will contact the on-call Systems Administrator if any system or security issue arises.

Servers

CollegeNET servers use a combination of Linux and Windows operating systems. These operating systems were selected based on their reliability, scalability, efficiency and security. All software and operating systems are updated with the latest patches and updates before they go live, and are kept up-to-date while online.

Network

The routers, firewalls and switches are top-of-the-line equipment in redundant configurations. CollegeNET maintains diverse physical connections to multiple upstream ISPs. We own our own portable network block to facilitate load balancing and rapid disaster recovery.

Backups

Automated network backups are performed on a regularly scheduled basis with encrypted archives stored at an off-site facility for quick restoration in case of the need for disaster recovery. In addition to the backups, our servers use RAID technology to greatly increase the reliability of the information while on disk.

User Data Privacy

All data is encrypted at rest and in transit with strong cryptographic algorithms.

CollegeNET has a strict policy never to give, sell, rent or trade any personally identifiable information to third parties for marketing or other purposes. See our Privacy Statement.

To report any security issues to CollegeNET, please contact privacy_help@collegenet.com with the details.