Single Sign-On (SSO) Makes Authenticating Your Users Easy
Branching Minds supports a variety of Single Sign-On (SSO) technologies and protocols, including but not limited to, Google Apps, Microsoft Azure AD, Active Directory/LDAP, and SAML. In addition, Branching Minds is capable of integrating with any OpenID or OAuth platforms and, if necessary, can configure both password and non-password based email authentication.
Branching Minds Prioritizes the Security and Privacy of Your Data
|At Branching Minds, we are serious about our data safeguarding responsibilities. We have implemented several security measures to protect PII from unauthorized disclosure.|
|NIST CSF Alignment||Branching Minds as an organization and product is regularly aligned with the NIST Cybersecurity Framework|
|Data Encryption||All data on Branching Minds is encrypted in transit and at rest.|
|File Transfer Protocol||Data is securely transferred to Branching minds using File Transfer Protocol (FTP) over secure (SSL/TLS) cryptographic protocol.|
|Firewalls||Anti-virus software and firewalls are installed and configured to scan our system. The firewall is periodically updated and configured so users cannot disable the scans.|
|Data Storage Provider||We store all of our data and host Branching Minds at secure off-site facilities managed by industry-leading Amazon Web Services (AWS) at their secured data centers in the United States. These data centers are housed in nondescript facilities and physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or AWS. All physical access to data centers by AWS employees is logged and audited routinely. All access to the information within Branching Minds stored on these servers is encrypted. User passwords are also encrypted and all data stored with AWS on their computers is secured behind a firewall.|
|Security Audits||Branching Minds conducts internal security audits and code reviews on a regular basis.|
|Secure Programming Practices||Branching Minds software developers are aware of secure programming practices and strive to avoid introducing errors in our application (like those identified by OWASP and SANS) that could lead to security breaches.|
|Account Protection||Each user of Branching Minds is required to create an account with a unique account name and password.|
|Facility Security||Branching Minds is located inside the continental United States. Physical access is protected by electronic access devices, with monitored security and fire/smoke alarm systems.|
|Data Retention & Management||All PII provided to Branching Minds will be destroyed upon termination of our relationship with the school or district, or when it is no longer needed for the purpose for which it was provided|
|Staff Training & Background Checks||All employees undergo regular training on security best practices. All employees and contractors with access to PII or who work onsite undergo background checks.|
|Third Party Vendor Monitoring||All Branching Minds vendors are monitored by us on an ongoing basis to ensure they utilize industry-standard privacy precautions.|
|Password Protection||All Branching Minds employees utilize an encrypted password storage system to safeguard sensitive login information.|
|Data Leak Prevention (DLP)||We employ a leading DLP solution to ensure that sensitive information is not shared in an insecure fashion.|
We Utilize Best Practices to Destroy Your Data Once It’s No Longer Needed
Branching Minds employs United States Department of Education best practice recommendations for data destruction using the following processes for data destruction:
Unless otherwise requested by your district, all PII provided to Branching Minds will be destroyed upon termination of our relationship with you (typically during September of the school year following the school year in which your LEA opts to terminate our relationship), or when it is no longer needed for the purpose for which it was provided.
Data is destroyed using the National Institute of Standards and Technology (NIST) clear method sanitization that protects against non-invasive data recovery techniques.
Sensitive data will not be disposed of using methods (e.g.; file deletion, disk formatting, and one-way encryption) that leaves the majority of data intact and vulnerable to being retrieved.
The individual who performs the data destruction signs a certification form describing the destruction.
Occasionally, non-electronic media used within Branching Minds may contain PII. When these documents are no longer required, the non-electronic media is destroyed in a secure manner (most typically using a shredder) that renders it safe for disposal or recycling.
Branching Minds Is Designed from the Ground Up to Support FERPA Compliance
Restricted access to individually identifiable student and personnel data based on defined system roles to meet all FERPA requirements.
Branching Minds is designed to give administrators flexibility to limit staff access to student information and to ensure that student and staff data is protected in accordance with all FERPA requirements.
After the initial onboarding process, teacher users have access to students listed on their class rosters, as reported by their student information system, while manager users have access to all students at their school (or district). Teacher users can then either request, or be assigned students who they do not initially have access too. In addition, teacher users and manager users can be assigned to multiple schools within a district.
Branching Minds utilizes a permission system to ensure that student data is accessible to teacher users that are working with that student. Conversely, administrators are able to see all data at the campus and district level, depending on their access level.
Restricted access to individually identifiable student progress to staff members involved in educational support planning for the student and defined administrators.
By default, Branching Minds restricts teacher user access to only those students who appear on their official school roster (as provided to Branching Minds through the student information system). Manager users (typically those coordinating RTI/MTSS, such as campus and district administrators, counselors and specialists such as school or district psychologists), who are defined explicitly by the district during implementation planning and onboarding, have access to all students at their school/district. Teacher users can then either request, or be assigned students who they do not initially have access to, by manager users. Both types of users may be assigned to multiple schools by manager users, as necessary.