PERTS has strong information security policies and a proactive security culture. This page summarizes how PERTS secures student data and PERTS policies regarding potential data breaches.
Information Security at PERTS
Relevant policies
Unless superseded by a separate written agreement, the Terms of Use and Privacy Policy apply to all PERTS programs and services offered through copilot.perts.net and neptune.perts.net.
The Public Sites Privacy Policy applies to visits and interactions with PERTS public websites, including mindsetkit.org, PERTS social media pages, and perts.net pages that can be visited without registering for an account (“PERTS Public Sites”).
Securing data
- PERTS works with third-party security experts to perform penetration tests and security scans of our systems. Verify and download our current audit certificate.
- PERTS chooses cloud services with best-in-class security practices, all of which provide SOC 2 audit reports and achieve ISO 27001, 27017, and 27018 certifications.
- PERTS double-encrypts data in transit and data at rest using industry-standard AES-256 encrypted file containers on top of already-existing protections (full-disk encryption, TLS connections).
- PERTS staff prevent attacks from online threats by using dedicated devices with anti-virus and malware protection.
- PERTS staff prevent attacks from in-person threats by using dedicated devices with full-disk encryption and password-locked accounts.
- PERTS trains staff to be aware of typical social engineering attacks, such as phishing, and to forward suspicious communications to the Director of Technology before interacting or responding.
Third-party security statements
These services operate our web servers and store potentially private information about teachers and students who use our programs. Each service protects data in transit with TLS, encrypts stored data, and segregates our data from all other service customers. Only a handful of PERTS staff have password-protected access to these accounts, which we never share. Please refer to each service's security statement for more details.
Third-party services used for Elevate, Ascend, and Catalyze:
Additional third-party services used for Growth Mindset for College Students, Social Belonging for College Students, and Growth Mindset for 9th Graders:
Compliance documentation
For the Ascend, Catalyze, and Elevate programs, data is transmitted and stored exclusively on the Google Cloud Platform (this includes Google Drive/Workspace). Please refer to the corresponding SOC 2 audit reports and HECVAT. See also Google Cloud's full list of compliance offerings.
For the Ascend, Catalyze, and Elevate programs, PERTS completes a Voluntary Product Accessibility Template (VPAT).
What constitutes a data breach?
We consider an event a data breach if it involves the possibility that our privacy policy was violated, like the exposure of personal information to unauthorized parties.
The PERTS privacy policy defines personal information the same way as the Family Educational Rights and Privacy Act (FERPA), as “any information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.”
Data breaches
How are breach responsibilities divided?
All PERTS team members are responsible for being alert to signs that a data breach has occurred. The Director of Technology is responsible for leading the response to suspected and actual data breaches. The Director of Programs is responsible for external communication required as a result of any data breach. Legal consultation is provided by our fiscal sponsor, Tides Center.
How are suspected data breaches escalated?
Any suspicions of a data breach are reported to the Director of Technology.
How does PERTS detect data breaches?
- PERTS manually verifies Authorized Organizational Representatives (see the corresponding section in the privacy policy) before allowing them to access personal information from their organization. All instances of access are recorded and audited.
- PERTS periodically audits all access to data-containing accounts and account credentials.
- PERTS monitors notices from third-party services we use about any applicable security issues.
What are the typical steps to respond to a data breach?
- Choose appropriate staff members in each department to identify, contain, and recover from the breach.
- Identify what type of breach has occurred and reference prepared protocols.
- Secure all potentially affected data by changing passwords and encryption keys and/or closing accounts.
- Back up any digital evidence related to the breach.
- Fully wipe any affected devices.
- Identify the source of the breach.
- Alert legal counsel.
- Notify data owners about the breach.
- Conduct a post-mortem and act on any takeaways.
Student data privacy
- We collect and use student data exclusively for providing requested services. See our privacy policy under "Purpose".
- Student data is routinely returned or destroyed. See our privacy policy under "Expiration".
- Subcontractors handling student data adhere to stringent security practices. See third-party security statements.
- Student data is handled securely and stored exclusively on dedicated devices (see Securing data) or trusted cloud services.
- Students and/or their guardians may request that data be updated or removed by submitting a support ticket.