KidRewards Security Whitepaper
KidRewards operates the services offered on kidrewards.org (the "KidRewards Website"), including the KidRewards platform (the "KidRewards Platform"), and any associated mobile applications (the "KidRewards Apps") or products and services that Company may provide now or in the future (collectively, the "Service").
Protecting data privacy and security is a top priority for KidRewards. Our Privacy Policy and Student Data Privacy Addendum solidify the commitments that KidRewards and schools make to each other, including our security and privacy commitments. Capitalized terms not defined in this document, such as "Student Data", are defined in our Student Data Privacy Addendum. We regularly evaluate our policies and practices to improve security and to keep up with the latest practices of the security industry.
This document is designed to provide technical readers, such as Chief Information Officers or Chief Technology Officers at school districts, additional clarity and specifics about our security commitments. While this document is written for technology experts who often play a key role in assessing our policies, we recognize that data security is just as important to families, teachers, and students as it is to school officials. Additionally, should you have security or privacy questions, please reach out to our team at contact@kidrewards.org.
Infrastructure Security
Encryption
Access to the KidRewards Service occurs via encrypted connections (HTTP over TLS, also known as HTTPS), which encrypt all data before it leaves the KidRewards Service's servers and protect that data as it transits the internet. We use HTTP Strict Transport Security to ensure that pages are loaded over HTTPS connections.
Network Security
Network access to the KidRewards Services infrastructure is highly restricted.
Patching
We use automated processes to regularly install security updates on the infrastructure that powers the KidRewards Services; these processes include:
Backups and Availability Control
We have a data backup and recovery capability that is designed to provide a timely restoration of the KidRewards Services, with minimal data loss, in the case of catastrophic failure. These backups are encrypted and stored in multiple availability zones. Additional technical and organizational measures to ensure that Student Data are protected against accidental destruction or loss (physical/logical) include:
- Uninterruptible power supply (UPS);
- Remote storage; and
- Firewall systems.
Physical Security
Physical Access Controls
Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Student Data are Processed*, include:
- Establishing security areas, restriction of access paths;
- Establishing access authorizations for employees and third parties;
- Access control system (ID reader, magnetic card, chip card);
- Key management, card-keys procedures;
- Door locking (electric door openers etc.); and
- Surveillance facilities, video/CCTV monitor, alarm system.
Virtual Access Control
Technical and organizational measures to prevent data processing systems used for Student Data from being used by unauthorized persons include:
- User identification and authentication procedures;
- ID/password security procedures (special characters, minimum length, change of password); and
- Encryption of archived data media.
Disclosure Control
Technical and organizational measures to ensure that Student Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Student Data are disclosed, include:
- Encryption/tunneling;
- Logging; and
- Transport security.
Entry Control
Technical and organizational measures to monitor whether Student Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:
- Logging and reporting systems; and
- Audit trails and documentation.