Information Security at PERTS

PERTS has strong information security policies and a proactive security culture. This page summarizes how PERTS secures student data and PERTS policies regarding potential data breaches. Our privacy policies can be found at perts.net/terms.

How does PERTS secure data?

  • PERTS works with third-party security experts to perform penetration tests and security scans of our systems. Submit a support ticket to request a third-party security certificate.
  • PERTS chooses cloud services with best-in-class security practices, all of which provide SOC 2 audit reports and achieve ISO 27001, 27017, and 27018 certifications.
  • PERTS double-encrypts data in transit and data at rest using industry-standard AES-256 file containers on top of already-existing protections (full-disk encryption, TLS connections).
  • PERTS staff prevent attacks from online threats by using dedicated devices with anti-virus and malware protection.
  • PERTS staff prevent attacks from in-person threats by using dedicated devices with full-disk encryption and password-locked accounts.
  • PERTS trains staff to be aware of typical social engineering attacks, such as phishing, and forward suspicious communications to the Director of Technology before interacting or responding.

Third-Party Security Statements

These services operate our web servers and store potentially private information about teachers and students who use our programs. Each service protects data in transit with TLS, encrypts stored data, and segregates our data from all other service customers. Only a handful of PERTS staff have password-protected access to these accounts, which we never share. Please refer to each service's security statement for more details.

Third-Party Services used in 2021-22 school year for Elevate, Ascend, MessageIT, and Catalyze:

Third-Party Services used in 2021-22 school year for Growth Mindset for College Students, Social Belonging for College Students, and Growth Mindset for 9th Graders:

Services used by PERTS in prior years:

What constitutes a data breach?

We consider an event a data breach if it involves the possibility that our privacy policy was violated, like the exposure of personal information to unauthorized parties.

The PERTS privacy policy defines personal information the same way as the Family Educational Rights and Privacy Act (FERPA), as “any information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.”

How are breach responsibilities divided?

All PERTS team members are responsible for being alert to signs that a data breach has occurred. The Director of Technology is responsible for leading the response to suspected and actual data breaches. The Director of Programs is responsible for external communication required as a result of any data breach. Legal consultation is provided by our fiscal sponsor, Tides Center.

How are suspected data breaches escalated?

Any suspicions of a data breach are reported to the Director of Technology.

How does PERTS detect data breaches?

  • PERTS manually verifies Authorized Organizational Representatives (see the corresponding section in the privacy policy) before allowing them to access personal information from their organization. All instances of access are recorded and audited.
  • PERTS periodically audits all access to data-containing accounts and account credentials.
  • PERTS monitors notices from third-party services we use about any applicable security issues.

What are the typical steps to respond to a data breach?

  • Choose appropriate staff members in each department to identify, contain, and recover from the breach.
  • Identify what type of breach has occurred and reference prepared protocols.
  • Secure all potentially-affected data by changing passwords and encryption keys and/or closing accounts.
  • Back up any digital evidence related to the breach.
  • Fully wipe any affected devices.
  • Identify the source of the breach.
  • Alert legal counsel.
  • Notify data owners about the breach.
  • Conduct a post-mortem and act on any take-aways.

Privacy Policy

Our privacy policy covers all data stored or processed by cloud services across all PERTS programs.