Security & Compliance

Infrastructure Security

Data Centers

Hosted on Amazon Web Services (AWS) with SOC 2/3 compliance
Data centers with 24/7 physical security and biometric access controls
Geographic redundancy across multiple availability zones
Automatic failover and disaster recovery capabilities

Network Security

Web Application Firewall (WAF) protection
DDoS mitigation and rate limiting
Virtual Private Cloud (VPC) isolation
Regular penetration testing by third-party security firms

Data Protection

Encryption

TLS 1.3 encryption for all data in transit
AES-256 encryption for all data at rest
Encrypted database backups with secure key management
End-to-end encryption for sensitive communications

Data Isolation

Logical data separation between schools and districts
Row-level security (RLS) in database architecture
Tenant isolation at application and database levels
No data commingling between organizations

Access Control

Authentication

Secure password requirements with complexity rules
Multi-factor authentication (MFA) available
Single Sign-On (SSO) support via SAML 2.0
Session timeout and automatic logout

Authorization

Role-based access control (RBAC)
Granular permissions for different user types
Audit logs for all access and modifications
Regular access reviews and deprovisioning

Compliance & Certifications

Educational Compliance

• FERPA compliant (pending)
• COPPA compliant (pending)
• State privacy laws (SOPIPA, etc.) (pending)
• Student Privacy Pledge signatory (pending)

Security Standards

• SOC 2 Type II certified (pending)
• ISO 27001 (in progress)
• NIST Cybersecurity Framework (pending)
• OWASP Top 10 protection (pending)

Security Practices

Development Security

Secure software development lifecycle (SSDLC)
Regular security code reviews and static analysis
Dependency scanning and vulnerability management
Security training for all developers

Operational Security

24/7 security monitoring and alerting
Incident response team and procedures
Regular security audits and assessments
Employee background checks and security training

Data Retention & Deletion

Data retained only as long as necessary for educational purposes
Automated data retention policies based on regulatory requirements
Secure data deletion upon request or contract termination
90-day grace period for data export after account closure
Cryptographic erasure for immediate data destruction

Vulnerability Disclosure

We welcome security researchers to help us maintain the highest security standards. If you discover a potential vulnerability:

Report to: security@pinkcow.app

Include: Detailed description, steps to reproduce, potential impact

Response: We'll acknowledge within 24 hours and work with you to resolve

Incident Response

In the unlikely event of a security incident:

Immediate containment and investigation
Notification within 72 hours as required by law
Full transparency about the nature and scope of the incident
Remediation steps and preventive measures
Support for affected users throughout the process

Third-Party Security

We carefully vet all third-party services:

Security assessments for all vendors
Data processing agreements with strict security requirements
Limited data sharing only when necessary
Regular review of third-party security practices