At CollegeOne, protecting the privacy and security of student and school data is at the heart of everything we do. From the very beginning, we build our platform with strong security and privacy measures, ensuring that our protections evolve alongside the latest industry best practices. Our Privacy Policy and Student Data Privacy Agreement outline the commitments CollegeOne and participating schools make to each other, including our shared responsibility for security and data protection.

This Security Overview provides a high-level summary of CollegeOne’s information security program. While it is written with technology experts in mind, who often help assess our policies, we recognize that data protection is equally important to families, teachers, and students. To learn more and access resources designed to explain technical details in plain language, please visit our Privacy Policy.

CollegeOne operates the services available through collegeone.net (the “CollegeOne Website”), including the CollegeOne platform (the “CollegeOne Platform”), as well as any mobile applications (the “CollegeOne Apps”) and other products or services we may provide now or in the future (collectively, the “Service”). Terms not defined in this overview, such as “Student Data,” are explained in our Privacy Agreement. We continuously review and update our policies and practices to maintain the highest security standards and stay aligned with the latest developments in data protection. For any questions about privacy or security, please contact our team at [email protected].

Audits and Certifications

The CollegeOne platform is continuously tested and validated to ensure the highest levels of protection. Our team conducts regular penetration testing (PenTesting) using industry-standard tools such as Faraday and Kali Linux, allowing us to proactively identify and remediate potential vulnerabilities before they can be exploited.

Our security program is aligned with the NIST Cybersecurity Framework, a globally recognized standard for organizing and strengthening security programs. In addition, we follow modern engineering practices and comply with key privacy regulations such as GDPR, COPPA, and FERPA. This layered approach ensures that our platform not only meets compliance requirements but also evolves to address new security challenges as they arise.

Physical Security

At CollegeOne, student data is hosted exclusively in the United States through our trusted cloud service providers, Amazon Web Services (AWS) and Oracle Cloud. Both providers maintain state-of-the-art physical security controls, including 24/7 monitoring, biometric access, redundant power systems, and advanced fire suppression.

By leveraging these enterprise-grade infrastructures, CollegeOne ensures that student and school data is safeguarded not only at the application level, but also at the physical and environmental layers of security. These measures provide resilience, reliability, and compliance with the highest industry standards for data protection.

Infrastructure & Corporate Security

Multi-Factor Authentication (MFA)
All CollegeOne employees are required to use multi-factor authentication when accessing corporate systems and cloud resources, ensuring that sensitive information remains protected even if credentials are compromised.

Disk Encryption
All corporate laptops are encrypted using FileVault (macOS) or BitLocker (Windows).

Endpoint Detection & Response
We protect and contain threats at the endpoint level using Cloudflare WAF (Layer 7), providing advanced prevention against malware, ransomware, and other cyber threats.

Threat Detection & Monitoring
CollegeOne leverages Cloudflare to continuously monitor for security threats and suspicious activity across corporate infrastructure, ensuring rapid detection, alerting, and response.

Cloud Security

Cloud Workload Protection

  • CollegeOne workloads run on Oracle Cloud Infrastructure (OCI) and Amazon Web Services (AWS).

  • We perform regular penetration testing using Faraday and Kali Linux to identify vulnerabilities in both applications and infrastructure.

  • Systems are configured following OCI/AWS security best practices and CIS Benchmarks.

Remote Access

  • Administrative access to cloud servers is strictly limited to authorized personnel.

  • Remote access requires VPN and multi-factor authentication (MFA).

  • Identity and access management is centralized for consistent control.

Encryption at Rest

  • All disks on OCI and AWS instances are encrypted using AES-256 with cloud-managed keys.

  • Databases utilize native encryption at rest.

  • Sensitive credentials are securely stored in Vaults (e.g., HashiCorp Vault or GitHub Encrypted Secrets).

Encryption in Transit

  • All application traffic is encrypted using TLS 1.2+.

  • CollegeOne is delivered exclusively through Cloudflare, enforcing end-to-end SSL/TLS and HSTS.

  • Cloudflare provides automatic DDoS mitigation.
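The two properties listed above, a TLS 1.2 floor and HSTS on every response, are the kind of thing a school's IT reviewer will want to confirm rather than take on trust. The following is an added example, not CollegeOne's own code or tooling: it builds a client TLS context that refuses anything below TLS 1.2, and it parses a `Strict-Transport-Security` header and flags a missing or short-lived policy. The one-year `max-age` threshold and the sample header sets are assumptions constructed for the example.

```python
import ssl
from typing import Dict, List, Optional

# Minimum HSTS max-age accepted by this check (one year; an assumption for the example).
HSTS_MIN_MAX_AGE = 31_536_000


def tls12_client_context() -> ssl.SSLContext:
    """Client-side context that refuses any protocol version below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_floor_name() -> str:
    """Name of the lowest TLS version the context above will negotiate."""
    return tls12_client_context().minimum_version.name


def parse_hsts(header: Optional[str]) -> Dict[str, object]:
    """Split a Strict-Transport-Security header into its directives."""
    result: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    if not header:
        return result
    for part in header.split(";"):
        directive = part.strip().lower()
        if directive.startswith("max-age="):
            value = directive.split("=", 1)[1].strip().strip('"')
            if value.isdigit():
                result["max_age"] = int(value)
        elif directive == "includesubdomains":
            result["include_subdomains"] = True
        elif directive == "preload":
            result["preload"] = True
    return result


def hsts_ok(header: Optional[str], min_max_age: int = HSTS_MIN_MAX_AGE) -> bool:
    """True when the header carries a max-age at or above the threshold."""
    max_age = parse_hsts(header)["max_age"]
    return max_age is not None and max_age >= min_max_age


def check_response_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a captured HTTPS response header set (empty list = no issue)."""
    findings: List[str] = []
    lowered = {k.lower(): v for k, v in headers.items()}
    if "strict-transport-security" not in lowered:
        findings.append("missing Strict-Transport-Security header")
    elif not hsts_ok(lowered["strict-transport-security"]):
        findings.append("HSTS max-age below %d seconds" % HSTS_MIN_MAX_AGE)
    return findings


# Constructed sample header sets for the example; not captured from any real site.
GOOD_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=300"}
NO_HSTS_HEADERS = {"Content-Type": "text/html"}

if __name__ == "__main__":
    print("TLS floor:", tls_floor_name())
    for name, hdrs in [("good", GOOD_HEADERS), ("weak", WEAK_HEADERS), ("none", NO_HSTS_HEADERS)]:
        print(name, check_response_headers(hdrs) or ["ok"])
```

In practice the header set comes from the response to a request made through the context returned by `tls12_client_context()`; the parser is kept separate so it can run against saved headers offline.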

Firewall & Traffic Filtering

  • Cloudflare WAF filters malicious traffic and applies custom firewall rules.

  • At the network level, OCI Security Lists and AWS Security Groups restrict connectivity to necessary ports only.

IDS/IPS (Intrusion Detection & Prevention)

  • Cloudflare WAF and anomaly detection monitor traffic in real time.

  • Critical security alerts are escalated to CollegeOne’s security team immediately.

Security Information and Event Management (SIEM)

  • Application, network, and system logs are collected in OCI Logging and Cloudflare Logs.

  • Suspicious patterns generate real-time alerts for rapid investigation and response.

Access Control and Monitoring

Access Monitoring

  • Access is strictly limited to engineers, support staff, and authorized personnel.

  • Permissions are periodically reviewed and updated according to role changes.

  • High-privilege access requires managerial approval.

Audit Logging

  • Logs from OCI, AWS, and Cloudflare provide full traceability of access and traffic.

  • Critical alerts are routed to the security team for immediate action.

Incident Response and Vulnerability Management

Incident Response

  • A formal incident response plan is in place.

  • 24/7 monitoring is maintained via alerts from OCI, AWS, and Cloudflare.

  • All incidents follow defined protocols for containment and remediation.

Vulnerability & Patch Management

  • Regular scans with Faraday, Kali Linux, and other tools identify vulnerabilities.

  • Security patches are prioritized and applied to both infrastructure and applications.

  • Automated updates are deployed when possible to reduce risk.

Product Security

Code Analysis

  • Source code is automatically scanned at each commit for:

    • Static code vulnerabilities

    • Infrastructure-as-Code security issues

    • Dependency and library risks

Credential Management

  • Secrets are stored in secure Vaults.

  • User passwords are protected with one-way salted hashes.

Responsible Disclosure

  • CollegeOne maintains a responsible disclosure policy for security researchers.

Secure Development Training

  • Developers receive annual security training, including OWASP Top 10 best practices.

Software Development Lifecycle (SDLC)

  • Secure development practices include:

    • Peer code reviews

    • Automated security testing before deployment

    • Continuous monitoring and automated rollback for incidents

    • Controlled rollouts with canary deployments

IT Governance

  • Security policies are documented and aligned with industry best practices.

  • Periodic risk assessments are performed.

  • A risk register is maintained and reviewed by the security team.

Business Continuity and Disaster Recovery (BC/DR)

  • Daily encrypted backups are stored in OCI and AWS.

  • Backup access is protected with MFA.

  • Regular restoration tests validate data integrity.

  • Disaster recovery infrastructure on AWS ensures business continuity in case of complete OCI outage.

  • Data replication and synchronization reduce RTO/RPO.

Instruction Control and Data Segregation Security

Role-Based Access Control (RBAC)

  • Access is strictly limited by role.

  • All infrastructure access is logged and monitored.

  • Cloudflare, OCI, and AWS provide logical segregation of traffic and environments.

User Roles & Logical Access Controls

  • Application access is managed through defined roles and logical security controls according to user profiles.