Privacy and Security Overview
Permission Click (“PC”) is a trusted partner of thousands of schools, with over a million users relying on the platform. Permission Click has users in many countries around the globe, including Canada and the United States, ranging from districts with 600 schools and 250,000 students to individual school buildings.
Comprehensive Privacy Impact Assessments (PIAs), data security and threat assessment audits, and architecture reviews of Permission Click’s systems have been undertaken by districts in multiple countries (including Canada’s largest school board), insurance partners, and independent partners. We are proud to say we have never failed a privacy impact assessment or data security audit in any of the dozens of countries where we have users.
Permission Click meets security compliance requirements including, but not limited to:
We have a robust communication plan in place to immediately notify the Customer of the particulars of any security breach or threat occurrence, including, but not limited to:
- Unauthorized access, collection, use, disclosure, alteration or disposal of Personal Information or records containing Personal Information; or,
- Unauthorized access to facilities or equipment that has occurred or is likely to occur. In either case the Supplier shall immediately notify the Customer of the particulars of that occurrence or likely occurrence.
In order to mitigate security breaches, Permission Click has the capability to lock out:
(a) All or some users;
(b) All users with a specific role; or,
(c) All users with a specific security level.
Security for SaaS Offering
Permission Click has an established information security policy that conforms to the International Organization for Standardization/International Electrotechnical Commission (“ISO/IEC”) 27001:2013 code of practice for information security policy and controls. In addition, we will provide the latest evidence of the following security reports, including, but not limited to:
- Service Organization Control (“SOC”) monitoring
Permission Click has an active SOC program in place, including regular third-party monitoring of systems for SOC compliance completed by Microsoft’s Security Center. Permission Click operates fully in the cloud, leveraging the world-class Microsoft Azure infrastructure, which maintains the highest industry standards for STAR certification level 2, SOC1, SOC2, SOC3, and ISO 27001 & 27018 Information Security Management.
Connection to Permission Click is secured and encrypted using 256-bit SSL (Secure Sockets Layer), the same level of encryption used by leading banks and government agencies. Data is encrypted in transit whenever it is transmitted across networks. The application secures data using:
- Transport-level encryption, such as HTTPS;
- Wire encryption, such as SMB 3.0 encryption;
- Client-side encryption, to encrypt the data before it is transferred into storage and to decrypt it after it is transferred out of storage.
Documents and transactions are also stored and encrypted at rest using AES 256-bit encryption. Each one is encrypted with a unique key. As an additional safeguard, each key is encrypted with a regularly rotated master key. Permission Click uses secured protocols such as Secure Shell (“SSH”), Pretty Good Privacy (“PGP”), and/or Secure File Transfer Protocol (“SFTP”) encrypted connections where applicable.
Permission Click leverages Stripe as a third-party payment collection back end. Stripe is an industry-leading processor certified as PCI Level 1 compliant. Permission Click does not store any cardholder or personally identifiable payment data on file. Tokens identifying account owners are also encrypted for security and privacy, and all communication is encrypted with 256-bit SSL (stronger than the 128-bit encryption used by many banks).
Additionally, Permission Click offers:
We use state-of-the-art web application firewalls, and vulnerability and penetration testing. Our fully redundant platform is hosted in the world-class Microsoft Azure environment.
Permission Click’s ‘SafePay’ payment processing platform utilizes strong end-to-end encryption, tokenization, and rigorous key management protocols. While PCI standards are designed and utilized for payments, we apply that same level of rigorous security to all sensitive data related to payments, which is stored securely within our systems, so schools and districts don’t need to store sensitive payment data locally in their own environments.
Permission Click never stores parent cardholder information within the Permission Click application, instead working with tokenized information handled by Stripe in a fully PCI-approved manner.
Permission Click Antivirus & Anti-spam Methods
Antivirus and anti-spam protection are handled by Microsoft Antimalware for Azure. This is real-time protection that identifies and removes viruses, spyware, and other malicious software. It generates alerts when known malicious or unwanted software tries to install itself or run on Azure systems.
The solution is built on the same antimalware platform as Microsoft Security Essentials [MSE], Microsoft Forefront Endpoint Protection, Microsoft System Center Endpoint Protection, Windows Intune, and Windows Defender.
Permission Click Data Leakage Protection
Your connection to Permission Click is secure and encrypted using SSL (Secure Sockets Layer), the same level of encryption used by leading banks and government agencies. Your documents and transactions are also stored and encrypted at rest using AES 256-bit encryption. Each one is encrypted with a unique key. As an additional safeguard, each key is encrypted with a regularly rotated master key.
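The per-document key and regularly rotated master key described here (and in the “Security for SaaS Offering” section above) form an envelope-encryption scheme. The Go program below is an added illustration of that pattern, not Permission Click’s code: the SealedDoc layout, the MasterKeys map and the choice of AES-256-GCM are assumptions made for the example. It shows why rotating the master key only requires rewrapping each small document key rather than re-encrypting the documents, why an old master-key version cannot be retired until every key wrapped under it has been moved, and how authenticated encryption rejects a ciphertext that has been altered.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// SealedDoc is one stored document (constructed layout, not the vendor's schema): the
// document is encrypted under its own DEK, and the DEK is wrapped under a versioned master key.
type SealedDoc struct {
	KeyVersion int    // master-key version that wrapped the DEK
	WrappedDEK []byte // nonce || AES-256-GCM(master key, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, document)
}

// MasterKeys maps key version to master key. Rotation adds a new version; an old
// version is deleted only after every DEK wrapped under it has been rewrapped.
type MasterKeys map[int][]byte

// aesGCM builds AES-256-GCM; with fixed 32-byte keys neither constructor can fail.
func aesGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no secure randomness: abort rather than continue
	}
	return b
}

func NewMasterKey() []byte { return randomBytes(32) }

// gcmSeal prefixes a fresh nonce so it is stored with the ciphertext.
func gcmSeal(key, plaintext []byte) []byte {
	aead := aesGCM(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// gcmOpen authenticates before decrypting; any altered byte makes it fail.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	aead := aesGCM(key)
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// EncryptDoc gives the document a unique DEK and wraps that DEK under master key version.
func EncryptDoc(keys MasterKeys, version int, doc []byte) *SealedDoc {
	dek := randomBytes(32)
	return &SealedDoc{
		KeyVersion: version,
		WrappedDEK: gcmSeal(keys[version], dek),
		Ciphertext: gcmSeal(dek, doc),
	}
}

func unwrapDEK(keys MasterKeys, d *SealedDoc) ([]byte, error) {
	kek, ok := keys[d.KeyVersion]
	if !ok {
		return nil, fmt.Errorf("master key version %d is no longer available", d.KeyVersion)
	}
	return gcmOpen(kek, d.WrappedDEK)
}

// DecryptDoc unwraps the DEK with the matching master-key version, then opens the document.
func DecryptDoc(keys MasterKeys, d *SealedDoc) ([]byte, error) {
	dek, err := unwrapDEK(keys, d)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, d.Ciphertext)
}

// Rewrap moves a document onto master key version; only the small wrapped DEK is
// rewritten, the document ciphertext is never touched.
func Rewrap(keys MasterKeys, version int, d *SealedDoc) error {
	dek, err := unwrapDEK(keys, d)
	if err != nil {
		return err
	}
	d.WrappedDEK, d.KeyVersion = gcmSeal(keys[version], dek), version
	return nil
}
```

The operational point a practitioner should take from this: a rotation job walks stored records calling Rewrap, and the old version is removed from MasterKeys only once no record still references it; a document left behind under a deleted version becomes unreadable, which is the failure DecryptDoc reports rather than hides.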
Permission Click Email monitoring and blocking of phishing attacks
The permission.click and permissionclick.com domains have both SPF and DKIM enabled to prevent unauthorized persons and systems from sending email impersonating Permission Click email addresses.
Other attempts that use close-match email addresses can be forwarded to firstname.lastname@example.org, to be taken up with the provider or ISP of the offending system.
Permission Click Intrusion Detection Methods
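For a receiving mail server, an SPF record is only useful if it is evaluated against the connecting sender's IP address. The Go program below is an added example of that receiver-side check, not Permission Click's code or the actual TXT records of permission.click or permissionclick.com: the record string, the sender addresses and the EvaluateSPF/SPFResult names are all constructed for the example. It handles the ip4, ip6 and all mechanisms with their +, -, ~ and ? qualifiers and deliberately refuses mechanisms that require DNS lookups (include, a, mx, redirect=) instead of silently skipping them, since a skipped mechanism would turn a "fail" into a false "neutral". DKIM, the second control the section names, is a signature check on the message itself and is not covered here.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// SPFResult is the outcome of evaluating a sender against a domain's SPF record.
type SPFResult string

const (
	SPFPass     SPFResult = "pass"     // sender is authorized for the domain
	SPFFail     SPFResult = "fail"     // a "-" qualified mechanism matched: reject or quarantine
	SPFSoftFail SPFResult = "softfail" // a "~" qualified mechanism matched: accept but mark
	SPFNeutral  SPFResult = "neutral"  // "?" matched, or nothing matched at all
	SPFNone     SPFResult = "none"     // no usable SPF record
)

func qualifierResult(q byte) SPFResult {
	switch q {
	case '-':
		return SPFFail
	case '~':
		return SPFSoftFail
	case '?':
		return SPFNeutral
	}
	return SPFPass
}

// EvaluateSPF decides whether senderIP may send mail for the domain whose TXT
// record is record. Mechanisms are tried left to right and the first match wins.
// Only ip4, ip6 and all are implemented; anything needing DNS is an error so the
// caller never mistakes "unsupported" for "no match".
func EvaluateSPF(record, senderIP string) (SPFResult, error) {
	ip := net.ParseIP(senderIP)
	if ip == nil {
		return SPFNone, fmt.Errorf("invalid sender IP %q", senderIP)
	}
	terms := strings.Fields(record)
	if len(terms) == 0 || !strings.EqualFold(terms[0], "v=spf1") {
		return SPFNone, nil
	}
	for _, term := range terms[1:] {
		qual := byte('+')
		if strings.IndexByte("+-~?", term[0]) >= 0 {
			qual, term = term[0], term[1:]
		}
		name, arg, _ := strings.Cut(term, ":")
		name = strings.ToLower(name)
		matched := false
		switch name {
		case "all":
			matched = true
		case "ip4", "ip6":
			if !strings.Contains(arg, "/") { // a bare address means a single host
				mask := "/32"
				if name == "ip6" {
					mask = "/128"
				}
				arg += mask
			}
			_, network, err := net.ParseCIDR(arg)
			if err != nil {
				return SPFNone, fmt.Errorf("malformed term %q: %w", term, err)
			}
			matched = network.Contains(ip)
		default:
			return SPFNone, fmt.Errorf("mechanism %q needs DNS lookups, which this example does not perform", name)
		}
		if matched {
			return qualifierResult(qual), nil
		}
	}
	return SPFNeutral, nil // no mechanism matched and no "all" term: neutral
}

func main() {
	// Constructed record for illustration; not any real domain's published SPF.
	record := "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"
	for _, sender := range []string{"203.0.113.7", "198.51.100.1", "2001:db8::1"} {
		result, err := EvaluateSPF(record, sender)
		fmt.Println(sender, result, err)
	}
}
```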
Physical Intrusion Security
Permission Click is hosted in a state-of-the-art SAS70 Type II, SSAE 16 facility that has achieved ISO 27001 and ISO/IEC 27018 certification. Physical access is strictly controlled by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors.
Technical Intrusion Security
Permission Click’s security is further monitored by Microsoft Azure Threat Protection. SQL Threat Detection provides an additional layer of security, which enables us to detect and respond to potential threats as they occur by providing security alerts on anomalous activities. We receive an alert upon suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access patterns. SQL Threat Detection alerts provide details of suspicious activity and recommend action on how to investigate and mitigate the threat.
Permission Click Web Application Firewall (WAF) & Next-Generation Firewall (NGFW)
Not applicable. Publicly accessible web properties are protected by Azure-managed network appliances. The remaining systems (storage, databases, etc.) are accessible via internal network connections only. However, when and if required, a WAF and an NGFW can be enabled via the Azure platform on a chargeback basis to customers.
Permission Click DDoS Protection
The scale and capacity of the globally deployed Azure network provides defense against common network-layer attacks through always-on traffic monitoring and real-time mitigation.
Permission Click Security Information and Event Management (SIEM) or Log Correlation
Permission Click creates a comprehensive transaction trail between signing parties. To provide you with a transaction history, we track and timestamp various information, such as IP address and associated user information, from the moment the document is submitted for signature to when it is completely signed and secured. To ensure that any tampering with your transaction log is detectable, we process the transaction log with hashing technology.
Permission Click Audit Trails
The Audit Trail that is appended to all executed signatures/approvals includes an identifier that can be used to look up the corresponding record(s) in our database. These records include a hash of the original response document, which we can compare to the hash of a comparison document to determine whether or not it has been modified or tampered with, and so confirm originality.
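The two controls described in this section and the previous one, a hashed transaction log and a stored hash of the original response document, are illustrated by the Go program below. It is an added example, not Permission Click's code: the AuditEntry fields, the SHA-256 hash chain and the sample entries are constructed for the example, and the page does not state which hash function or record layout the platform uses. It goes slightly beyond the text by chaining each entry's hash to its predecessor, so that editing, deleting or reordering an earlier step invalidates every later hash, and Verify reports the first entry that no longer checks out.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// AuditEntry is one tracked step of a signing transaction. The field set is
// constructed for this example and is not the vendor's record layout.
type AuditEntry struct {
	Seq       int
	Timestamp string // when the step happened, as recorded by the server
	IP        string // client address seen for the step
	User      string
	Action    string
	PrevHash  string // Hash of the preceding entry; empty for the first entry
	Hash      string // SHA-256 over all fields above, including PrevHash
}

// AuditTrail is a hash chain: every entry commits to its predecessor, so
// editing, deleting or reordering any earlier entry invalidates all later hashes.
type AuditTrail struct {
	Entries []AuditEntry
}

// sha256Hex hashes length-prefixed fields so field boundaries are unambiguous
// ("ab","c" and "a","bc" must not hash to the same value).
func sha256Hex(fields ...string) string {
	h := sha256.New()
	for _, f := range fields {
		fmt.Fprintf(h, "%d:%s;", len(f), f)
	}
	return hex.EncodeToString(h.Sum(nil))
}

func entryHash(e AuditEntry) string {
	return sha256Hex(fmt.Sprint(e.Seq), e.Timestamp, e.IP, e.User, e.Action, e.PrevHash)
}

// Append records a step and links it to the entry before it.
func (t *AuditTrail) Append(timestamp, ip, user, action string) AuditEntry {
	prev := ""
	if n := len(t.Entries); n > 0 {
		prev = t.Entries[n-1].Hash
	}
	e := AuditEntry{Seq: len(t.Entries), Timestamp: timestamp, IP: ip,
		User: user, Action: action, PrevHash: prev}
	e.Hash = entryHash(e)
	t.Entries = append(t.Entries, e)
	return e
}

// Verify recomputes every hash and link. It returns the index of the first entry
// that does not check out, or -1 when the whole trail is intact.
func (t *AuditTrail) Verify() int {
	prev := ""
	for i, e := range t.Entries {
		if e.Seq != i || e.PrevHash != prev || entryHash(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// DocumentFingerprint is the hash stored with the record when the response
// document is sealed.
func DocumentFingerprint(doc []byte) string {
	sum := sha256.Sum256(doc)
	return hex.EncodeToString(sum[:])
}

// IsOriginal checks a document presented later against the stored fingerprint,
// using a constant-time comparison as a matter of hygiene.
func IsOriginal(storedFingerprint string, candidate []byte) bool {
	return subtle.ConstantTimeCompare([]byte(DocumentFingerprint(candidate)), []byte(storedFingerprint)) == 1
}

func main() {
	// Constructed sample steps; addresses are documentation ranges, not real clients.
	trail := &AuditTrail{}
	trail.Append("2024-03-01T14:02:11Z", "203.0.113.10", "parent@example.org", "form opened")
	trail.Append("2024-03-01T14:05:40Z", "203.0.113.10", "parent@example.org", "signature submitted")
	trail.Append("2024-03-01T14:05:41Z", "10.0.0.5", "system", "document sealed")
	fmt.Println("intact trail, first bad entry:", trail.Verify())
	trail.Entries[1].IP = "198.51.100.9" // simulate an after-the-fact edit
	fmt.Println("edited trail, first bad entry:", trail.Verify())
}
```

In a real deployment the hash of the last entry (or a periodic checkpoint) would be stored somewhere the application database cannot rewrite, such as a separate append-only log or a signed timestamp; without that anchor, a party who can rewrite the whole table can also recompute the whole chain.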
Permission Click Platform Instance Rollback Options
We always retain the previously running version of our platform and can swap it back in for the current version if the need arises.
Permission Click Vulnerability Testing Protocols
Major and minor releases are fully scanned at high frequency both before and after release. Additionally, most of our infrastructure is PaaS (rather than IaaS), so the underlying platform's security updates are kept current by Microsoft Azure.