Technical, Security, and Compliance Overview
Liaison is committed to maintaining the highest technical, security, and compliance standards as outlined below.
General Security Practices
Network Security
Liaison understands that network security is key to data protection. The following active monitoring practices and independent security audits help protect against any external network threats:
- Secure Isolated Network
- Network Firewalls
- DDoS Attack Prevention
- Intrusion Detection
- Security Event Management
- Internal and External Network Scanning
Family Educational Rights and Privacy Act (FERPA) Compliance
Liaison performs all services in compliance with all applicable laws and regulations, including the Family Educational Rights and Privacy Act (20 USC §1232g) (FERPA). FERPA is a federal law in the United States that protects the privacy of students' personally identifiable information (PII). Under FERPA, Liaison is considered to be a third-party vendor.
To help education stakeholders learn about data privacy, confidentiality, and security practices related to student-level longitudinal data systems and other uses of student data, the US Department of Education established the Privacy Technical Assistance Center (PTAC). PTAC maintains a website that outlines the responsibilities of third-party service providers under FERPA. You can visit PTAC's site to learn more about the practices to which Liaison adheres.
User Settings and Permissions
Liaison ensures that each user has a unique username and follows industry-standard best practices for password creation. WebAdMIT administrators can control user settings and access to specific programs, such as:
- Controlling who has access to certain permissions and groups
- Configuring interviews and assignments as private reviews
- Controlling access to programs, panels, permissions, and settings
Data Security
Data Center
Liaison houses its systems in a state-of-the-art data center. Additionally, we partner with cloud services such as Amazon Web Services and Google Cloud. Some of the benefits of using these data centers and cloud services include:
- 24/7 network, equipment, and data monitoring
- Proactive fault identification, reporting, and problem resolution
- Card and biometric security systems
- Physical and electronic security
- Uninterruptible Power Supplies (UPS) and backup generators on site
- N+1 or greater redundancy for all essential systems and networking devices to reduce single points of failure
- SOC 1 and SOC 2*
- PCI certified compliance data center*
- SAS70 Type II / SSAE16 certified
*Supporting documentation is available upon request with a signed non-disclosure agreement. Please reach out to your Liaison point-of-contact for more information.
Personally Identifiable Information (PII) and Data Encryption
Personally Identifiable Information (PII) refers to information that can be used to identify or track an individual. Liaison uses industry-standard best practices (i.e. technical, physical, and administrative safeguards) to protect sensitive personal information from unlawful use and unauthorized disclosure. These best practices mean that:
- Data is fully encrypted on a secure network
- Data is transferred over SHA-256 and RSA 2048
- Data is encrypted in transit and at rest
- Encryption keys are stored in secure off-site locations
- Integrated third-party products must comply with Liaison's PII security policy and PII compliance program
To learn more about PII and the types of information that fall into that category, visit https://en.wikipedia.org/wiki/Personally_identifiable_information.
Data Privacy
Liaison adheres to stringent data privacy guidelines that focus on data collection that is relevant, lawful, and not excessive. This data is retained for no longer than is necessary to fulfill its intended purpose and is stored in a secure environment. To maintain both the integrity and privacy of this data, we take the following precautions:
- Access to sensitive data is monitored and restricted to authorized personnel
- Procedures are in place for reporting privacy breaches and data misuse
- Data is stored and deleted in a secure manner
Data Movement
Liaison's WebAdMIT API allows developers to automate admissions tasks. For example, institutions can use our Export API to extract applicant data from WebAdMIT for analysis, processing, or other integration with on-campus systems. For more information, visit our Integration Help Center.
GDPR
Protection of data is a primary focus for Liaison and its partners. We understand that our partners and users trust our tools and services to protect their privacy, and this is a responsibility we administer with attention and care.
The European Union has recently granted new data rights to European residents under the General Data Protection Regulation (GDPR). While the majority of its provisions are already supported by our existing processes, agreements, and policies, we will be making a few changes to ensure we adhere to these new provisions.
What will be changing in the Liaison products?
We will be providing more clarity for our users around the data we collect, how it is used, and with whom it is shared. To do this, we will be updating our Terms & Conditions and our Privacy Policy.
We will ask our users to accept these policies and the various ways we process their data in support of our services.
How will Liaison support our partners and clients in response to the new regulation?
Liaison’s tools and services exist to collect data from our users and, with the consent of these users, transmit it to our partners, schools, and programs. If we receive a request from a user to take action on their data under the rights afforded to them by the GDPR, we will coordinate a response to the request with the appropriate partners.
As is required under the new regulation, we have processes and procedures in place that will allow us to effectively access, rectify, or erase data as deemed appropriate.
Where can I learn more about GDPR?
The European Commission's website serves as a primary source of information about the GDPR.
Service Level Standards
Uptime Metrics
Liaison employs its best efforts to meet or exceed the following service level standards:
- Availability: Liaison shall maintain 99.5% System availability on a monthly basis, not including scheduled downtime, maintenance, and force majeure.
- Scheduled Maintenance: Liaison will:
  - Notify the Institution of upcoming scheduled maintenance periods at least 24 hours in advance of the maintenance period
  - Generally perform scheduled maintenance outside of business hours (Monday-Friday, 9AM-6PM ET)
  - Generally limit scheduled maintenance to less than 12 hours per month
- Unscheduled Outages/Disruption of Availability: Liaison shall promptly notify the Institution of any unscheduled outages or disruptions to availability. Notification will include identification of the severity of the outage, communication protocol (e.g., who will provide updates and how often), contact name for unscheduled communications/updates, and estimated time for resolution, if known.