Bloomz was created to promote and facilitate communication between schools and families in a safe and private environment. Parental engagement, which is proven to help improve student performance, requires open communication channels and straightforward coordination and collaboration between educators, students and their families.
In order to provide this environment, Bloomz complies with regulations like FERPA and COPPA, and all applicable privacy laws. Bloomz is also a signatory of the Student Privacy Pledge, taking responsibility to both support the effective use of student information and safeguard student privacy and information security.
To meet these guidelines, Bloomz has created a platform that accounts for privacy and security at both the front end, where teachers, students and parents interact with our service, and the backend where all information is stored and organized. For example, users can receive messages via text message, mobile app, or email, but contact information like phone numbers and email addresses are only visible to class and school administrators and not exposed to others. We have also implemented strict advanced cloud computing practices and policies to ensure the integrity of the data we manage. We strive to bring best-in-class security and controls to users and educational organizations, and continually work with school and district administrators to build upon our existing infrastructure.
This document provides an overview of the policies and practices that comprise our security approach.
Bloomz’s approach to security consists of the following components to maintain data security and integrity:
- Internal policies
- Identity security
- Physical security
- Server security
- Database & Software security
- Privacy principles
- Regulatory compliance
Each of these components are described in more detail below.
1. Internal policies
Bloomz is constantly listening to and acting upon industry-leading security guidelines, regulation and recommendations to guide our own policies and procedures.
- Bloomz’s policies and practices are intended to safeguard sensitive information, providing assurance to educational organizations who entrust us.
- Bloomz is developing privacy and security training that all employees will take at the time of hire and annually thereafter.
- All Bloomz employees and contractors sign agreements that require them to preserve and protect the confidentiality of sensitive information they may access while working with us.
- Information security controls are in constant evolution to ensure they are current, relevant and in compliance.
2. Identity security
Bloomz’s technology is thought of with security in mind to prevent inadvertent access of user information.
- Sensitive information is protected at rest and in transit across untrusted networks using encryption.
- Clear text passwords are not stored in the DB. Passwords should be at least 8 characters long and must have one alphabet and one number.
- Salted passwords with one-way encryption are recorded.
- Passwords are only sent via HTTPS only.
- Request old password while updating to new password.
- Request password to change the identity of the user.
- Authentication tokens are valid for one week for authenticated users.
- All Cookies are HTTPS and domain associated so that other services cannot read the cookies.
3. Physical security
While the Bloomz team works remotely, strong measures are taken to protect systems that access, store, transmit or process user information.
- Logging into a sensitive system is controlled by strong password requirements and access is assigned by role under need-to-know basis.
- All devices used by Bloomz personnel are required to include antivirus software and strong authentication requirements.
- Bloomz is hosted in AWS and Microsoft Azure data center facilities with rigorous physical security controls including a non-descript location, security staff, layered electronic access controls from all building ingress points to interior zones, intrusion detection, and surveillance monitoring.
4. Server security
Bloomz uses Amazon Web Services (AWS) and Microsoft Azure to host and operate our service.
- AWS’s environmental protections reduce the risks associated with fire, loss of power, flood, humidity, and temperature changes in their facilities.
- Data center facilities are strategically located in regions that are less commonly affected by natural disasters.
- Cloud-based information storage is protected from environmental threats using fault tolerance and redundancy.
- The AWS cloud infrastructure has been designed and managed in compliance with regulations, standards, and best practices, including HIPAA, SOC 1/SSAE 16/ISAE 3402 (formerly SAS70), SOC 2, SOC 3, PCI DSS Level 1, ISO 27001, FedRAMP, DIACAP and FISMA, ITAR, FIPS 140-2, CSA, and MPAA.
- All the APIs to the server are on HTTPS. The API servers do not accept any requests on HTTP.
- Only ports 443 (HTTPS), and 22 (SSH) are opened on the API servers.
- SSH port can only be logged in via provided certificate.
- WW web server runs on Apache and redirects all HTTP requests to HTTPS endpoint.
5. Database and Software security
Bloomz is delivered using industry tested technology with privacy, end user safety, and security in mind.
- All databases run on top of Linux Ubuntu 64-bit servers.
- MongoDB, a NoSQL DB is used as the backend database.
- The databases are run on a network mask that is opens connections only from specific API servers
- Machines that run the primary and slave databases accept DB connections only through restricted Virtual Network (VNet).
- Only ports 22 (SSH) and DB ports are opened on the API servers.
- SSH port can only be logged in via provided certificate.
- Hard backups are stored on MongoDB MMS service.
- Bloomz works with researchers of varied disciplines and expertise under a bounty program to perform security assessments of our applications.
- Vulnerabilities discovered in our applications are prioritized and remediated to improve the overall security of our platform.
- Bloomz follows an industry standard secure development process that aims to avoid common security exposures.
6. Privacy principles
Bloomz has adopted modern practices with respect to handling personal information.
- Groups/Classes/Communities with controlled level of access for effective coordination, calendar and knowledge sharing
- Classroom membership is only via invitation – teachers can invite explicitly, even with class codes, additional security for verifying members is added.
- Classrooms are visible only for members of a school community
- None of the child information is pushed to the services that Bloomz uses for user analytics purposes.
- Bloomz maintains a Privacy Notice in a clear and visible location on our website to inform consumers about how personal information is used, collected, and shared.
- Bloomz will never sell, trade, barter, or exchange for value consumers’ personally identifiable information or personal data.
- In the case of a security incident resulting in a data breach or the unauthorized disclosure of personal information, as defined by a state, federal or other regulation, Bloomz will promptly notify impacted parties and authorities.
7. Regulatory compliance
Bloomz works with legal counsel to ensure that our products and practices remain compliant with relevant mandates and regulations.
- Bloomz meets COPPA legislative requirements.
- Bloomz helps schools comply with federal FERPA regulations.
To learn more about our Bloomz School and District subscriptions, please click below to schedule a demo with our team.