At Tuition.io, we know that many businesses face compliance pressure when managing sensitive customer information.
Tuition’s service provides several technical and process controls that create a foundation to comply with the highest regulatory or industry requirements.
Tuition achieved ISO 27001 certification starting 2018. International Organization for Standardization (ISO) is an internationally recognized best practice framework that specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). ISMS is a systematic approach to managing sensitive company information including people, processes and IT systems.
Learn more about Tuition’s solutions for:
- CCPA Compliance
For more information about Tuition’s security practices, visit Security Overview from our website
About the California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is a state law that went into effect on January 1, 2020. This law provides California residents (consumers) more control over their data and requires companies to be more transparent with what data they are collecting and how they are using that data.
What You Don’t Know CAN Hurt You
Under the CCPA, penalties for non-compliance can include fines of up to $2,500 per violation, and not more than $7,500 for each intentional violation.1 A business has 30 days to respond to a written notice of a violation claim, and is given the chance to remedy the violation before fines are imposed.
Does the CCPA Apply to My Business?
Generally, a consumer under the CCPA means a natural person who is a California resident. The rights afforded under the CCPA apply to all consumers in this context. Therefore, any business who collects and/or processes information of California residents, whether these residents are your customers, prospects, employees, or otherwise, may be subject to the CCPA. For more details about who the CCPA impacts, read this article.
What Rights do Consumers Have Under the CCPA?
The CCPA provides consumers with five new rights regarding their personal information:
- The right to request information on your business’ data collection, processing, and usage as it applies to them specifically. This includes what categories of information businesses have collected and if the information was disclosed or sold to third parties.
- The right to request a copy of any information businesses have collected about them during the previous 12 months.
- The right to have their information deleted (with some exceptions).
- The right to request that their information not be sold to third parties.
- The right to not be discriminated against because they have exercised any of these rights.
How does Tuition support you in complying with CCPA?
As your trusted financial management provider, Tuition provides industry standard security measures such as encryption, authentication, access controls, and auditing to support your CCPA requirements.
By working within this rigid set of technical and process controls, we believe you can incorporate Tuition into a CCPA compliant solution.
|CCPA Requires…||Tuition Responds…|
|Right to a Copy The right to request a copy of any information businesses have collected about them during the previous 12 months.||When you use Tuition as a payment vendor, you can quickly respond to requests for data access.|
|Right to be Forgotten The right to have their information deleted (with some exceptions).||Your data stored in Tuition are easily searchable, and based on the user’s permission level in Tuition, can be retrieved.|
|Full Document & Workflow Audit Under the CCPA, consumers have the right to request information on your data collection, processing, and usage procedures. Fully documenting how data is processed and transferred and for what reasons you have to do so will help you respond to these requests and ensure your procedures meet compliance requirements. Document who has access to the data at each stage of processing and transfer.||Tuition is designed to allow access via authenticated logins. In other words, data stored in Tuition are only accessible if you log into the service with another individual that must log into the service. Tuition employs an Activity Log that you can use to review:|
The CCPA wants you to think about privacy and data protection from the beginning, not as a bolted-on after-thought. Documenting your workflows is the first step to build privacy into your everyday business operations. Choose technology that supports streamlined, secure workflows for your business and create internal controls and processes to maintain the utmost security posture. This is commonly known as Privacy by Design, and includes:
- Limit Data: Only collect what is necessary.
- Limit Processing: Only process data for the purpose that it was collected for.
- Limit Access: Only authorized individuals should be able to access data.
- Impact Assessment: Conduct assessments for personal data that is high risk to individuals.
- Keep Reviewing: Keep checking the confidentiality, availability & resilience of your systems.
- Record Keeping: Note processing, data categories, erasure time, and storage locations.
While we are not a CCPA compliance consulting firm, we are happy to assist you in getting pointed in the right direction. Feel free to contact us at firstname.lastname@example.org for more insight.
At Tuition, we take the responsibility of protecting your personal sensitive data very seriously. We’ve engineered the Tuition service from the ground up to protect your valuable digital assets.
Tuition is built with a security-first mindset, and we never compromise. No decision is made without a conversation around security and we’re committed to our disciplined approach to protect your documents. We continually evaluate and seek to improve our security technology and procedures and our team works hard to ensure that Tuition’s single platform is the most secure way to confidently store your data.
Your Data is Secure While in Transit
All interactions with Tuition occur over an encrypted channel. We employ SSL to protect your passwords, and interactions with Tuition from eavesdropping.
Your Data is Secure While at Rest
Tuition encrypts your documents and all information stored in our databases at rest. The data is encrypted using AES-256.
How Your Data is Stored
Tuition is designed to allow access to data via authenticated logins. In other words, data stored in Tuition are only accessible if you log into the service. Tuition employs an Activity Log that you can use to review:
- What has been granted permissions to access your data?
- Who has actually accessed or changed?
Tuition classifies the information you store in Tuition into two categories: confidential data and sensitive data.
Confidential data includes the contents of bank account number, and password hashes. Confidential information is accessible by a limited number of Tuition employees; however, Tuition has processes and technologies which forbid access to that data without your express permission. Staff with this level of access are screened and trained on Tuition’s security controls designed to protect your privacy. Auditing mechanisms are in place to detect any violation of this policy.
Tuition uses the ISO Standard as an actionable framework to provide a robust security process. This standard is designed to protect sensitive information; however, Tuition employs this framework as a tool across all confidential information – including your documents. This framework provides us a security process that incorporates prevention, detection, and appropriate response to security incidents.
Tuition hosts your data using services provided by Amazon Web Services (AWS).
Amazon Web Services are trusted and relied upon all over the world to provide highly secure and scalable infrastructure.
Your Data is Securely Backed Up
Your data and metadata are always stored using highly redundant replicated storage provided by Amazon Web Services (AWS). Multiple copies of metadata and data are stored in multiple geographical locations and backed up regularly to ensure availability.