 

SECURITY & COMPLIANCE

FOR WESTERN PSYCHOLOGICAL SERVICES

Security at WPS

Security is built in throughout the WPS eCommerce website and the Online Evaluation System. Maintaining a secure infrastructure and environment that safeguards data and protected health information (PHI) is the highest priority for our customers.

WPS has implemented an Information Security Program and a set of Security Controls that are automatically monitored in real time by utilizing a cloud-based security and compliance solution that helps organizations establish, maintain, and automatically monitor their Information Security Program.

 

We've Got You Covered

WPS security has many layers to keep information protected.


Security operations and best practices

Our security team approaches security holistically based on industry best practices and aligned to a common controls framework. Security threats are prevented using 24/7 security monitoring, secure software development practices, and industry-accepted operational practices.


Platform and network security

We perform rigorous security testing including threat-modeling, automated scanning, and third-party audits. If an incident occurs, we resolve the issue quickly using our security incident response practices and keep you informed.


Availability and continuity

We maintain high levels of availability with multiple availability zones and robust Disaster Recovery and Business Continuity programs. Physical access to our data centers is strictly controlled with comprehensive security measures by our data center hosting partners.

  • 24/7 monitoring by expert SOC Team (Security Operations Center)
  • Encryption In-Transit (TLS v1.2)
  • Encryption At-Rest (AES-256)
  • Customer data segregation
  • Strict access control using Least Privilege Principle
  • Ongoing security education and awareness training
  • Ongoing network and application vulnerability scanning
  • Annual 3rd party penetration testing
  • Intrusion Detection & Prevention Systems (IDS/IPS)
  • AI-driven Security Information & Event Management (SIEM)
  • Web Application Firewalls (WAF) and network segmentation
  • Hosted at AWS, a leading and secure infrastructure provider
  • Highly available and redundant architecture
  • Automated scaling architecture
  • 99.99% uptime. No downtime for updates.
  • Tested Disaster Recovery and Business Continuity Plans

 

 

Trusted, shared security in the cloud

Data security is paramount for your organization. Our cloud architecture is built on Amazon Web Services (AWS) with an inherently strong data security infrastructure that delivers always-on services. AWS Cloud Services is a secure platform offering computing power, database storage, content delivery, and a variety of other services designed for scalability, resilience, and security. More information about AWS's cloud computing can be found here.

AWS is responsible for the security of the cloud system, and WPS is responsible for the security of the data it stores in the cloud. More details can be found here for the AWS Shared Responsibility Model.

 

 

Compliance at WPS

WPS is regularly audited by 3rd party organizations and follows strict standards and regulations in order to keep your information safe. We obtain industry-accepted attestations and adhere to current industry standards and regulations so you can feel confident that your company and client data remain secure and compliant.


Moving to the cloud means protecting sensitive workloads while achieving and maintaining compliance with complex regulatory requirements, frameworks, and guidelines. Our team is constantly working to expand coverage to help organizations meet compliance needs.

Our Compliance Reports and Adherence

Learn more about WPS's featured compliance adherence to a variety of industry regulations and government legislation.

SOC 2 Type 2

SOC 2 (System and Organization Controls) is a regularly refreshed report that focuses on non-financial reporting controls as they relate to security, availability, and confidentiality of a cloud service.

SOC 3

SOC 3 (System and Organization Controls) is a regularly refreshed report that focuses on internal controls as they relate to security, availability, and confidentiality of a cloud service.

HIPAA

HIPAA is a regulation developed by the U.S. Department of Health and Human Services designed to protect the privacy and security of an individual's Protected Health Information (PHI).

FERPA

The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. FERPA gives parents certain rights with respect to their children's education records.

COPPA

Children's Online Privacy Protection Act (COPPA) imposes certain requirements on operators of websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.

SOPIPA

The Student Online Personal Information Protection Act (SOPIPA), which came into effect in 2015, is a California state law which prevents online companies from compiling K-12 student data for marketing or advertising purposes.

CSA STAR Level 1

The Cloud Security Alliance (CSA) is the world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.

PCI-DSS SAQ A 3.2.1

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.


 

Related Resources

Check out these resources to learn more about WPS's data privacy, security, and other useful information.

Privacy Policy

Your privacy is important to us, and so is being transparent about how we collect, use, and share information about you.

Terms of Use

These Terms of Use describe your rights and responsibilities as a customer of our products.

Technical Support

Here you will find lots of information that can help you quickly resolve a technical problem on your own.

General WPS Support Online Evaluation System Help

WPS Test Security Position Statement

A psychologist shall not reproduce or describe in public or in publications subject to general public distribution any psychological tests or other assessment devices, the value of which depends in whole or in part on the naivete of the subject, in ways that might invalidate the techniques; and shall limit access to such tests or devices to persons with professional interests who will safeguard their use.

Contact Us

Email: Customer Service
Call: 424.201.8800 or 800.648.8857 (U.S. and Canada only) Monday through Friday 6 a.m. - 4 p.m. PST

For Compliance & Security specific concerns: Email: WPS Compliance Team

SOC 2 Type 2

WPS's SOC 2 Type 2 report validates our security, availability, and confidentiality controls. We perform an annual third-party audit to certify that we've implemented controls that operate effectively to meet the objectives of the AICPA Trust Services Principles.

System and Organization Controls (SOC) 2 reports are independent third-party examination reports that demonstrate how an organization achieves key compliance controls and objectives.

SOC 2 reports are based on the Auditing Standards Board of the American Institute of Certified Public Accountants' (AICPA) existing Trust Services Criteria (TSC). The purpose of the report is to evaluate an organization's information systems relevant to security, availability, processing integrity, confidentiality, and privacy.

The SOC 2 report concludes with the independent third-party audit firm's opinion, which describes the organization's system and assesses the fairness of the organization's description of controls. The audit firm's opinion also evaluates whether the organization's controls are designed appropriately, were in operation on a specified date, and were operating effectively over a specified time period.

SOC 2 and SOC 3 reports are both attestation examinations conducted in accordance with the SSAE 18 standard, specifically sections AT-C 105 and 205, governed by the AICPA. The main difference is that a SOC 2 is a restricted use report and a SOC 3 is a public-facing report.

The SOC 2 Type 2 Report is a restricted use report. Only customers who are required to have a copy for compliance, regulatory or security assessment purposes may request one after executing a non-disclosure agreement (NDA). Please email compliance@wpspublish.com for details.

 

 

SOC 3

The System and Organization Controls (SOC) 3 reports are independent third-party examination reports that demonstrate how an organization achieves key compliance controls and objectives.

SOC 3 reports are based on the Auditing Standards Board of the American Institute of Certified Public Accountants' (AICPA) existing Trust Services Criteria (TSC). The purpose of the report is to provide a publicly facing version of the SOC 2 attestation report for customers who need assurances about a service organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy, but do not require a full SOC 2 report. SOC 3 reports can be freely distributed because they are general use reports.

A SOC 3 report contains a written assertion by service organization management regarding control effectiveness to achieve commitments based on the applicable trust services criteria, as well as the service auditor's opinion on whether management's assertion is stated fairly.

SOC 2 and SOC 3 reports are both attestation examinations conducted in accordance with the SSAE 18 standard, specifically sections AT-C 105 and 205, governed by the AICPA. The main difference is that a SOC 2 is a restricted use report and a SOC 3 is a public-facing report.

Click here to download the SOC 3 Report.

 

 

HIPAA

WPS provides comprehensive privacy and security protections that enable our customers to operate our products in compliance with HIPAA. These include:

  • Security measures for protecting PHI
  • Assessments for reasonable remediation or mitigating controls of addressable HIPAA Security Rules
  • Annual HIPAA Security Attestation, Gap Assessment, and Security Risk Analysis
  • Annual 3rd party review and attestation of HIPAA Security policies and procedures
  • Security awareness content regarding the protection of ePHI, and
  • Designation and role definition of a HIPAA Security Officer.

The Health Insurance Portability and Accountability Act (HIPAA) is a regulation developed by the U.S. Department of Health and Human Services designed to protect the privacy and security of an individual's Protected Health Information (PHI). The HIPAA Security Rule was established to protect individuals' health information and ensure the security, integrity, and confidentiality of this data. HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses, as well as other third parties, known as “Business Associates”, that create, receive, maintain, or send PHI.

Customers who are subject to HIPAA compliance and want to partner with WPS can enter into a Business Associate Agreement (BAA) that covers the applicable products and services. For more information on the signed BAA, please email compliance@wpspublish.com.

 

 

Cloud Security Alliance (CSA) STAR Level 1

WPS has attained the CSA's STAR Level 1 Self-Assessment, which is an assessment that maps our security controls against security standards, regulations, and controls from industry-accepted outfits like ISO 27001/27002/27017/27018, NIST SP 800-53, AICPA TSC, BSI C5, PCI DSS, ISACA COBIT, NERC CIP, FedRAMP, CIS and many others.

The Cloud Security Alliance (CSA) is the world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. Founded in 2013 by the Cloud Security Alliance, the Security Trust Assurance and Risk (STAR) registry encompasses key principles of transparency, rigorous auditing, and cloud security and privacy best practices.

The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings.

STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM). Publishing to the registry allows organizations to show current and potential customers their security and compliance posture, including the regulations, standards, and frameworks they adhere to.

Here is a link to the CSA STAR Registry listing for WPS - WPS CSA Star Registry Listing.

 

 

Children's Online Privacy Protection Act (COPPA)

WPS follows the requirements of the Children's Online Privacy Protection Act (COPPA).

Children should not provide any personal information without permission from their parent, guardian, or teacher. We do not condition children's participation in an online activity on the disclosure of more information than is reasonably necessary to participate in the activity. We do not share children's information with outside third parties not bound by the WPS Privacy Policy, or otherwise inconsistent with the requirements of COPPA.

If you are a Parent or Legal Guardian and would like to review any personal information that we have collected online from your child, have this information deleted, and/or request that there be no further collection or use of your child's information, or if you have questions about these information practices please email compliance@wpspublish.com.

For more information regarding COPPA and online privacy, please see the COPPA website.

 

 

Student Online Personal Information Protection Act (SOPIPA)

WPS is a SOPIPA-compliant vendor and adheres to the following requirements under this act:

  • Does not use any data collected via our services to target ads to students
  • Does not create advertising profiles on students
  • Does not sell student information
  • Does not disclose information, unless required by law or as part of the maintenance and development of your service
  • Uses sound information-security practices, which often include encrypting data and other security industry best practices
  • Will delete data that we have collected from students in a school when the school or district requests it
  • Shares information only with educational researchers or with educational agencies performing a function for the school
  • Innovates safely without compromising student privacy by only using de-identified and aggregated data as we develop and improve our service.

The Student Online Personal Information Protection Act (SOPIPA), which came into effect in 2015, is a California state law which prevents online companies from compiling K-12 student data for marketing or advertising purposes.

For more information regarding SOPIPA, please see details here at the CA Legislative Information website.

 

 

Family Educational Rights and Privacy Act (FERPA)

WPS is a FERPA-compliant vendor and adheres to the following requirements under this act:

  • Does not use any data to advertise or market to students or use data for any purpose other than the specific purpose(s) outlined in the WPS Terms of Use and Privacy Policy
  • Does not change methods on how data is collected, used, or shared under the WPS Terms of Use and Privacy Policy in any way without advance notice to, and consent from customers
  • Only collects data necessary to fulfill requirements necessary to utilize our services
  • Only uses data for the purpose of fulfilling its duties and providing and improving services
  • Does not share data without prior written consent of the user except as required by law
  • Will delete or de-identify personal information when it is no longer needed, upon expiration or at termination of our agreement with an educational institution
  • The educational institution retains full ownership rights to the personal information and education records it provides to WPS
  • Will share and make available upon request any student data stored from the educational institution
  • WPS stores and processes data in accordance with industry best practices, including but not limited to the following:
    • Conducts periodic risk assessments
    • Remediates any identified security vulnerabilities in a timely manner
    • Has a formal incident response plan that includes prompt notification in the event of a security or privacy incident
    • Has strict access control using Least Privilege Principle
    • Performs ongoing security education and awareness training for WPS staff

The Family Educational Rights and Privacy Act (FERPA) is a federal law that affords parents the right to have access to their children's education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records. When a student turns 18 years old, or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student.

For more information regarding FERPA, please see details here at the U.S. Department of Education website.

 

 

Payment Card Industry Data Security Standards Validation - SAQ A 3.2.1

The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination, and implementation of security standards for account data protection. The Standards Council was established by the major credit card associations (Visa, MasterCard, American Express, Discover, JCB) as a separate organization to define appropriate practices that merchants and service providers should follow to protect cardholder data. It is this council of companies that created the Payment Card Industry (PCI) Data Security Standards (DSS).

PCI DSS is a set of network security and business best practices guidelines adopted by the PCI Security Standards Council to establish a “minimum security standard” to protect customers’ payment card information. The scope of the PCI DSS includes all systems, networks, and applications that process, store, or transmit cardholder data, and systems that are used to secure and log access to the systems in scope.

Based on the information provided by WPS involving its security policies, procedures, and regulations, SecurityMetrics has found the merchant to be compliant with the Payment Card Industry Data Security Standards (PCI DSS), endorsed by Visa, MasterCard, American Express, Discover, and JCB card brands.

Click here to download our Certificate of PCI DSS Merchant Compliance.