VeriCite® Security Policy v4.5

The security of Our clients’ data is paramount. In the course of providing services, we receive, store and manage data that may contain personally identifiable information that may be restricted from disclosure under one or more provisions such as FERPA (US Family Educational Rights and Privacy Act) or HIPAA (US Health Insurance Portability and Accountability Act), or rules such as COPPA (US FTC’s Children’s Online Privacy Protection Act). We treat ALL information from our clients as confidential. We protect client information with the same measures we use to protect our own information. We do not share any client information with anyone without express written permission from you.

1.1. Data access

1.1.1. General

1.1.1.1. Data access will be limited to VeriCite® employees with a "need to know" and controlled by you. You will maintain accurate authentication and authorization data to determine access within VeriCite®.  We are not responsible for the security of your authentication services or your passwords that are compromised outside of VeriCite®.

1.1.1.2. All VeriCite® data are stored at Amazon Web Services (AWS) regional data centers in the United States.  VeriCite follows AWS Security Best Practices.

1.1.2. Physical access

1.1.2.1. Physical access to the AWS data centers at which the Services are hosted is strictly controlled by AWS, following the AWS Security Best Practices.  Only AWS employees have physical access; VeriCite employees do not have physical access to the AWS data centers at which the Services are operated. 

1.1.3. Virtual access

1.1.3.1. VeriCite Employees have only virtual access to Your data and Services. All exchanges of your data, including all network connections to VeriCite®, will take place using encrypting protocols over secure network connections. All endpoints (ours and yours) must maintain current certificates. Only under exceptional circumstances should VeriCite® employees store or transport any client data on personal or company-provided mobile devices (laptops, netbooks, smartphones, portable storage devices, etc.). If such storage is needed, data shall be stored for as little time as possible and always encrypted in transport and at rest and password protected. Any exceptions must be reported immediately to VeriCite® management.

1.1.3.2. VeriCite® employees’ access to your services is managed through a centralized LDAP authentication service. This provides a single point of management for VeriCite® staff access as well as convenience so that staff can follow strict credentialing requirements in the VeriCite® Employee Handbook which must be accepted as part of the VeriCite® terms of employment.

1.1.3.3. Access to your data of all types will end immediately upon termination of employment with VeriCite®.

1.1.3.4. Our email and shared document services are hosted by Google Apps for Business, access to which requires two-factor authentication.  Our operational file store is encrypted in transit and at rest.

1.2. Security standards

1.2.1. Our computers and systems, including those used by VeriCite® employees in the conduct of their work, will be protected by acceptable industry practices for antivirus, firewalls, and network and system intrusion detection systems.

1.2.2. All systems used in the storage, processing, transmittal and display of Your data must have operating systems that are current in release, with unneeded services disabled, with default administrator access shut off, and with all critical security patches updated within 24 hours after the release of the patch.

1.2.3. We conduct routine event monitoring, promptly investigate suspicious incidents and respond accordingly.

1.2.4. SOC1-2-3 audit certifications are conducted annually on the AWS infrastructure that VeriCite uses. All SOC1, SOC2 and SOC3 reports are available online.

1.2.5. We conduct routine security assessments for vulnerabilities (buffer overflows, open ports, unnecessary services, input filtering, cross-site scripting vulnerabilities, SQL injection vulnerabilities, and any other well-known vulnerabilities). Identified issues will be fixed or mitigated within thirty (30) days of the report.

1.2.6. All VeriCite® services that send or receive Your Confidential Information or Your Covered Content must utilize appropriate encryption methods (SSL, sFTP, VPN, etc.).   All network connections to VeriCite® must be encrypted. Clear text transactions are not permitted.

1.3. Changes to the policy

1.3.1. This policy may be updated from time to time. Updates will become effective as soon as they are published at www.vericite.com/security. If there are any material changes to these policies, You will be notified by email prior to the change being published and becoming effective. Your continued use of VeriCite® Services or websites constitutes your agreement to be bound by such changes to the policy. Your only remedy, if you do not accept the updated terms of a VeriCite® policy, is to discontinue use of the VeriCite® Service and VeriCite® websites.

1.4. Definitions

1.4.1. Confidential Information: means the information that you have provided to us as part of the contracting or purchasing process.  By example, this would include names, addresses, email addresses, phone numbers, account numbers, purchase orders, and other information that is not included in Your Covered Content.  Confidential Information would also include the terms and pricing of the VeriCite® Service under this Agreement, Your Covered Content and all information clearly identified as confidential at the time of its disclosure.

1.4.2. Your Covered Content: means all VeriCite® service data that you, your agents or your end users provide to us as part of the process of detecting and reporting plagiarism.  By example, this would include student submissions, course IDs and titles, student first and last names, student email addresses, grades, student ID in the LMS, user roles, and comments and annotations that may be attached to report results.

1.4.3. Us, We, Our and related terms mean the company named VeriCite, Inc., which developed and hosts the VeriCite® Service, as represented by Our employees.

1.4.4. You, Your and related terms mean the subscribing entity and all affiliated personnel who use the VeriCite® Service. By example, You would mean the college, school district, university or company whose Agents and End Users access the VeriCite® Service.