FERPA Compliance

---

Protecting your student identifiable information and data is a core value informing our development. In addition to our participation in the CT Student Data Privacy Pledge, we are listed/approved at the CT Education Technology Hub.

We individually encrypt each field of student identifiable information - first from last name, grade, etc. When students are being served by BRTI, each field that could relate to the identity of the student is mathematically changed so that it can only be read by a complementary decryption algorithm and secret key. 

AES256 was selected from multiple security algorithms to protect the data in the BRTI database because of its effectiveness and usage by federal government agencies to protect sensitive and top-secret information. The AES256 encryption algorithm is the first (and only) publicly accessible cipher approved by the U.S. National Security Agency (NSA) for top secret information.

BRTI incorporates multiple security features to ensure the data being transferred is secure. This is accomplished through an ordered flow:

1. Every request/response to the BRTI cloud application is encrypted over the internet using TLS (Transport Layer Security). This is the industry standard security employed by every secure website on the internet, including banks and financial institutions. 
2. Each function that requires sending or retrieving data across has an independent secret key that is only known to the client application. This key accompanies each call to prove to the server the application calling the endpoint is the BRTI client. Any other application or user that tries to access one of the BRTI  cloud endpoints will be rejected before any processing by the server logic is required. 
3. The IP address of the user is compared to the original IP address of the user when they logged in. This also prevents snooping attacks. If someone manages to intercept the requests on the network and use the associated information to call a BRTI cloud endpoint, the requests will be rejected because the IP will not match the IP address used when the user logged in. Because of this requirement, the user has to login before further access any of the BRTI cloud functionality is allowed. 
4. The user’s credentials are verified with each request prior to any BRTI logic to ensure that the user is a legitimate and authorized user of BRTI. 

Every request made to the BRTI cloud system verifies the user and decides if the user has permission to execute the requested function. BRTI operations are also protected by "Role-Based Security." Teachers, administrators, and behavior intervention leaders are assigned roles designating different access and function.

BRTI also protects students from being accessed by school staff without a "legitimate educational interest." Each student profile has a team of staff specified by administrators who can access the student. This prevents unauthorized persons from seeing or manipulating the data of students they don't serve.

Student privacy and security is a foundation of BRTI's systems, and we continuously evaluate and improve security through development and testing.