We protect student and teacher data using industry-standard safeguards aligned with the NIST Cybersecurity Framework and security best practices. This page summarizes how we secure the Ellii platform, how data flows through our infrastructure, and which trusted sub-processors help us deliver the service.
Our security commitment
We protect student and teacher data using industry-standard safeguards aligned with the NIST Cybersecurity Framework and security best practices. Security is built into how we design, host, monitor, and operate the Ellii platform. Every member of our team is trained to handle customer data with care.
We continuously review our controls so they keep pace with evolving threats and the privacy expectations of the schools, districts, and educators we serve.
Encryption in transit & at rest
All traffic to our platform is encrypted in transit using HTTPS / SSL, so data exchanged between users' browsers and our servers cannot be intercepted during transit.
All stored data is encrypted at rest with AES-256 block-level encryption. This applies to our primary database, object storage, and encrypted backups.
Hosting & data residency
Our platform is hosted on Heroku in AWS us-east-1 (Northern Virginia), with additional storage in AWS S3 in the same region. We do not allow data transit or storage outside of these systems.
Heroku's underlying infrastructure is supported by an audited security program with industry certifications including ISO 27001, SOC 1, SOC 2 / SSAE 16 / ISAE 3402, PCI Level 1, FISMA Moderate, and SOX.
Access controls
Access to data is restricted through password-protected, role-based access controls that follow the principle of least privilege. Staff only receive the access required to perform their role, and that access is reviewed regularly.
Administrative access requires strong authentication and is audited. Production systems are separated from development environments, and customer data is never copied into non-production environments.
Monitoring & threat detection
We use a Web Application Firewall (WAF) together with monitoring tools to detect malicious traffic and unusual activity. Alerts are routed to our on-call engineering team for rapid investigation.
Logs from our application, infrastructure, and security tooling are retained for forensic review and continuous improvement of our detection rules.
Backups & disaster recovery
Backups are encrypted and created regularly. Restores are periodically tested to ensure that we can recover within our recovery-time and recovery-point objectives in the event of a disruption.
Our Disaster Recovery and Incident Response plan documents the steps our team follows to contain, communicate about, and resolve any security event.
Sub-processors
Ellii works with a small number of trusted vendors ("sub-processors") who help us host, operate, and support the service. Each sub-processor is bound by data-processing terms requiring them to meet privacy and security standards equivalent to our own.
The table below lists the sub-processors currently in use, the nature of their service, the data we share with them, and how to contact them. We will update this list when we add, remove, or change vendors who process customer data.
| Name | Nature | Data shared | Location | Contact |
|---|---|---|---|---|
| HelpScout | Email platform; Help Docs | Name, email, any info that is provided to us through email; communication | US | privacy@helpscout.com |
| Recurly | Process recurring billing | Name, email, org address, country, phone, billing information | US | privacy@recurly.com |
| Pipedrive | Prospect and customer relationship management | Name, email, org address, country, phone, billing information | US | privacy@pipedrive.com |
| PayCove | Invoicing | Name, email, org address, country, phone, billing information | US | admin@paycove.io |
| Stripe | Payment Manager | Name, email, billing address, payment details | US | privacy@stripe.com |
| Customer.io | Email marketing | Name, email, notifications and system functions such as user invitations, password reset. | US | privacy@customer.io |
| AWS | Cloud infrastructure | No access to data in normal course of business | US | Not applicable — no access to customer data |
| Heroku | Platform as a service | Data is encrypted; no access to data in normal course of business | US | Not applicable — no access to customer data |
| FusionAuth | Authentication | Name, email, password | US | privacy@fusionauth.io |
Available documents on request
To support security and procurement reviews at your school or district, we can share the following documents on request:
- HECVAT (Higher Education Community Vendor Assessment Toolkit)
- System architecture diagram
- A current DAST scan (Dynamic Application Security Testing)
- Information Security Policy
- Disaster Recovery and Incident Response plan
To request any of these documents, contact us at hello@ellii.com or via ellii.com/contact.
Questions about this policy?
You can reach out to our team. We're happy to help clarify anything!