ScrubCampus

Security & Compliance

Effective: January 1, 2026
Updated: January 1, 2026

TL;DR: We use enterprise-grade security: AES-256 encryption, TLS 1.3, MFA, and regular audits. We comply with FERPA, GDPR, CCPA, and maintain HIPAA-ready practices. Report vulnerabilities to security@scrubcampus.com.

Security Commitment

At ScrubCampus, protecting your data is our highest priority. As a platform trusted by nursing students, educators, and healthcare institutions, we understand the sensitive nature of educational data and the importance of maintaining the highest security standards.

Our security program is designed around the principle of defense in depth, implementing multiple layers of protection to safeguard your information.

Infrastructure Security

Encryption

Protection LayerStandardDetails
Data in TransitTLS 1.3HTTPS enforced via HSTS, forward secrecy enabled
Data at RestAES-256Database encryption, encrypted backups with separate keys
Key ManagementSecure KMSKeys managed through secure key management services

Cloud Hosting

Our infrastructure is hosted on enterprise-grade cloud platforms that maintain:

CertificationStatus
SOC 2 Type IICertified
ISO 27001Certified
Third-party Security AssessmentsRegular
Physical SecurityBiometric access, 24/7 monitoring

Network Security

MeasureProtection
Web Application Firewall (WAF)Common attack prevention
DDoS ProtectionService availability
Intrusion Detection/PreventionThreat monitoring
Network SegmentationComponent isolation

Access Controls

ControlImplementation
Role-Based Access (RBAC)Least privilege access
Multi-Factor AuthenticationRequired for admin access
Privileged Access ManagementSensitive operations
Audit LoggingAll sensitive data access logged
Regular Access ReviewsPeriodic deprovisioning

Application Security

Secure Development

Our development practices include:

  • Secure coding guidelines and training for all developers
  • Code review requirements for all changes
  • Static application security testing (SAST) in CI/CD pipeline
  • Dependency scanning for known vulnerabilities
  • Regular third-party penetration testing

Authentication and Authorization

FeatureStandard
Authentication ProtocolsOAuth 2.0, OpenID Connect
Session ManagementAutomatic timeout
Password RequirementsComplexity and uniqueness enforced
Enterprise SSOSAML 2.0 supported
Rate LimitingBrute force prevention

Data Protection

  • Input validation and output encoding prevent injection attacks
  • Content Security Policy (CSP) prevents cross-site scripting
  • Protection against CSRF, clickjacking, and other common attacks
  • Regular vulnerability assessments and remediation

Compliance

Quick Reference

RegulationStatusKey Points
FERPACompliantSchool official status, no re-disclosure
GDPRCompliantDPAs with SCCs available
CCPACompliantFull privacy rights supported
HIPAAReadyBAA available upon request
FERPA Details (U.S. Educational Institutions)
  • School Official Status: We operate as a “school official” under FERPA, with a legitimate educational interest in accessing student records
  • Data Use Limitation: Educational records are used only for the purposes specified by the institution
  • No Re-disclosure: We do not disclose personally identifiable information without consent except as permitted under FERPA
  • Security Safeguards: Technical, administrative, and physical safeguards protect education records
  • Data Processing Agreements: Our agreements with institutions include FERPA-compliant terms
GDPR Details (EU/UK/Switzerland)
  • Lawful Basis: We process personal data only when we have a valid legal basis
  • Data Minimization: We collect only the data necessary for our purposes
  • Purpose Limitation: Data is used only for specified, explicit purposes
  • Storage Limitation: Data is retained only as long as necessary
  • Data Subject Rights: We support rights to access, rectification, erasure, portability, and objection
  • Data Processing Agreements: We offer DPAs with Standard Contractual Clauses for international transfers
  • Data Protection Officer: Available at dpo@scrubcampus.com
CCPA Details (California Residents)
  • Right to Know: We disclose what personal information we collect and how we use it
  • Right to Delete: Users can request deletion of their personal information
  • Right to Opt-Out: We do not sell personal information
  • Non-Discrimination: We do not discriminate against users who exercise their privacy rights
  • Privacy Policy: Our Privacy Policy includes all required CCPA disclosures
HIPAA Details (Healthcare Organizations)

While ScrubCampus is primarily an educational platform and does not typically handle Protected Health Information (PHI), we maintain HIPAA-ready practices:

  • Technical Safeguards: Encryption, access controls, and audit logging
  • Administrative Safeguards: Policies, procedures, and training
  • Physical Safeguards: Secure hosting environment
  • Business Associate Agreements: Available for customers who require them

If your use case involves PHI, please contact us to discuss appropriate agreements.

Additional Standards

StandardCoverage
SOC 2 Type IISecurity, availability, and confidentiality
ISO 27001Information security management
NIST Cybersecurity FrameworkRisk management and security practices

Incident Response

PhaseActions
Detection24/7 monitoring, automated alerting, severity classification
ContainmentImmediate containment, root cause analysis, evidence preservation
NotificationWithin 72 hours, clear communication, regulatory notifications
RecoveryService restoration, post-incident review, preventive improvements

Vulnerability Reporting

We welcome responsible security research and will not take legal action against researchers who make a good faith effort to follow these guidelines.

How to Report

Email: security@scrubcampus.com

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any suggested fixes (optional)

Our Response

TimelineAction
Within 48 hoursAcknowledgment
OngoingRegular updates on remediation
After fixRecognition in security hall of fame (if desired)

Scope

In ScopeOut of Scope
ScrubCampus web applicationPhysical attacks
ScrubCampus APIsSocial engineering on employees
Authentication systemsDenial of service attacks
Third-party services

Data Processing Agreements

When You Need a DPA

SituationNeed DPA?
U.S. educational institution (FERPA)Yes
Processing EU resident data (GDPR)Yes
Organizational policy requires itYes
Individual user accountNo

Request a DPA

Email: legal@scrubcampus.com

Include: organization name, contact information, and any specific requirements.

Contact Us

TeamEmailFor
Securitysecurity@scrubcampus.comVulnerabilities, security inquiries
Privacyprivacy@scrubcampus.comData protection inquiries
DPOdpo@scrubcampus.comGDPR-related matters
Legallegal@scrubcampus.comDPAs, compliance documentation