Data security and privacy at Ellucian

As a software company, data security and privacy are of utmost importance to us. Improper use of or access to data can result in negative consequences for our employees, customers, partners, and communities and lead to a loss in revenue, trust, and privacy. At Ellucian, we rely on our data security and privacy policies and practices to drive behavior, enforce rules, and provide guardrails to ensure protection of our data assets. Our global team of information security and cloud experts work 24/7 to keep our customers’ data private and secure.

Our information security program is modeled on the ISO 27001 Information Security Management System framework. Ellucian Cloud Services achieved its ISO27001:2013 certification in 2021. The ISO certification demonstrates Ellucian’s commitment to security across its products and cloud services and demonstrate the effectiveness of our security controls. We are also compliant with several international industry security standards and regulations for cloud platform solutions.

Rigorous testing is critical before our software is released to the market. Each year, an independent audit firm conducts our annual Service Organization Control (SOC) audits. The SOC1 and SOC2 Type II reports are available to customers for review upon request and execution of a non-disclosure agreement.

Ellucian partners with third-party vendors annually to perform penetration testing to assess the security of our Cloud solutions environments and applications. We conduct ongoing crowdsourced testing through a private bug bounty program where our products are continuously tested by expert ethical hackers and managed by HackerOne.

Our Responsible Disclosure Policy values and honors the assistance of security researchers and others in the security community in keeping our systems secure. The disclosure of security vulnerabilities to Ellucian helps us keep our information safe. We thank those who have helped so far by honoring them on our Security Researcher Hall of Fame.

We have robust formal data security and privacy processes and programs through which we identify potential risks in those areas; develop, implement, and monitor compliance with policies related to those areas; and provide regular mandatory training and awareness on these topics. Ellucian’s privacy notice describes our privacy practice in greater detail.

In 2021, we enhanced our Distributed Denial of Service (DDoS) protection capabilities and mitigated several potential attacks. To learn more about our key infosec practices, please read our cloud security paper which goes into greater detail about all our data security and privacy initiatives.