Enterprise-Grade Data Security

Eight Independent Layers of Defense-in-Depth Protection

No Data Breaches... EVER!

Perfect security record protecting millions of student records with military-grade encryption

SOC 2 Type II Certified at All Tiers • Cloudflare Edge Protection • Annual Third-Party Audits

Three-Tier Defense-in-Depth Architecture

VisionQuest 20/20's EyeSpy platform implements a comprehensive eight-layer security architecture built on SOC 2 Type II certified enterprise infrastructure at all tiers. Unlike typical EdTech platforms that rely on just 1-2 security layers, our defense-in-depth approach ensures that even if one layer were compromised, seven additional layers continue protecting student data.

Our three-tier architecture with edge-level vendor diversification—Cloudflare edge protection (separate company), DigitalOcean Droplet (application tier), and DigitalOcean Managed Database (data tier)—follows security practices used by major financial institutions. This multi-tier design ensures that compromise of one tier cannot provide access to the others, with origin IP hidden behind Cloudflare's global network.

8 Security Layers • 3 Tiers • Zero Breaches

Security & Reliability Metrics

Enterprise-grade protection verified by independent auditors

  • Millions: Student Records Protected (100% encryption coverage)
  • 99.99%: Uptime SLA (Enterprise availability)
  • <1 min: Automatic Failover (Hot standby replication)
  • 24/7: Dual-Layer Monitoring (Internal + external oversight)

Eight Independent Security Layers

Each layer provides complete protection on its own. Together, they create unmatched defense-in-depth security.

Layer 1: Web Transport Security

Dual-Layer TLS 1.3: All traffic is encrypted on both hops, from the client to the Cloudflare edge and again from the edge to the origin server, with Perfect Forward Secrecy.

  • TLS 1.3 with AES-256-GCM
  • Cloudflare edge + DigiCert origin
  • X25519 key exchange
  • Full (Strict) SSL mode

Layer 2: Application Security

Cloudflare WAF + Application Controls: Enterprise WAF with managed rulesets, plus comprehensive input validation and authentication.

  • Cloudflare Web Application Firewall
  • SQL injection prevention
  • XSS/CSRF protection
  • Developer panel detection

Layer 3: Database Connection Security

Encrypted Database Transport: All database connections use enforced SSL/TLS encryption with automatic retry logic.

  • MySQL SSL/TLS 1.3 enforced
  • TLS_AES_256_GCM_SHA384
  • Client-side enforcement
  • Connection resilience (5 retries)

Layer 4: Data-at-Rest Encryption

LUKS Volume Encryption: All storage volumes are encrypted with military-grade AES-256-XTS encryption.

  • AES-256-XTS encryption
  • 512-bit encryption keys
  • Automatic key rotation
  • Physical theft protection

Layer 5: Document Encryption

Zero-Knowledge Encryption: Parent-uploaded documents are encrypted so even VisionQuest cannot decrypt them without student credentials.

  • AES-256-GCM encryption
  • PBKDF2-SHA256 key derivation
  • 100,000 iteration protection
  • Zero-knowledge architecture

Layer 6: Access Controls

Role-Based Access Control: Strict least-privilege access ensures users only see data they're authorized to access.

  • 5-tier RBAC system
  • School-level data isolation
  • Complete audit logging
  • Least privilege enforcement

Layer 7: Administrative Security

4-Layer Admin Protection: Physical machine access, application protection, platform 2FA, and encryption keys all required.

  • SSH tunnels with RSA-4096/Ed25519
  • 2FA on all admin platforms
  • Key-based authentication only
  • AppCrypt application protection

Layer 8: Network Access Controls

Three-Tier Network Protection: Cloudflare edge filtering, UFW firewall, and Trusted Sources database whitelist.

  • Cloudflare DDoS (300+ Tbps)
  • Origin IP hidden
  • UFW + Fail2Ban intrusion prevention
  • Trusted Sources IP whitelist

Three-Tier Architecture with Edge Protection

Enterprise architecture with vendor diversification at the edge

Cloudflare Edge Security (Tier 0)

All traffic passes through Cloudflare's global network (300+ data centers) before reaching our infrastructure. This provides multi-terabit DDoS protection, Web Application Firewall filtering, and hides our origin server IP from attackers—operated by a completely separate company for true vendor diversification.

300+ Tbps DDoS Protection • Origin IP Hidden • SOC 2 Type II Certified

Application & Database Tiers

Our application runs on a hardened DigitalOcean Droplet with UFW firewall, Fail2Ban intrusion prevention, and automatic security updates. The database operates on DigitalOcean Managed Database with Trusted Sources firewall allowing only the application tier to connect—ensuring database compromise requires breaching multiple independent systems.

Logical Separation • Trusted Sources Firewall • Blast Radius Containment

SOC 2 Type II Certified at All Tiers

Both Cloudflare and DigitalOcean maintain SOC 2 Type II certification, audited annually by Schellman & Company. This provides independent third-party verification of security controls across our entire infrastructure stack—not just one component.

Cloudflare Certified • DigitalOcean Certified • Annual Audits

High Availability & Disaster Recovery

Hot standby database nodes with real-time replication ensure automatic failover in under one minute. Encrypted backups with AES-256-CTR provide recovery point objectives (RPO) of less than one minute, protecting against data loss. Dual-layer monitoring (internal dashboard + New Relic external) ensures alerts even during complete infrastructure failure.

<1 Min Failover • Hot Standby Nodes • Dual-Layer Monitoring

Advanced User Security Features

Protecting accounts with industry-leading authentication

Two-Factor Authentication (2FA)

SMS-based two-factor authentication is mandatory for superuser accounts and available for all school users. District administrators can require 2FA for their staff. 2FA is also required on all administrative platforms (DigitalOcean, Cloudflare, CloudPanel)—a security posture rare in K-12 EdTech.

Breached Password Screening

Integration with the Have I Been Pwned API automatically checks passwords against billions of known breached credentials, preventing users from choosing compromised passwords. This is combined with a NIST SP 800-63B aligned password policy (8-character minimum, no forced complexity or expiration).
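A breached-password check of this kind, sketched as an added example (not VisionQuest's code). It assumes the Pwned Passwords k-anonymity range lookup, where only the first five hex characters of the password's SHA-1 hash are sent; `fetchRange` and the stand-in response are hypothetical, constructed so the example runs offline.

```javascript
// Added example, not VisionQuest's code. Assumes the Pwned Passwords
// range lookup; fetchRange and the sample response are constructed.
const crypto = require('crypto');

const MIN_LENGTH = 8; // from the page: 8-character minimum, no complexity rules

// Split the SHA-1 hash so that only the 5-character prefix leaves the server.
function rangeQuery(password) {
  const hash = crypto.createHash('sha1').update(password, 'utf8')
    .digest('hex').toUpperCase();
  return { prefix: hash.slice(0, 5), suffix: hash.slice(5) };
}

// The range response body is one "SUFFIX:COUNT" entry per line.
// Padding entries carry a count of 0 and must not count as a hit.
function breachCount(responseBody, suffix) {
  for (const line of responseBody.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) {
      return parseInt(count, 10) || 0;
    }
  }
  return 0;
}

// fetchRange(prefix) returns the response body for that prefix. In a live
// integration it would GET https://api.pwnedpasswords.com/range/<prefix>.
function screenPassword(password, fetchRange) {
  if (password.length < MIN_LENGTH) return { ok: false, reason: 'too_short' };
  const { prefix, suffix } = rangeQuery(password);
  const count = breachCount(fetchRange(prefix), suffix);
  return count > 0 ? { ok: false, reason: 'breached', count } : { ok: true };
}

// Constructed offline stand-in: lists "password" as breached (count is made up),
// plus one filler entry and one zero-count padding entry.
function fakeFetchRange(prefix) {
  const known = rangeQuery('password');
  const lines = ['0018A45C4D1DEF81644B54AB7F969B88D65:3',
                 '00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0'];
  if (prefix === known.prefix) lines.push(`${known.suffix}:9999`);
  return lines.join('\r\n');
}
```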

Account Lockout Protection

Configurable account lockout thresholds protect against brute-force attacks. Combined with bcrypt/Argon2 password hashing and Fail2Ban intrusion prevention, accounts remain secure even under sophisticated attacks.

Parent Privacy-by-Design

Parents access the portal without creating accounts—using schoolID + studentID + DOB + initials. No credentials are stored, meaning nothing to steal, phish, or breach. This eliminates credential theft risk entirely for parent access.

Innovative Security Features

Industry-leading capabilities rarely seen in K-12 EdTech

Vision GPS AI Assistant

Our AI-powered multilingual parent assistant is designed with privacy-by-design principles. Vision GPS specifically rejects personally identifiable information in conversations—if a parent attempts to share names, addresses, or health details, the system politely redirects without storing the attempted disclosure. The AI is completely isolated from student screening records.

PII Rejection • Complete Isolation • Multilingual Support

Zero-Knowledge Document Sharing

The first K-12 platform with true zero-knowledge encryption for parent document uploads. Files are encrypted using AES-256-GCM with keys derived from student credentials (PBKDF2-SHA256, 100,000 iterations). VisionQuest cannot decrypt these documents without the original credentials—providing the strongest possible privacy protection.

AES-256-GCM • Zero-Knowledge • Double Encrypted
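The scheme described above (AES-256-GCM with a key derived from student credentials via PBKDF2-SHA256, 100,000 iterations), as an added example that is not VisionQuest's code. The credential fields, their canonical string form, and the stored blob layout (salt, nonce, tag, ciphertext) are assumptions made for illustration.

```javascript
// Added example, not VisionQuest's code. Field names, the credential
// string layout and the blob layout (salt|iv|tag|ciphertext) are assumptions.
const crypto = require('crypto');

const ITERATIONS = 100000; // from the page: PBKDF2-SHA256, 100,000 iterations
const KEY_LEN = 32;        // 256-bit key for AES-256-GCM

// Canonicalise the credential fields so the same inputs always give the same key.
function credentialString({ schoolId, studentId, dob, initials }) {
  return [schoolId, studentId, dob, initials.toUpperCase()].join('|');
}

// The server never stores this key; its strength is bounded by how hard
// the credential string is to guess, so the iteration count matters.
function deriveKey(creds, salt) {
  return crypto.pbkdf2Sync(credentialString(creds), salt, ITERATIONS, KEY_LEN, 'sha256');
}

function encryptDocument(plaintext, creds) {
  const salt = crypto.randomBytes(16); // per-document salt, stored in the clear
  const iv = crypto.randomBytes(12);   // 96-bit GCM nonce, fresh for every document
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(creds, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]);
}

// Returns the plaintext Buffer, or null when the credentials are wrong or the
// blob was modified: the GCM tag check fails in both cases.
function decryptDocument(blob, creds) {
  if (blob.length < 44) return null;   // 16 salt + 12 nonce + 16 tag
  const salt = blob.subarray(0, 16);
  const iv = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const ct = blob.subarray(44);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(creds, salt), iv);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]);
  } catch (err) {
    return null;
  }
}

// Constructed sample values.
const creds = { schoolId: 'SCH-0001', studentId: 'STU-12345', dob: '2015-04-09', initials: 'jd' };
const blob = encryptDocument(Buffer.from('constructed sample document'), creds);
```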

Developer Panel Detection

A sophisticated security measure rarely implemented in EdTech platforms. The application detects when browser developer tools are opened, monitors for debugging attempts that could indicate malicious activity, logs detection events for security review, and can trigger session termination.

DevTools Detection • Session Protection • Security Logging

Compliance & Regulatory Alignment

Exceeding requirements across multiple frameworks

FERPA Compliant

Eight-layer encryption, role-based access controls, and comprehensive audit logging exceed FERPA (20 U.S.C. § 1232g) technical safeguard requirements for education records.

COPPA Standards Met

Data protection standards and privacy controls align with COPPA (15 U.S.C. § 6501) requirements for protecting children's online privacy. No direct collection from children—only authorized staff use the system.

NIST Cybersecurity Framework

All five NIST Cybersecurity Framework functions implemented: Identify, Protect, Detect, Respond, and Recover—with detailed mapping available in our Technical Security White Paper.

CIS Controls v8

Data protection, access control, and network monitoring controls from CIS Controls Version 8 are actively implemented throughout the platform.

SOC 2 Type II (All Tiers)

Both Cloudflare and DigitalOcean maintain SOC 2 Type II certification, audited annually by Schellman & Company—providing third-party verification across our entire infrastructure stack.

Arizona ARS § 36-899.10

Full compliance with Arizona vision screening law including ADHS-approved methodology, privacy requirements, and automatic data reporting to the state.

Security Information by Audience

Understanding how our security protects everyone involved

For IT Directors

Eight-layer defense-in-depth architecture with AES-256 encryption at every layer. Three-tier infrastructure with Cloudflare edge protection (origin IP hidden), DigitalOcean Droplet with UFW/Fail2Ban, and Managed Database with Trusted Sources firewall. SOC 2 Type II certified at all tiers. Dual-layer monitoring (internal + New Relic external). TLS 1.3, RBAC, mandatory 2FA for superusers, and comprehensive audit logging. 253-page Technical Security White Paper available upon request.

For School Administrators

Zero data breaches protecting millions of student records since our founding in 2003. Meets all FERPA and Arizona § 36-899.10 requirements automatically. SOC 2 Type II certified infrastructure verified by independent auditors at all tiers. No IT burden or compliance consultants needed—security is built-in and free for Arizona schools.

For Parents

Your child's vision screening data is protected with eight layers of military-grade encryption—stronger than what most banks use. Only authorized school staff can access results. Documents you upload are encrypted so even VisionQuest cannot read them. No account required—access with your child's school ID and birthdate. Contact us with any privacy questions.

Frequently Asked Questions

Common questions about our data security measures

What makes your security different?

While typical EdTech platforms use 1-2 security layers, we implement eight independent layers plus three-tier infrastructure with Cloudflare edge protection (separate company) hiding our origin IP. SOC 2 Type II certification at all tiers provides third-party verification of our security controls.

Have you ever had a data breach?

No. We have maintained a perfect security record with zero data breaches since our founding in 2003, protecting millions of student records. Our defense-in-depth architecture is designed to prevent breaches at multiple levels.

What is zero-knowledge encryption?

Documents uploaded by parents are encrypted using credentials known only to authorized parties. Even VisionQuest cannot decrypt these files without the student's credentials, providing the highest level of document privacy possible.

What happens if servers go down?

Hot standby database nodes with real-time replication enable automatic failover in under one minute. Dual-layer monitoring (internal + New Relic external) ensures we're alerted even during complete infrastructure failure. Our 99.99% uptime SLA ensures schools can always access services.

Can VisionQuest staff access student data?

Administrative access requires four layers of authentication: physical machine access, AppCrypt application protection, platform 2FA, and SSH encryption keys. All access is logged and monitored. Staff cannot view individual student PII without explicit authorization.

What about password security?

Passwords are hashed using bcrypt/Argon2 algorithms. Our integration with Have I Been Pwned API prevents users from choosing passwords that appear in known data breaches. Two-factor authentication is mandatory for superusers and available for all school users.

How do you verify security?

Both Cloudflare and DigitalOcean undergo annual SOC 2 Type II audits by Schellman & Company. This provides independent third-party verification of security controls across our entire infrastructure stack—not just one component.

Is there an additional cost?

No. Thanks to generous philanthropic support, EyeSpy 20/20 is completely free for Arizona schools, including all eight security layers, Cloudflare edge protection, SOC 2 certified infrastructure at all tiers, and enterprise-grade protection.

How does ADHS reporting maintain security?

Automatic ADHS reporting uses encrypted connections to transmit de-identified aggregate data. The automation eliminates manual data handling, reducing accidental disclosure risk while ensuring Arizona ARS § 36-899.10 compliance.

Security Documentation

Resources available for IT teams, administrators, and compliance audits

Technical Security White Paper V4

Comprehensive 253-page documentation of our eight-layer security architecture, three-tier infrastructure, encryption implementations, key management, access controls, operational monitoring, and 18 detailed appendices.

Executive Summary

High-level overview of security capabilities, three-tier architecture, compliance certifications, and key differentiators for decision-makers and school board presentations.

Security 1-Pager

Quick-reference security overview highlighting zero data breaches, SOC 2 certification at all tiers, eight security layers, Cloudflare edge protection, and FERPA compliance at a glance.

Protect Arizona Students with Enterprise-Grade Security

Join 140+ Arizona schools using EyeSpy 20/20's eight-layer security architecture