What member information do you collect?
We collect minimum required information from our members to process their transactions and better serve with pertinent information, such as purchase confirmations and status updates. The information collected may include any of parent and student first and last names, student thumbscan, email, grade, student photo and student identification number.
PushCoin does not sell, share, or rent personally identifiable information to any outside parties.
How is member information collected?
Parents or guardians of students share their basic personal information with PushCoin when they: a) fill out a signup form or b) use a partner login mechanism known as OAuth. In either case, visitors must explicitly enter or permit information transfer to PushCoin.
School administrators enter student information after login into pushcoin.com or upload student records in bulk (CSV file) over HTTPS. Student photos are uploaded via HTTPS or SFTP.
How is member data physically protected?
PushCoin deploys all its server infrastructure at one of the most advanced and recognized datacenter providers in the world, Amazon AWS. For detailed information on how Amazon AWS datacenters operate and their compliance with security and privacy regulations, visit http://aws.amazon.com/security/
How is data protected in transit and on the servers?
PushCoin takes precautions to protect member information. All administrative access to servers undergoes two-factor authentication with One-Time-Password tokens.
When users submit sensitive information from the browser or a mobile device, all information is encrypted using the latest and strongest cryptography standards.
None of the Internet facing servers store member information. Web servers delegate requests to the second tier servers through a secondary firewall, running tightly privileged databases. Arriving data undergoes the following transformations:
- User passwords are hashed and original passwords are discarded.
- Database files are served from encrypted partitions.
- Server log files and scheduled database backups are stored on similarly encrypted partitions and never leave them. All inspections of problems which require analyzing logs are performed over encrypted channels.
How big is the PushCoin IT team overlooking the platform and having access to (student) data?
PushCoin prides itself in writing efficient software requiring minimal maintenance. As of today, the PushCoin platform is managed by a handful of US citizens. All individuals went through several background checks on behalf of both federal and private-sector organizations.
How long do student records remain with PushCoin?
Unless the school refreshes student information, existing records are automatically deleted after 13 months. Biometric (TouchID) template data is deleted after 120 days.
Is any of production data used in development?
No personal, student, school staff or parent data is used in a development environment.
Portions or entire lunch menus from the production may be used during development to accurately portray point of sale conditions the software will be exposed to during actual use.
What service availability does PushCoin offer?
PushCoin software is written with scalability and reliability in mind. The software is deployed at several redundant locations. Furthermore, the delivery of our “reliability promise” is continually reviewed, tested and criticized to ensure we stay current with the latest and most stringent industry practices. To this day, PushCoin has not experienced a single service interruption.
Are you open to security and privacy audits?
We are happy to work with the school staff and the school-delegated third party providers to demonstrate our commitment and readiness to deliver the best in data privacy and security. Additionally, our point of sale software and user mobile applications are open source. This means that anyone with some programming knowledge can evaluate our coding standards and security, comment or submit patches.
PushCoin is committed not only to “play well” with the rest of the Internet, but to contribute back to the Internet and Open Source communities. We worked with IANA, a department of ICANN, to standardize our protocol encoding and offer it royaltyfree. The application undergone an extended peer-review and was granted an official MIME status: http://www.iana.org/assignments/mediatypes/application/vnd.pcos
What’s your policy for applying security patches or bug fixes?
We rely on several channels for security alerts, bug fixes and updates:
- Our cloud provider regularly keeps us informed about security risks and system patches.
- Our team is subscribed to and follows security and privacy blogs, conferences and websites.
- The PushCoin software infrastructure is configured to automatically apply critical security updates from authorized vendors.
- All of our in-house software releases are managed by the source code control system, undergo regression tests and are subject to frequent peer code reviews.
How do I submit a problem report or a comment?
Please send all comments, problem reports or experiences to firstname.lastname@example.org
We read all inquiries and reply within 48 hours if necessary.