What kind of data security does PlanetHS/ArbiterAthlete employ to keep student information safe?
Protecting your privacy and your information is a priority at PlanetHS/ArbiterAthlete. We do not rent or sell the personal financial information you provide to us. All connections to the website occur over industry-standard secure TLS connections using a strong cipher and a certificate with a minimum 2048-bit key size. A firewall is used to limit connections to the servers to the relevant ports needed for the website to function. Other connections are blocked completely, or limited to authenticated users and IPs. All external access occurs over secured VPN and SSH connections to prevent any interception of traffic. Physical access to the servers is secured by Microsoft. Access to any PII data requires a user to be authenticated and to have their permissions verified before they can see any data. In addition, as an added security measure, if you use a credit card to make a purchase on our site, a PlanetHS/ArbiterAthlete representative may call you to verify the transaction.
The data received from Pre-participation forms are used only to complete the information needed to submit eligibility for student-athletes and to provide information to the school and district. PlanetHS/ArbiterAthlete complies with relevant FERPA and HIPAA requirements regarding security and privacy. Only school administrators and staff that have been designated by the school have access to view the information – principal, athletic director and assistants, coach of relevant teams and athletic trainers. PlanetHS/ArbiterAthlete takes the following security measures: all access to the site is over HTTPS; access to the physical servers is restricted to senior IT staff; and remote access is only over secure channels. All unnecessary services are disabled; firewalls are configured for each service to allow only approved traffic through. HIPAA and FERPA compliance is maintained through our use of Microsoft's Azure platform, as more fully described in the document Microsoft Azure Compliance Offerings and in Microsoft's HIPAA BAA and its Online Services Terms.
While we use SSL encryption to protect sensitive information online, we also take steps to protect user information offline. Access to all of our users' information, not just the sensitive information mentioned above, is restricted in our offices. Only employees who need the information to perform a specific job (for example, our billing clerk or a customer service representative) are granted access to personally identifying information. Furthermore, employees are kept up to date on our security and privacy policies and practices, and such policies and practices are strictly enforced. Finally, the servers on which we store personally identifying information are kept in a secure environment.