Security at WPS
Security is built in throughout the WPS eCommerce website and the Online Evaluation System. Maintaining a secure infrastructure and environment that safeguards data and protected health information (PHI) is the highest priority for our customers.
WPS has implemented an Information Security Program and a set of Security Controls that are monitored automatically and in real time using a cloud-based security and compliance platform built to help organizations establish, maintain, and continuously monitor their Information Security Program.
We've Got You Covered
WPS security has many layers to keep information protected.
Security operations and best practices
Our security team approaches security holistically based on industry best practices and aligned to a common controls framework. Security threats are prevented using 24/7 security monitoring, secure software development practices, and industry-accepted operational practices.
Platform and network security
We perform rigorous security testing including threat modeling, automated scanning, and third-party audits. If an incident occurs, we resolve the issue quickly using our security incident response practices and keep you informed.
Availability and continuity
We maintain high levels of availability with multiple availability zones and robust Disaster Recovery and Business Continuity programs. Physical access to our data centers is strictly controlled with comprehensive security measures by our data center hosting partners.
- 24/7 monitoring by expert SOC Team (Security Operations Center)
- Encryption In-Transit (TLS v1.2)
- Encryption At-Rest (AES-256)
- Customer data segregation
- Strict access control using Least Privilege Principle
- Ongoing security education and awareness training
- Ongoing network and application vulnerability scanning
- Annual 3rd party penetration testing
- Intrusion Detection & Prevention Systems (IDS/IPS)
- AI-driven Security Information & Event Management (SIEM)
- Web Application Firewalls (WAF) and network segmentation
- Hosted at AWS, a leading and secure infrastructure provider
- Highly available and redundant architecture
- Automated scaling architecture
- 99.99% uptime. No downtime for updates.
- Tested Disaster Recovery and Business Continuity Plans
Trusted, shared security in the cloud
Data security is paramount for your organization. Our cloud architecture is built on Amazon Web Services (AWS) with an inherently strong data security infrastructure that delivers always-on services. AWS Cloud Services is a secure platform offering computing power, database storage, content delivery, and a variety of other services designed for scalability, resilience, and security. More information about AWS's cloud computing can be found here.
AWS is responsible for the security of the cloud system, and WPS is responsible for the security of the data it stores in the cloud. More details can be found here for the AWS Shared Responsibility Model.
Compliance at WPS
WPS is regularly audited by 3rd party organizations and follows strict standards and regulations in order to keep your information safe. We obtain industry-accepted attestations and adhere to current industry standards and regulations so you can feel confident that your company and client data remain secure and compliant.
Moving to the cloud means protecting sensitive workloads while achieving and maintaining Compliance with complex regulatory requirements, frameworks, and guidelines. Our team is constantly working to expand coverage to help organizations meet compliance needs.
Our Compliance Reports and Adherence
Learn more about WPS's featured compliance adherence to a variety of industry regulations and government legislation.
SOC 2 Type 2
SOC 2 (System and Organization Controls) is a regularly refreshed report that focuses on non-financial reporting controls as they relate to security, availability, and confidentiality of a cloud service.
SOC 3
SOC 3 (System and Organization Controls) is a regularly refreshed report that focuses on internal controls as they relate to security, availability, and confidentiality of a cloud service.
HIPAA
HIPAA is a regulation developed by the U.S. Department of Health and Human Services designed to protect the privacy and security of an individual's Protected Health Information (PHI).
FERPA
The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. FERPA gives parents certain rights with respect to their children's education records.
COPPA
Children's Online Privacy Protection Act (COPPA) imposes certain requirements on operators of websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.
SOPIPA
The Student Online Personal Information Protection Act (SOPIPA), which came into effect in 2015, is a California state law which prevents online companies from compiling K-12 student data for marketing or advertising purposes.
CSA STAR Level 1
The Cloud Security Alliance (CSA) is the world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.
PCI-DSS SAQ A 3.2.1
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.
Related Resources
Check out these resources to learn more about WPS's data privacy, security, and other useful information.
Privacy Policy
Your privacy is important to us, and so is being transparent about how we collect, use, and share information about you.
Terms of Use
These Terms of Use describe your rights and responsibilities as a customer of our products.
Business Associates Agreement (BAA)
When you register your account on the WPS Online Evaluation System, you are required to read and agree to the terms of the WPS Business Associate Agreement, which specifies how WPS maintains the security of protected health information in accordance with HIPAA guidelines.
WPS Test Security Position Statement
A psychologist shall not reproduce or describe in public or in publications subject to general public distribution any psychological tests or other assessment devices, the value of which depends in whole or in part on the naivete of the subject, in ways that might invalidate the techniques; and shall limit access to such tests or devices to persons with professional interests who will safeguard their use.
SOC 2 Type 2
WPS's SOC 2 Type 2 report validates our security, availability, and confidentiality controls. We perform an annual third-party audit to certify that we've implemented controls that operate effectively to meet the objectives of the AICPA Trust Services Principles.
System and Organization Controls (SOC) 2 reports are independent third-party examination reports that demonstrate how an organization achieves key compliance controls and objectives.
SOC 2 reports are based on the Auditing Standards Board of the American Institute of Certified Public Accountants' (AICPA) existing Trust Services Criteria (TSC). The purpose of the report is to evaluate an organization's information systems relevant to security, availability, processing integrity, confidentiality, and privacy.
The SOC 2 report concludes with the independent third-party audit firm's opinion, which describes the organization's system and assesses the fairness of the organization's description of controls. The audit firm's opinion also evaluates whether the organization's controls are designed appropriately, were in operation on a specified date, and were operating effectively over a specified time period.
SOC 2 and SOC 3 reports are both attestation examinations conducted in accordance with the SSAE 18 standard, specifically sections AT-C 105 and 205, governed by the AICPA. The main difference is that a SOC 2 is a restricted-use report and a SOC 3 is a public-facing report.
Please email compliance@wpspublish.com to request a copy of the SOC 2 Type 2 Report.
SOC 3
The System and Organization Controls (SOC) 3 reports are independent third-party examination reports that demonstrate how an organization achieves key compliance controls and objectives.
SOC 3 reports are based on the Auditing Standards Board of the American Institute of Certified Public Accountants' (AICPA) existing Trust Services Criteria (TSC). The purpose of the report is to provide a publicly facing version of the SOC 2 attestation report for customers who need assurance about a service organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy, but do not require a full SOC 2 report. SOC 3 reports can be freely distributed because they are general-use reports.
A SOC 3 report contains a written assertion by service organization management regarding control effectiveness in achieving commitments based on the applicable trust services criteria, as well as the service auditor's opinion on whether management's assertion is stated fairly.
SOC 2 and SOC 3 reports are both attestation examinations conducted in accordance with the SSAE 18 standard, specifically sections AT-C 105 and 205, governed by the AICPA. The main difference is that a SOC 2 is a restricted-use report and a SOC 3 is a public-facing report.
Click here to download the SOC 3 Report.
HIPAA
WPS provides comprehensive privacy and security protections that enable our customers to operate our products in compliance with HIPAA. These include:
- Security measures for protecting PHI
- Assessments for reasonable remediation or mitigating controls of addressable HIPAA Security Rules
- Annual HIPAA Security Attestation, Gap Assessment, and Security Risk Analysis
- Regular review and retention of HIPAA Security policies and procedures
- Security awareness content regarding the protection of ePHI, and
- Designation and role definition of a HIPAA Security Officer.
WPS's 3rd party HIPAA Attestation is provided in the SOC 2 Type 2 report. Please email compliance@wpspublish.com to request a copy of the SOC 2 Type 2 Report.
The Health Insurance Portability and Accountability Act (HIPAA) is a regulation developed by the U.S. Department of Health and Human Services designed to protect the privacy and security of an individual's Protected Health Information (PHI). The HIPAA Security Rule was established to protect individuals' health information and ensure the security, integrity, and confidentiality of this data. HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses, as well as other third parties, known as “Business Associates”, that create, receive, maintain, or send PHI.
Customers who are subject to HIPAA compliance and want to partner with WPS can enter into a Business Associate Agreement (BAA) that covers the applicable products and services. For more information on the signed BAA, please email compliance@wpspublish.com.
Click here to download the Business Associate Agreement (BAA).
Cloud Security Alliance (CSA) STAR Level 1
WPS has attained the CSA's STAR Level 1 Self-Assessment, which maps our security controls against security standards, regulations, and controls from industry-accepted bodies such as ISO 27001/27002/27017/27018, NIST SP 800-53, AICPA TSC, BSI C5, PCI DSS, ISACA COBIT, NERC CIP, FedRAMP, CIS and many others.
The Cloud Security Alliance (CSA) is the world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. Founded in 2013 by the Cloud Security Alliance, the Security Trust Assurance and Risk (STAR) registry encompasses key principles of transparency, rigorous auditing, and cloud security and privacy best practices.
The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings.
STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM). Publishing to the registry allows organizations to show current and potential customers their security and compliance posture, including the regulations, standards, and frameworks they adhere to.
Here is a link to the CSA STAR Registry listing for WPS - WPS CSA Star Registry Listing.
Children's Online Privacy Protection Act (COPPA)
WPS follows the requirements of the Children's Online Privacy Protection Act (COPPA).
Children should not provide any personal information without permission from their parent, guardian, or teacher. We do not condition children's participation in an online activity on the disclosure of more information than is reasonably necessary to participate in the activity. We do not share children's information with outside third parties not bound by the WPS Privacy Policy, or otherwise inconsistent with the requirements of COPPA.
If you are a Parent or Legal Guardian and would like to review any personal information that we have collected online from your child, have this information deleted, and/or request that there be no further collection or use of your child's information, or if you have questions about these information practices please email compliance@wpspublish.com.
For more information regarding COPPA and online privacy, please see the COPPA website.
Student Online Personal Information Protection Act (SOPIPA)
WPS is a SOPIPA-compliant vendor and adheres to the following requirements under this act:
- Does not use any data collected via our services to target ads to students
- Does not create advertising profiles on students
- Does not sell student information
- Does not disclose information, unless required by law or as part of the maintenance and development of our service
- Uses sound information-security practices, which often include encrypting data and other security industry best practices
- Will delete data that we have collected from students in a school when the school or district requests it
- Shares information only with educational researchers or with educational agencies performing a function for the school
- Innovates safely without compromising student privacy by only using de-identified and aggregated data as we develop and improve our service.
The Student Online Personal Information Protection Act (SOPIPA), which came into effect in 2015, is a California state law which prevents online companies from compiling K-12 student data for marketing or advertising purposes.
For more information regarding SOPIPA, please see details here at the CA Legislative Information website.
Family Educational Rights and Privacy Act (FERPA)
WPS is a FERPA-compliant vendor and adheres to the following requirements under this act:
- Does not use any data to advertise or market to students or use data for any purpose other than the specific purpose(s) outlined in the WPS Terms of Use and Privacy Policy
- Does not change methods on how data is collected, used, or shared under the WPS Terms of Use and Privacy Policy in any way without advance notice to, and consent from customers
- Only collects data necessary to fulfill requirements necessary to utilize our services
- Only uses data for the purpose of fulfilling its duties and providing and improving services
- Does not share data without prior written consent of the user except as required by law
- Will delete or de-identify personal information when it is no longer needed, upon expiration or at termination of our agreement with an educational institution
- The educational institution retains full ownership rights to the personal information and education records it provides to WPS
- Will share and make available upon request any student data stored from the educational institution
- Stores and processes data in accordance with industry best practices, including but not limited to the following:
  - Conducts periodic risk assessments
  - Remediates any identified security vulnerabilities in a timely manner
  - Has a formal incident response plan that includes prompt notification in the event of a security or privacy incident
  - Has strict access control using the Least Privilege Principle
  - Performs ongoing security education and awareness training for WPS staff
The Family Educational Rights and Privacy Act (FERPA) is a federal law that affords parents the right to have access to their children's education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records. When a student turns 18 years old, or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student.
For more information regarding FERPA, please see details here at the U.S. Department of Education website.
Payment Card Industry Data Security Standards Validation - SAQ A 3.2.1
The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination, and implementation of security standards for account data protection. The Standards Council was established by the major credit card associations (Visa, MasterCard, American Express, Discover, JCB) as a separate organization to define appropriate practices that merchants and service providers should follow to protect cardholder data. It is this council of companies that created the Payment Card Industry (PCI) Data Security Standards (DSS).
PCI DSS is a set of network security and business best practices guidelines adopted by the PCI Security Standards Council to establish a “minimum security standard” to protect customers’ payment card information. The scope of the PCI DSS includes all systems, networks, and applications that process, store, or transmit cardholder data, and systems that are used to secure and log access to the systems in scope.
Based on the information provided by WPS involving its security policies, procedures, and regulations, SecurityMetrics has found the merchant to be compliant with the Payment Card Industry Data Security Standards (PCI DSS), endorsed by Visa, MasterCard, American Express, Discover, and JCB card brands.
Click here to download our Certificate of PCI DSS Merchant Compliance.