Policy on Information Security

About

Campus Cafe is committed to delivering quality customer support to our client organizations. It is our intention to deliver superior services to you while adhering to strict information security guidelines outlined by the state and federal governments. Campus Cafe is committed to working in partnership with you to ensure that personally identifiable information and other sensitive data is protected, with minimal impact to our provided services.

Organizational commitment to privacy and security

Campus Cafe maintains a multi-disciplinary commitment to privacy and security, including roles responsible for the management and security of physical, network, application, authentication, and database assets. Systems that solicit or display personally identifiable information are protected by access controls that require authorized credentials, which are verified via multi-factor authentication (2FA). Access to client connection lists and/or database information is secured utilizing source control technology. Data stored in the data center has multiple layers of protection, following industry best practices. All Campus Café employees are required to complete an information security training program, to ensure they adhere to industry best practices for protecting and handling sensitive data. For on-premise customers, school-based installers are only available to customers by written request and sent using encryption technologies such as a password-protected website using SSL or an FTP site using Secure Shell (SSH) file transfer.

Internal Password Policy

Campus Cafe adheres to a strict password policy for accessing our business computers and systems. Our password policy follows industry best practice regarding password length, complexity, and expiration. All employees are required to login to their respective company-provided computer system each day and log out or lock the screen whenever the computer or server resource is left unattended. Passwords are not to be kept in any written form. Employees are not to share passwords with colleagues, external (3rd party) vendors, friends or family members. Employees who violate this policy will be disciplined accordingly. Each member of the Campus Café team is granted full administrative privileges to all system computers and is subject to the appropriate use policy as outlined below.

Appropriate Use Policy

All Campus Café employees are subject to the appropriate use of all company assets including personal and work computers, office equipment and servers, office telephones and personal cell phones when on company property.  Any downloading of inappropriate material, file sharing that disrupts normal business operation, use of chat programs for non-business-related discussions are all subject to disciplinary action. Any use of the physical office space for non-business use will be subject to approval by the company CEO.

Physical Security and Proper Disposal of Non-Computer Based Sensitive Information

Campus Café offices are always locked when not in use by an authorized employee. All employees have full physical access to all office and server spaces. All paper records with sensitive information will be shredded after they are no longer needed or kept in a locked filing cabinet when not in use. The office manager is charged with keeping access control over the locked spaces within the office and keeping a record of who has keys and collecting keys from terminated employees and/or contractors. Security for Cloud-based customers is documented in the SLA (service level agreement). Employees working remotely with access to personally identifiable information and other sensitive data are required to follow these same security guidelines.

Security of Web-Based Transactions and Remote Access

Campus Cafe transactions involving personal, confidential, or sensitive information are secured between your web browser and Campus Cafe’s web servers by SSL (Secure Sockets Layer protocol). The transfer or access to databases will take place utilizing modern encryption-based technologies. Campus Cafe will not download or provide for download or access any database from a client or 3rd party vendor website or FTP site unless the connection is secured utilizing SSL or other similar encryption-based technology. All access to client systems must be through a secured Virtual Private Network (VPN) connection. Access to the VPN utilizes multi-factor authentication to confirm the identity of the user and provide additional protection.

Personal Information Saved or Received

Campus Cafe occasionally will, as a normal part of doing business, keep private information about students, staff and administrators of our clients within databases provided by our clients. This is usually for the purposes of support and/or conversion of data. We are responsible for converting data at the request of our customers and it is often most efficient for us to store and convert this data locally. Information that can potentially be stored on our business servers includes the following:

• Your name and date of birth 
• Social Security Number (limited use only)
• School ID Number
• Country of residence
• Campus address and phone number
• Home and cell phone number(s)
• Emergency contact information (name[s], phone number[s], and email address[es])
• Academic credentials
• Academic, leisure and/or other interests
   
  Campus Cafe will destroy any database provided to us for the purposes of consulting or conversion services will be destroyed after the service has been provided and the customer agrees that the service will no longer require the use of said database/s.

Use of the Campus Cafe ID Number, Collection and Use of the Social Security Number (SSN)

The Campus Cafe ID Number is used as the student identification number and is intended to replace the use of the Social Security Number for normal day-to-day transactions at our client institutions. The SSN number in the database is often used for integration with 3rd party systems, for example, financial aid and payroll. Therefore, the SSN number must be used to join two databases together for the most reliable method of matching records for importing and exporting between systems.
 
 For on-premise customers, it is the client’s responsibility to secure any excel spreadsheets, crystal reports (or other ODBC compliant reporting tools) or ODBC connections to their database that can access the SSN of students, staff and administrators of our client institutions. We recommend that these files be secured on the client’s machine/s by utilizing some type of file encryption technology. It is also recommended that any ODBC connection to a database be encrypted using Secure Shell, Secure Sockets Layer, Point-to-Point Tunneling Protocol/Layer 2 Tunneling Protocol or IPsec. Campus Cafe has the means to deny access to the SSN through our application security protocols; however, direct access to the SSN and other sensitive data is still accessible through an ODBC connection. We strongly advise that clients incorporate physical and administrative policies and network controls to mitigate this threat and to maintain compliance with government regulations.
 
 While the SSN is no longer used as the student identification number, the SSN is required to be collected by clients as a normal part of business operations for the following:

• those who are employed by and/or paid by the client institution, 
• individuals applying for or receiving financial aid at the client institution,
• all students 
   
  All collection, handling and use of the SSN by Campus Cafe are governed by our SSN policy. All SSN’s in the possession of Campus Cafe will be destroyed properly after any such data is no longer needed as part of our normal business operations.
   

How your personal information is used outside Campus Cafe (Third-party distribution and disclosure of information)

To the extent necessary to deliver and improve services to you, we may share your personal information with others outside of our company, such as third-party providers, vendors, and others acting on behalf of Campus Cafe. We do not sell personal information. We comply with lawful orders for production of records pursuant to law enforcement investigations, and in supplying information as may be required by local, state and Federal agencies.

Your private e-mail address

If you supply us with a work-related or private e-mail address, we may share this address with persons and organizations outside our company who may be called on to assist in processing your inquiry or serving your needs.

E-Mail messages

If you send us e-mail, we may share your e-mail address and message content with other persons
and organizations outside our company who may be called on to assist in processing your inquiry or serving your needs.

Your Telephone Numbers

If you supply telephone numbers of any description, we may share these numbers with other persons and organizations outside our company who may be called on to assist in processing your inquiry or serving your needs.

Emergency/Crisis Notification

Any and all contact information you provide, such as home telephone numbers, cellular numbers, and e-mail addresses, may be used to notify you of an emergency or crisis that may affect you, your organization or Campus Cafe.

Emergency Contact Information

Your emergency contact information may be used to notify your designated emergency contact(s) of an emergency or crisis that may affect you, your organization or Campus Cafe.

How to contact the organization

If you have a question about the security information policy of Campus Cafe, please contact us via phone or email. This information can be gathered from our public web address www.campuscafesoftware.com.

Changes to the privacy policy

The Campus Cafe Information Security Policy is subject to change at any time. We encourage clients to regularly review the privacy policy for any changes.