Security at ConexED
Last updated: March 2026
Our Approach
Security at ConexED is built on the principle that protecting student data is not optional. It is the foundation of everything we do. Our security program is designed to meet the expectations of IT administrators, CISOs, and compliance officers at institutions of all sizes, from single-campus community colleges to multi-institution state systems.
We follow a defense-in-depth strategy that layers multiple security controls across our infrastructure, application, and operational processes. No single control is treated as sufficient on its own. Instead, we design overlapping protections so that a failure in one layer is caught by another. This approach reduces risk and increases our resilience against both common and sophisticated threats.
Our security team works closely with our engineering and operations teams to integrate security into every phase of the software development lifecycle. From threat modeling during design to automated security testing in our CI/CD pipeline to ongoing monitoring in production, security is embedded in how we build and run ConexED. We do not treat it as a separate concern to be addressed after the fact.
Infrastructure
ConexED is hosted on Amazon Web Services (AWS) within the United States. We use AWS regions that are compliant with federal data handling requirements and provide the low latency and high availability that our institutional customers expect. All customer data resides within U.S. borders and is never transferred to international data centers.
Our architecture uses isolated Virtual Private Clouds (VPCs) with strictly defined network access control lists and security groups. Application servers, databases, and internal services are deployed in private subnets that are not directly accessible from the public internet. Only load balancers and API gateways are exposed to external traffic, and they are protected by AWS Shield and our web application firewall.
We deploy across multiple Availability Zones within our AWS region to provide high availability and automatic failover. Our database layer uses managed services with automated backups, point-in-time recovery, and cross-region replication for disaster recovery.
Infrastructure is managed as code using industry-standard tools, ensuring that our environments are reproducible, auditable, and version-controlled. Changes to infrastructure require peer review and are deployed through our automated pipeline. We do not make ad hoc changes to production systems.
Encryption
All data transmitted to and from the ConexED platform is encrypted using TLS 1.2 or higher. We enforce HTTPS for all connections and use HSTS headers to prevent protocol downgrade attacks. Our TLS configuration follows current best practices and is regularly reviewed against industry recommendations. We support only strong cipher suites and disable deprecated protocols.
Data at rest is encrypted using AES-256 encryption. This applies to all databases, file storage, backups, and logs that may contain sensitive information. Encryption keys are managed through AWS Key Management Service (KMS) with automatic key rotation. We use separate encryption keys for different data classifications to limit the blast radius of a potential key compromise.
Sensitive fields within the application, such as authentication tokens and integration credentials, receive an additional layer of application-level encryption beyond the database-level encryption. This ensures that even database administrators cannot access these values in plaintext without the application's encryption keys.
Access Controls
Access to ConexED production systems follows the principle of least privilege. Engineers and operations staff are granted the minimum level of access required to perform their job functions. Access is provisioned through our identity management system and requires multi-factor authentication (MFA) for all administrative access. We use time-limited access grants for elevated privileges, so access automatically reverts after a defined period.
Within the ConexED platform, role-based access control (RBAC) ensures that users see only the data and functionality appropriate to their role. Institutions can define custom roles and permission sets to match their organizational structure. Student data access is scoped by advisor assignment, department, campus, or other institutional criteria. Administrators have full visibility into who has access to what.
All access to production databases requires approval through our access management workflow, which includes justification, time limitation, and audit logging. We conduct periodic access reviews to verify that all access grants are still appropriate and revoke any that are no longer needed. Access for former employees is revoked promptly upon separation.
Monitoring
ConexED operates a continuous monitoring program that covers our infrastructure, application, and user activity layers. We aggregate logs from all systems into a centralized security information and event management (SIEM) platform, where automated rules and machine learning models detect anomalous patterns that may indicate a security threat.
Our monitoring covers authentication events (successful and failed logins, MFA challenges, password resets), data access patterns (unusual query volumes, access outside normal hours, bulk data exports), infrastructure events (network traffic anomalies, unauthorized configuration changes, resource utilization spikes), and application events (error rates, API abuse, injection attempts).
Alerts are routed to our on-call engineering team for investigation. We maintain on-call coverage and have defined escalation procedures to ensure that security events receive prompt attention.
We retain security logs to support forensic analysis and compliance requirements. Log integrity is protected through append-only storage and cryptographic verification, ensuring that logs cannot be tampered with after the fact.
Incident Response
ConexED maintains a formal incident response plan that defines our procedures for detecting, containing, eradicating, recovering from, and learning from security incidents. The plan covers incidents ranging from minor security events to major data breaches, with defined severity levels and corresponding response procedures for each.
In the event of a confirmed security incident affecting customer data, we will notify affected institutions promptly, in accordance with our contractual commitments and applicable law. Our notification includes a description of the incident, the data types and approximate volume involved, the containment and remediation steps taken, and recommended actions for the institution. We cooperate fully with institutional investigations and provide technical resources as needed.
After each security incident, we conduct a thorough post-incident review to identify root causes, assess the effectiveness of our response, and implement improvements to prevent similar incidents in the future. Findings from these reviews are shared with affected institutions and used to update our security controls, monitoring rules, and incident response procedures.
Compliance
ConexED is TX-RAMP certified. The Texas Risk and Authorization Management Program, established by the Texas Department of Information Resources, validates that our cloud security controls meet the standards required for use by Texas state agencies and public institutions of higher education. Authorization documentation is available to customers and prospects upon request.
We are fully compliant with FERPA requirements for handling student education records. Our data processing agreements designate ConexED as a school official under FERPA, and our security controls are designed to meet the specific requirements for protecting education records. For more detail on our FERPA compliance posture, visit our FERPA Compliance page.
ConexED also maintains compliance with applicable state privacy and data breach notification laws. We complete the HECVAT (Higher Education Community Vendor Assessment Toolkit) questionnaire for institutions that require it and regularly respond to institution-specific security questionnaires as part of procurement processes. Our compliance team is experienced with the unique requirements of higher education IT governance.
Contact Us
For security questions, to request our TX-RAMP authorization documentation, or to report a security concern, please contact our security team:
ConexED Security Team
Email: security@conexed.com
Address: ConexED, Inc., 2825 E. Cottonwood Pkwy, #500, Cottonwood Heights, 84121
To report a potential security vulnerability, please email security@conexed.com with details of the issue. We ask that you give us a reasonable opportunity to address the vulnerability before publicly disclosing it. We appreciate the security research community's contributions to keeping ConexED and its users safe.