1. Does EDMO use student data for purposes other than providing services to the university?

No. EDMO processes data solely on behalf of the university and its authorized partners and only for approved academic and administrative purposes required to deliver EDMO’s services. University data is not used for advertising, not sold, and not shared with other customers. Data is processed strictly within the scope defined by institutional agreements and applicable data protection requirements.

2. How does EDMO demonstrate ongoing commitment to security?

Security is built into EDMO’s product design and operational processes. Controls are reviewed periodically, and security practices are updated to address evolving risks, regulatory requirements, and customer expectations.

3. How long is data retained?

Data retention follows contractual obligations, institutional requirements, and regulatory expectations. Logs and operational data are retained only as long as necessary for security, compliance, and operational purposes.

4. Is EDMO’s system publicly accessible?

No. EDMO’s systems are not open to the public. All access requires authentication, and no anonymous access is permitted.

5. What happens if there is a system outage or data loss?

EDMO maintains a documented Business Continuity and Disaster Recovery (BCDR) plan. Regular backups are performed and tested to ensure systems and data can be restored in the event of an outage or emergency.

6. Does EDMO follow industry security standards?

Yes. EDMO aligns its security program with industry best practices and SOC 2 Trust Services Criteria, including controls related to access management, encryption, logging, monitoring, and incident response.

7. Does EDMO comply with FERPA?

Yes. EDMO acts as a service provider processing data on behalf of universities and supports FERPA compliance through strict access controls, data minimization, encryption, monitoring, and contractual safeguards.

8. How does EDMO protect against cyber threats?

EDMO employs a layered security approach, including:

• Network firewalls
• Anti-malware protections
• Intrusion detection and prevention
• Continuous monitoring
• Audit logging and alerting

These controls are designed to protect confidentiality, integrity, and availability of university data.

9. Is sensitive data logged or stored in application logs?

No. Sensitive data such as full transcripts, credentials, or personally identifiable information is never stored in application logs. Logs capture activity metadata only to support security monitoring and auditing.

10. Is data encrypted?

Yes.

• Data at rest is encrypted using industry-standard encryption (e.g., AES-256).
• Data in transit is protected using secure transport protocols (e.g., TLS 1.2+ / TLS 1.3).

Encryption is enforced across databases, file storage, backups, and network communications.