Graduation Management Services

Designed to meet international regulatory obligations

Compliance

We designed Tassel Turner to be a trustworthy platform with data governance and compliance made easy through convenient administrative controls.

Legal basis for data collection

The legal basis for the platform's collection and use of data depends on the data concerned and the context in which it was collected. All platform data management is explicitly controlled by system administrators and constitutes a functional requirement to use the Tassel Turner features in question, for example sending emails, personalizing tickets, or conducting surveys.


Shared Responsibility

Tassel Turner follows a shared responsibility model common to software as a service platforms. While the infrastructure and workload responsibilities are sustained by us, users are necessarily responsible for other areas of the platform, specifically in regard to the ownership of data, user consent, and freedom of information laws.

Tassel Turner Responsibilities:

  • Infrastructure, network, and software security
  • Platform availability and reliability
  • Data storage, encryption, and backups
  • Platform software releases and patch deployments

Shared Responsibilities:

  • Business processes such as incident management or validation testing
  • Configuring DNS records for platform domains and mail servers
  • Servicing data rights requests

Client Institution Responsibilities:

  • All data created, imported, generated, uploaded, and exchanged while using the platform
  • Application access controls and security settings
  • User authentication and identity management
  • Software integrations with third party services
  • Data retention and destruction policies

Mechanisms and Controls

Tassel Turner provides all the tools you need to uphold your institution’s compliance responsibilities with safe, secure defaults and flexible customization options.

  • Platform data is encrypted in transit, at work, and while at rest using strong encryption and key management
  • All communication channels have multiple opt-out mechanisms and automatic block lists
  • Administrators follow a strong permission-based access control model
  • Multi-factor and passwordless user authentication
  • The entire lifecycle of data from collection to destruction is supported through platform controls
  • All platform services and applications comply with accessibility requirements and regulations
  • Immutable audit logs are created to track user and system activity
  • We perform automated security scans and static code analysis as part of the Tassel Turner development and release cycle
  • We proactively monitor our systems for data breaches and maintain an incident response plan
  • Configurable alert notifications for security events

User rights

Tassel Turner supports the data rights of all users out of the box through a variety of data management features. Students, staff, guests, partners, and all other identifiable users of the platform have the following rights:

  • Right to access: users can access and request the data collected on them and how it’s used
  • Right to correction: users can request or perform corrections on their personal data
  • Right to restrict processing: users can restrict which personal data they provide and opt out of processing
  • Right to erasure: users can request to purge all their data from the system
  • Right to data portability: users can download their data in a common machine-readable format
  • Right to object: users have the means to object to the use of their information
  • Right to complain: users have the means to complain to a supervisory authority if available

Note that the exact implementation of data rights features will depend on how you or the system administrator configures Tassel Turner.

Hosting Environment

Tassel Turner is fully hosted on Amazon Web Services (AWS). AWS has a proven track record providing secure services to enterprise customers and governments, and complies with an extensive catalog of standards.

Unlike many platforms, Tassel Turner uses no additional hosting or third party web services outside the AWS environment, minimizing the risks of data exposure and consolidating privacy controls around the smallest surface possible.

Platform deployments on Tassel Turner are completely independent from each other and utilize no shared resources such as databases or cloud storage. The platform architecture ensures your data is strictly segregated both logically and physically.

Reference compliance

We apply comprehensive safeguards to all Tassel Turner organizational and technical operations, and have designed our services to facilitate governance across various laws and frameworks that apply to the regulatory landscape of higher education.

Privacy Laws and Regulations:

In general terms of data privacy, Tassel Turner can be considered a data processor or data custodian.

Although there are many regional privacy standards, they are broadly aligned in their scope and mandate. Regardless of the location of a university or end user, we apply the strictest prevailing responsibilities and aim to fulfill the requirements of the following regulations.

Security Standards and Frameworks:

Tassel Turner is designed and operated in compliance with the most broadly recognized security frameworks pertinent to software as a service (SaaS) providers. We use a harmonized framework covering the following standards:

Information Management Frameworks:

Tassel Turner can potentially undertake a wide range of responsibilities depending on how you adopt the platform and which institutional frameworks you already have in place.

The specifics of information management systems will differ in their implementation, as well as overlap with common privacy and security regulations. We employ a variety of best practices and harmonized policies to support compliance with frameworks such as the following.