At the National Wine School, we understand that working with colleges and universities means more than delivering educational content—it means upholding the highest standards of data privacy, security, and institutional trust.
Our data compliance framework is designed to support a range of academic partnerships, from individual instructors to fully accredited institutions. Whether you require basic FERPA-conscious design or full SOC 2 Type 2 compliance, we offer a tiered support system that scales with your needs.
This page outlines the protections we provide at each tier, explains our Enterprise Compliance Tier, and offers guidance for institutions choosing to operate without a support agreement.
Overview of Data Compliance Protections
The National Wine School provides a comprehensive suite of data compliance measures that align with institutional, state, and federal requirements. These protections are built into our support tiers to ensure that your program’s security, privacy, and reporting standards are met without compromise. From FERPA compliance and encrypted hosting to incident response protocols and third-party oversight, our framework is designed to integrate seamlessly with your institution’s IT and academic governance policies.
1. FERPA-Compliant Data Handling
We comply with the Family Educational Rights and Privacy Act (FERPA) by implementing secure data handling procedures for student education records. This includes access controls, role-based permissions, restricted data sharing, and the use of institutional data only with proper authorization.
2. HIPAA/GLBA Compliance (If Applicable)
If any health-related or financial student information is processed, we adhere to applicable provisions under the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). We implement safeguards for data privacy, secure transmission, and breach response protocols to protect this information.
3. Data Sharing Agreement Execution
We execute a formal Data Sharing Agreement (DSA) with your institution, outlining our responsibilities and your control over the data we receive or process. This agreement is legally binding and aligns with institutional, state, and federal data policies.
4. Secure U.S.-Based Hosting
All systems that handle institutional data are hosted within the United States on secure cloud infrastructure certified to high standards (e.g., ISO 27001, SOC 2). This ensures compliance with data sovereignty and regional privacy requirements.
5. Encryption In Transit & At Rest
All institutional and student data is encrypted using industry-standard protocols both when stored on our systems and when transmitted over the internet. This includes HTTPS (TLS) for web communications and AES-256 encryption for databases and backups.
6. Audit Trail / Access Logs
We maintain a complete, auditable record of data access, changes, and system events. These logs can be used to verify authorized activity and investigate anomalies. Access to logs is restricted and can be made available to the institution upon request.
7. Limited Data Mapping (School-Approved Only)
Where necessary, we support institution-approved linking of anonymized system data (such as user activity or program performance) back to identifiable student or instructor accounts. This is done only under written agreement and within defined institutional governance protocols.
8. Subcontractor NDA & Oversight
Any subcontractor or service provider with potential access to your data is required to sign a Non-Disclosure Agreement (NDA) and is subject to our compliance oversight. We ensure subcontractors meet the same data handling and security standards we commit to in our agreements with institutions.
9. Incident Response Plan
We maintain a documented, institution-reviewed incident response plan that outlines how we will detect, respond to, and communicate about data security incidents. This includes defined response times, contact procedures, and recovery processes.
10. Breach Notification Support
In the unlikely event of a data breach, we will immediately notify your institution and assist in any required notifications, audits, or remediation steps. Our response protocol aligns with FERPA, state data breach laws, and institutional reporting policies.
11. Indemnity for Data Issues
We offer indemnity provisions to protect your institution from direct damages arising from our negligence in handling your data, including unauthorized disclosures, breaches, or failure to comply with agreed security measures. Terms are defined in our formal agreement.
12. SOC 2 Type 2 Report
We offer full SOC 2 Type 2 compliance for institutions that require independently audited proof of security, confidentiality, and availability controls. This report verifies that we have implemented and sustained enterprise-grade practices across our systems and processes.
Note: SOC 2 compliance is available exclusively through the Enterprise Compliance Tier and is quoted separately based on institution needs. Please contact us directly for pricing and details.
13. Custom Compliance Agreements
We will work with your institution to review and incorporate custom compliance language, institutional IT security terms, or additional privacy obligations. Our legal and technical teams are available to collaborate on a mutually agreeable compliance framework.
Compliance Features by Support Tier
Each support plan includes a specific set of data compliance features aligned to the needs of instructors, departments, and academic institutions. As support levels increase, so does the depth of data protection, ranging from basic FERPA-conscious design to full institutional indemnity, incident response planning, and infrastructure oversight.
The table below outlines which protections are included at each level. The Enterprise Compliance Tier offers our most advanced security and audit capabilities, including SOC 2 Type 2 compliance, and is available by request. Institutions interested in this tier should contact us directly for a custom quote and onboarding process.
| Compliance Option | Zero Support | Basic Plan | Silver Plan | Gold Plan | Platinum Plan |
|---|---|---|---|---|---|
| FERPA-Compliant Data Handling | ❌ | ✅ (instructor only) | ✅ | ✅ | ✅ |
| HIPAA/GLBA Compliance (if applicable) | ❌ | ❌ | ❌ | ✅ | ✅ |
| Data Sharing Agreement Execution | ❌ | ❌ | ✅ | ✅ | ✅ |
| Secure U.S.-Based Hosting | ✅ (static only) | ✅ | ✅ | ✅ | ✅ |
| Encryption In Transit & At Rest | ✅ (basic) | ✅ | ✅ | ✅ | ✅ |
| Audit Trail / Access Logs | ❌ | ❌ | ✅ (basic) | ✅ | ✅ |
| Limited Data Mapping (school-approved only) | ❌ | ❌ | ❌ | ✅ | ✅ |
| Subcontractor NDA & Oversight | ❌ | ❌ | ✅ | ✅ | ✅ |
| Incident Response Plan | ❌ | ✅ (basic) | ✅ | ✅ | ✅ |
| Breach Notification Support | ❌ | ❌ | ✅ | ✅ | ✅ |
| Indemnity for Data Issues | ❌ | ❌ | ✅ | ✅ | ✅ |
| Custom Compliance Agreements | ❌ | ❌ | ✅ | ✅ | ✅ |
Guidance for Professors Using the Zero Support Tier
Instructors using the Zero Support tier are responsible for ensuring that no personally identifiable student data is shared with the National Wine School. While our platform can be used to deliver educational materials and assessments, it must be done in a way that complies with FERPA and institutional privacy policies. We’ve created a detailed guide to help professors use the platform safely and effectively without formal data sharing.
