Security Features. Epic shares data at its discretion, but only subject to prior consent of customers (parents, educators, districts where applicable). Third parties must receive prior authorization by the school district to get access to the district’s data. Epic (as Data processor) receives data from other Data Controllers and agrees to store, transmit, and display student data only via secure and FERPA-compliant methods. For all secure data stored at Epic, we have implemented permissions and audit controls based on role-based access. We protect our computer systems using the following methods:
• All sensitive data is encrypted over HTTPS (HTTP over TLS) across all connections and interfaces as it transits over the internet. The TLS configuration receives an A from Qualys SSL Labs. Refer to the Appendix for details.
• Protection against brute force by rate limiting login attempts.
• Internal tools access is centrally managed (SSO), requires authorization, and is audited.
We use Content Security Policy (CSP) to detect and prevent unauthorized JavaScript from running in the context of our applications.
Sources: Data Privacy Agreement