Trust center

Security & ownership posture

k-12.cloud is a managed service. The software, data, and content stay with the customer. We document how the environment is run — and who is responsible for what.

FERPA-aligned posture

Ownership model

We run it. You control it.

Your data, credentials, content, and domains remain yours. Operational responsibility for infrastructure and managed services is ours under the agreed deployment model.

Customer-controlled data and access

Your data, credentials, domains, and content remain under your control. Software ownership and license rights follow the deployment agreement.

Data

All customer data — student-adjacent or otherwise — remains owned by the customer and exportable on request.

Software rights and agreements

Third-party software and workflow engines are deployed under customer authorization, license terms, or commercial agreements. k12.cloud and approved partners may provide managed software layers where contracted.

Operating model

Single operating model: k-12.cloud managed account.

Today we operate environments through a k-12.cloud-managed account so operations, monitoring, and lifecycle controls remain consistent.

  • k-12.cloud-managed hosting account
  • Centralized operations runbook and monitoring
  • Managed provisioning, patching, backups, and maintenance
  • Auditable environment changes through repository workflows

Data handling

How customer data is protected.

Every environment ships with the same baseline. PII workloads tighten the baseline further during deployment review.

  • No customer secrets in Git
  • Encryption at rest and in transit
  • Daily backups with off-site copy
  • Documented retention policy per environment
  • Audit-trailed access via SSO
  • Restricted egress for PII workloads
  • Third-party software rights stay with the customer

GitOps & audit trail

Configuration is versioned. Every change is reviewable.

Each customer gets a private repository. Environment configuration, provisioning records, and operating events all flow through it.

No secrets in Git

Credentials, API keys, and other secrets live in a managed vault — never in repository files. Configuration that lands in Git is safe to be reviewed.

Auditable change history

Provisioning jobs, repo events, and agent-assisted edits are logged with actor, branch, and outcome — visible in the customer portal.

Agent-assisted operations

What agents do — and what they don't.

Agents help us scale operations and reviews. They do not have standing access to production environments, and they do not ship unsupervised remediation.

  • Risk-reduction guidance, not security guarantees
  • No destructive testing by default
  • Human approval before remediation lands
  • All agent-driven changes flow through PR review
  • Audit log of every agent action

Incident response

How we handle the bad day.

01. Detect

Monitoring, log alerts, or customer report opens an incident in our queue.

02. Triage

On-call engineer assesses severity and notifies the customer if impact is confirmed.

03. Mitigate

Roll back, scale, or patch under runbook. PR captures every change.

04. Postmortem

Written timeline, root cause, and remediation actions are documented and shared with the customer.

Status & uptime page

A public status page is on the roadmap. Until then, customers see incidents in the portal and receive direct notifications.

Coming soon

Third-party software notice: Some deployments may use open-source, commercial, or customer-provided software. Customers are responsible for maintaining required third-party software rights unless otherwise stated in an applicable order form. k12.cloud and approved partners may provide managed infrastructure, workflow packages, custom nodes, configuration, monitoring, and support.

Want the long version?

Ask for the security questionnaire.

We share a written security questionnaire and operating responsibility matrix on request — perfect for procurement and IT review.