Trust

We’re Committed to Protecting Member and Learner Data

Maintaining the security, confidentiality, privacy, integrity, and availability of your data is critical to our team. As part of our ongoing commitment to putting our members and learners first, Parchment has built robust and transparent information security and compliance programs.

COMPLIANCE

Frameworks

Parchment information security management system is based on industry best practices ISO 27001, NIST CSF, PCI DSS. Through these frameworks, members and learners can trust that working with Parchment is a reliable, consistent, and secure experience.

ISO

ISO 27001:2013 (ISO 27001) is an international standard that helps organizations manage the security of their information assets. It provides a management framework for implementing an ISMS (information security management system) to ensure the confidentiality, integrity, and availability of all corporate data (such as financial information, intellectual property, employee details or information managed by third parties).
The ISO 27001 framework was published in 2013 by the ISO (International Organization for Standardization) and belongs to the ISO 27000 family of standards. It is the only internationally recognized certifiable information security standard. ISO 27001 is supported by its code of practice for information security management, which explains how to implement information security controls for managing information security risks.

These certifications run for 3 years (renewal audits) and have annual touch point audits (surveillance audits).

The Information Security Management system is designed to support a mission of Turning Credentials into Opportunities through the delivery and support of learner Accounts. Parchment Award, Parchment Pathways, Parchment Services, and Parchment Digitary (CORE, MyEquals, and MyCreds) across the K12, Higher Education, International and Workforce markets.

Including the technologies, staff, policies, and office locations in accordance with the State of Applicability v2023. 1

SOC2 Type II

Annually, Parchment undergoes SOC2 Type II audit by a third-party AICPA firm to ensure customers are protected across various levels. The scope of the SOC2 Type II audit covers all of Parchment Products and emcompnases all five Trust Servce Criteria, inducing Security, Confidentiality, Availability, Processing Integrity, and Privacy.

PCI

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard administered by the PCI Security Standards Council. PCI DSS is a set of network security and business best practices guidelines adopted by the PCI Security Standards Council to establish a “minimum security standard” to protect customers’ payment card information. The PCI DSS is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.
Parchment maintains compliance with PCI DSS, as a level one Service provider. To ensure credit card data is securely handled Parchment has Partnered with Chase to provide a secure and reliable payment process. Parchment does not directly store, process, or transmit any cardholder data. Parchment undergoes annual Report on Compliance assessment by Qualified Security Assessors against the current PCI DSS requirements. We can provide a copy of our Attestation of Compliance upon request.

FERPA

The Family Educational Rights and Privacy Act (FERPA) is a federal law enacted in 1974 that protects the privacy of student education records. Parchment handles all requests and access to FERPA protected records in a secure and compliant manner, always requiring consent as needed and preventing unauthorized disclosure.

Accessibility VPAT 508 Compliance

Parchment is committed to making its services accessible to individuals with disabilities by meeting or exceeding accessibility standards. We target compliance with the Web Content Accessibility Guidelines (WCAG) 2.0 Level AA guidelines in the design and development of Parchment services. Conformance with these guidelines makes Parchment more accessible and user friendly for everyone. We enhance and test Parchment services regularly to maintain compliance with this standard.
A Voluntary Product Accessibility Template is a document used by providers to self-disclose the accessibility of a particular product. We are happy to provide a copy of the product specific VPAT upon request.

PRIVACY

We are deeply committed to learner and member privacy and embrace privacy by design in everything we do. Transparency builds trust, and we strongly believe in informing all of our users about their Privacy Rights and Terms of Use. If you have any questions or concerns regarding Privacy, please contact Privacy@parchment.com

GDPR and CCPA

Parchment handles personal information with compliance in mind. Our platform is General Data Protection Regulation (GDPR) compliant and meets the California Consumer Privacy Act (CCPA) standards. Please reference Parchment’s Privacy Policy, Data Protection Addendum, and designated Suprocessors. If you wish to exercise any Privacy rights, please contact us at Privacy@parchment.com

SECURITY CONTROLS

Availability & Reliancy

Parchment systems are hosted on Amazon Web Services (SOC 1, SOC 2, and SOC 3 certified) deployed across multiple availability zones. Providing our members and learner communities with trusted Uptime and Reliability.

Vulnerability Management

A formal Vulnerability Management Program to proactively identify and remediate technical vulnerabilities in its systems, applications and services. Please contact us through our Responsible Disclosure page to report any suspected vulnerabilities.

Network & Transmission Protection

Parchment implements appropriate technical solutions to protect the confidentiality and integrity of network communications. Baselines of network traffic and expected data flows to identify what activities that would be considered anomalous behavior. Parchment leverages AWS Security tooling that includes; GuardDuty, CloudTrail, Security Hub, & Inspector, as well as an enterprise SIEM.

Audit, Logging, & Monitoring

Parchment leverages the AWS Well-Architected framework to build secure, high-performing, resilient, and efficient infrastructure for all Parchment Products.

To ensure the effectiveness of our security measure, and detect potential security events, auditing, logging and monitoring are enabled throughout our AWS environment, and the application.

Software Development

Security is considered in the entire end-to-end process of developing software, including OWASP training, processes, code reviews, and vulnerability scanning.

Risk Management & Incident Response

Risk management is continuously in place for both internal and external sources. We take a proactive approach to performing risk assessment. Potential security risks or events are evaluated and reviewed continuously. Formal incident response plans are in place and tested.

Data Protection

Data integrity and confidentiality are obtained through extensive encryption of data, both in transit and at rest, and role based access controls.

SECURITY ASSESSMENTS

Parchment understands the importance of vendor management and due diligence. Our Information Security team wants to assist you in providing a timely response to your security questions and assessments. Parchment has a streamlined process to complete your requests when considering partnering with us. If your Vendor Risk Management process is based on the EDUCAUSE HECVAT, we can share our pre-completed questionnaires. If your Vendor Risk Management process is based on 3rd party auditor attestations or reports, Parchment is happy to provide copies of our PCI Attestation of Compliance and/or SOC2 Type II report. Parchment’s ISO 27001 certification is also available by request. Please contact your Regional Sales Representatives or Account Executive to get the process started, or submit us a ticket in our Help Center.

Cookie	Duration	Description
aka_debug	session	Vimeo sets this cookie which is essential for the website to play video functionality.
BIGipServer*	session	Marketo sets this cookie to collect information about the user's online activity and build a profile about their interests to provide advertisements relevant to the user.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-essential	1 year	The cookie is set by the GDPR Cookie Consent plugin to record the user consent for the cookies in the category “Necessary”.
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
STYXKEY_api_token	1 hour	AWS Cloud API
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.
webinarVideo	never	Recursive support screen share session tracking cookie

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__sharethis_cookie_test__	session	ShareThis sets this cookie to track which pages are being shared and by whom.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
li_gc	5 months 27 days	This is a cookie from LinkedIn and is used for storing visitors' consent regarding the use of cookies for non-essential purposes
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
liveagent_oref	1 year	This cookie is set by LiveAgent to allow Live Chat assistance for existing customers.
liveagent_ptid	1 year	LiveAgent sets this cookie to link previous chats and transcripts from a single visitor.
liveagent_sid	session	LiveAgent sets this cookie to capture a unique pseudonymous ID when a user requests a chat during an active session.
liveagent_vc	1 year	This cookie is set by LiveAgent to allow Live Chat assistance for existing customers.
NextPage	past	This cookie tracks the previous page to allow users to go back and forth between pages using the user interface buttons.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
X-Salesforce-CHAT	session	This cookie is set by LiveAgent to allow Live Chat assistance for existing customers.

Cookie	Duration	Description
__jid	30 minutes	Cookie used to remember the user's Disqus login credentials across websites that use Disqus.
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.

Cookie	Duration	Description
_clck	1 year	Persists the Clarity User ID and preferences, unique to that site, on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_clsk	session	Connects multiple page views by a user into a single Clarity session recording.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_ga_N0Q7GW0J6L	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_335339_11	2 hours	Set by Google to distinguish users.
_gat_UA-*	1 minute	Google Analytics sets this cookie for user behaviour tracking.
_gat_UA-335339-11	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
AnalyticsSyncHistory	1 month	No description
ANONCHK	10 minutes	The Microsoft Clarity ANONCHK cookie, indicates whether MUID is transferred to ANID, which is a cookie used for advertising. Clarity doesn't use ANID and so this is always set to 0 indicating not for advertising.
CLID	1 year	Used by Microsoft Clarity. The cookie is set by embedded Microsoft Clarity scripts. The purpose of this cookie is for heatmap and session recording.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
disqus_unique	1 year	Set by Disqus to record internal statistics for anonymous visitors.
loglevel	never	Collects data on visitor interaction with the website's video-content - This data is used to make the website's video-content more relevant towards the visitor.
SM	session	This Microsoft Clarity cookie is used in synchronizing the MUID across Microsoft domains.
SRM_B	1 year 24 days	Used by Microsoft Clarity as a unique ID for visitors.
ti_	2 years	This cookie is set by Triblio to track the way a visitor uses the website and to monitor the performance of marketing campaigns.
VISITOR_PRIVACY_METADATA	5 months 27 days	YouTube meta data

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
bito	1 year 1 month	This cookie is set by Beeswax for advertisement purposes.
bitoIsSecure	1 year 1 month	Beeswax sets this cookie for targeting and advertising. The cookie is used to serve the user with relevant advertisements based on real time bidding.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
MUID	1 year 24 days	Bing sets this cookie to recognize unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
NID	6 months	Google sets the cookie for advertising purposes; to limit the number of times the user sees an ad, to unwanted mute ads, and to measure the effectiveness of ads.
S	1 hour	Used by Yahoo to provide ads, content or analytics.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
tuuid	2 years	The tuuid cookie, set by Demandbase via BidSwitch, stores an unique ID to determine what adverts the users have seen if they have visited any of the advertiser's websites. The information is used to decide when and how often users will see a certain banner.
tuuid_lu	2 years	This cookie, set by Demandbase via BidSwitch, stores a unique ID to determine what adverts the users have seen while visiting an advertiser's website. This information is then used to understand when and how often users will see a certain banner.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Trust

We’re Committed to Protecting Member and Learner Data

COMPLIANCE

RESPONSIBLE DISCLOSURE

PRIVACY

SECURITY CONTROLS

SECURITY ASSESSMENTS

COMPLIANCE

Frameworks

PRIVACY

GDPR and CCPA

SECURITY CONTROLS

Availability & Reliancy

Vulnerability Management

Network & Transmission Protection

Audit, Logging, & Monitoring

Software Development

Risk Management & Incident Response

Data Protection

SECURITY ASSESSMENTS