Privacy Policy

1. Who we are

OnboardConnect is a product of Zentrosoft LLC ("Zentrosoft," "we," "us," or "our"), a software company that provides automated Active Directory provisioning services to higher education institutions. Our principal place of business is in the United States. You can reach us at solutions@zentrosoft.com.

2. Scope of this policy

This Privacy Policy applies to:

• Visitors to our marketing website at onboardconnect.com
• Representatives of institutions who request access, create accounts, or use the OnboardConnect platform
• Students whose enrollment data is processed through the platform on behalf of an institution (see Section 8 — FERPA)

This policy does not apply to third-party websites or services linked from our site.

3. Information we collect

3a. Information you provide directly

• Contact information — name, institutional email address, job title, institution name, and phone number when you submit an access request or contact us
• Account credentials — email and password when you create a platform account
• Integration credentials — Active Directory bind credentials, LDAP configuration, SFTP keys, and Microsoft Graph tokens provided during platform setup (see Section 6 for how these are protected)

3b. Information collected automatically

• Usage data — pages visited, features used, timestamps, and session duration within the platform
• Log data — IP address, browser type, operating system, and referring URL for security and debugging purposes
• Provisioning audit logs — records of every provisioning action executed on behalf of an institution, including actor, timestamp, trigger, and outcome

3c. Student enrollment data (processed on behalf of institutions)

When an institution connects their Slate CRM or uploads enrollment files, OnboardConnect processes student records to provision Active Directory accounts. This data is processed as a service provider acting on the institution's behalf — not collected for our own purposes. See Section 8 for our FERPA position.

4. How we use information

We use the information we collect to:

• Provide, operate, and improve the OnboardConnect platform
• Process and fulfill access requests from institutions
• Communicate with platform users about their accounts, service updates, and support requests
• Generate audit logs for compliance and security purposes
• Detect and prevent security incidents and abuse
• Meet our legal obligations

We do not sell personal information to third parties. We do not use student enrollment data for advertising, analytics, or any purpose beyond provisioning the requested accounts.

5. How we share information

We share information only in the following circumstances:

• Service providers — infrastructure vendors (cloud hosting, database, and monitoring providers) who process data on our behalf under confidentiality agreements
• The institution — provisioning results and audit logs are made available to the institution that owns the account
• Legal requirements — if required by law, court order, or to protect the rights and safety of Zentrosoft, our customers, or the public
• Business transfers — if Zentrosoft is acquired or merges with another entity, customer data may be transferred as part of that transaction, subject to the same privacy commitments

6. How we protect credentials and sensitive data

Integration credentials (Active Directory passwords, SFTP private keys, Microsoft Graph tokens) are:

• Encrypted with AES-256-GCM before being written to storage
• Never logged, included in error messages, or returned in API responses
• SFTP private keys are write-once — they cannot be retrieved after upload
• Revocable at any time from the institution's dashboard

The on-premises agent token is stored in the Windows Credential Manager or DPAPI-protected storage on the institution's server — never in a plaintext config file.

7. Data retention

• Provisioning audit logs — retained in hot storage for 365 days; automatically exported to cold storage after 30 days
• Account data — retained for the duration of the institution's account plus 90 days after termination, then deleted
• Student enrollment records — processed in memory during provisioning runs; not persisted beyond the anonymized audit log entry
• Contact form submissions — retained until the inquiry is resolved or for up to 2 years

8. FERPA and student data

OnboardConnect operates as a school official under FERPA (20 U.S.C. § 1232g) pursuant to the legitimate educational interest exception, acting under the direct control of the institution and using student education records only for the purpose of provisioning accounts as directed by the institution.

Specifically:

• Student PII flows through the platform, not into it as a permanent record
• Audit log entries reference anonymized event identifiers, not full PII snapshots
• We do not use student data for any purpose beyond fulfilling the institution's provisioning instructions
• Institutions remain the data controller; Zentrosoft is the data processor

Institutions are responsible for ensuring their use of OnboardConnect complies with FERPA and their own institutional data governance policies.

9. Cookies and tracking

Our marketing website uses minimal cookies for session management and basic analytics. We do not use third-party advertising trackers. The platform application uses session cookies required for authentication.

You can configure your browser to block or delete cookies; note that blocking session cookies will prevent you from logging into the platform.

10. Your rights

Depending on your jurisdiction, you may have rights to access, correct, delete, or port personal information we hold about you. To make a request, contact us at solutions@zentrosoft.com.

For student data rights under FERPA, requests must be directed to the institution — they are the record custodian, not Zentrosoft.

11. Children's privacy

OnboardConnect is designed for use by higher education institutions and their adult staff. We do not knowingly collect personal information from individuals under the age of 13. If you believe a minor has provided personal information through our site, contact us and we will delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top and, for material changes, notify active platform users via email. Continued use of the platform after changes take effect constitutes acceptance of the updated policy.

13. Contact us

For privacy-related questions or requests, contact: