Security

Security built for institutional standards

OnboardConnect was designed with campus IT security requirements in mind — FERPA awareness, zero firewall changes, an outbound-only on-prem agent, and credentials that are encrypted before they ever leave your dashboard.

Security Pillars

Four layers of protection

Every layer is designed to meet the expectations of a higher-ed CISO or auditor, not just a consumer SaaS checklist.

Zero inbound exposure

The on-prem agent connects outbound only via an encrypted tunnel. No inbound firewall rules, no open ports, no VPN required. Your network never exposes a listening service to OnboardConnect.

  • Agent initiates outbound connection — never receives inbound connections
  • Cloudflare Tunnel technology with TLS 1.3 minimum
  • Agent token stored in the OS credential store, never on disk in plaintext
  • Connection revocable from the dashboard in under 30 seconds

Encrypted credentials at rest

AD bind credentials, LDAP passwords, SFTP private keys, and Microsoft Graph tokens are all encrypted with AES-256-GCM before storage. Encryption keys are never written to application logs.

  • AES-256-GCM symmetric encryption for all stored secrets
  • Credentials never appear in logs, error messages, or API responses
  • SFTP private keys accepted but never re-exported after upload
  • Graph API tokens refreshed on a short-lived rotation schedule

Immutable audit trail

Every provisioning action is logged with the actor, timestamp, trigger source, and outcome. The log is append-only — no record can be modified or deleted, even by platform administrators.

  • Append-only log structure enforced at the storage layer
  • Every entry includes actor identity, not just system attribution
  • Exportable to CSV or JSON for external compliance review
  • Automated export to cold storage after 30 days; 365-day hot retention

Role-based access control

Fine-grained permission boundaries ensure staff only access what their role requires. Help desk technicians can reset passwords without touching provisioning rules. All actions are attributed to named users — no shared credentials.

  • Four built-in roles: Owner, Admin, Technician, Read-only
  • API-level enforcement — UI restrictions cannot be bypassed
  • Every action attributed to the authenticated user who performed it
  • Custom roles with granular permissions on Enterprise plans

On-Prem Agent

How the on-prem agent works

The OnboardConnect agent is a lightweight Windows service that installs on any server inside your network with LDAP access to your Active Directory domain controllers.

It establishes a persistent outbound tunnel to the OnboardConnect cloud service. When a provisioning command is dispatched, it travels over this encrypted channel to the agent, which executes the LDAP operation and reports the result back.

The agent never listens for inbound connections. Your firewall does not need to be modified. There is no DMZ requirement, no reverse proxy, and no VPN.

Agent security details

  • Outbound-only tunnel

    Agent initiates the connection. The cloud service cannot push arbitrary commands — only queued provisioning tasks authenticated to your account.

  • Agent token

    Stored in the Windows Credential Manager or DPAPI-protected storage. Never written to a config file in plaintext.

  • Command signing

    Each provisioning command is signed with a per-account HMAC key. The agent rejects any command that fails signature verification.

  • Instant revocation

    Revoke the agent token from the dashboard and the tunnel is terminated within seconds. The agent cannot reconnect without a new token.
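
A sketch of the agent-side check described under "Command signing", added here as an illustration and not OnboardConnect's own code. HMAC-SHA256, the canonical JSON encoding, the envelope fields and all function names are assumptions; the page states only that each command is signed with a per-account HMAC key and rejected on verification failure.

```python
import hashlib
import hmac
import json


def canonical_bytes(command: dict) -> bytes:
    # Sorted keys and fixed separators so signer and verifier MAC identical bytes.
    return json.dumps(command, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_command(key: bytes, command: dict) -> str:
    # Cloud side (assumed): hex HMAC-SHA256 tag over the canonical command.
    return hmac.new(key, canonical_bytes(command), hashlib.sha256).hexdigest()


def verify_command(key: bytes, envelope: dict) -> dict:
    """Agent side: return the command only if its tag verifies, else raise."""
    command = envelope.get("command")
    tag = envelope.get("signature")
    if not isinstance(command, dict) or not isinstance(tag, str):
        raise ValueError("malformed envelope")
    expected = sign_command(key, command)
    # compare_digest is constant-time, so the check leaks no tag prefix via timing.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        raise ValueError("signature verification failed")
    return command


def is_accepted(key: bytes, envelope: dict) -> bool:
    # Fail closed: nothing is executed unless verification succeeded.
    try:
        verify_command(key, envelope)
    except ValueError:
        return False
    return True


# Constructed sample data: the key and command fields are illustrative only.
ACCOUNT_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
COMMAND = {"task_id": "t-0001", "op": "create_user",
           "dn": "CN=jdoe,OU=Students,DC=example,DC=edu"}
SIGNED = {"command": COMMAND, "signature": sign_command(ACCOUNT_KEY, COMMAND)}
TAMPERED = {"command": {**COMMAND, "dn": "CN=jdoe,OU=Staff,DC=example,DC=edu"},
            "signature": SIGNED["signature"]}

if __name__ == "__main__":
    print("signed:", is_accepted(ACCOUNT_KEY, SIGNED))
    print("tampered:", is_accepted(ACCOUNT_KEY, TAMPERED))
```
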

SFTP Security

Secure file transport end to end

Student data files in transit are protected at every hop. OnboardConnect supports SSH key and certificate authentication for all SFTP connections and enforces host fingerprint pinning to prevent man-in-the-middle scenarios.

Certificate expiry is monitored automatically — you'll receive alerts before an expiring key causes a sync failure, not after.

SFTP security controls

  • SSH key and certificate authentication — password auth not accepted
  • Host fingerprint pinning — connection rejected on fingerprint mismatch
  • Certificate and key expiry monitoring with 30-day advance alerts
  • Private keys encrypted at rest with AES-256-GCM immediately on upload
  • SFTP private keys are write-once — they cannot be retrieved after upload
  • File transfer logs included in the provisioning audit trail
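
How a client can enforce the host fingerprint pinning listed above, as an added example that is not OnboardConnect's code. It assumes OpenSSH-style SHA256 fingerprints over the public key blob; the function names, host name and key bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    # SSH wire encoding: 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(data)) + data


def fingerprint(public_key_line: str) -> str:
    """OpenSSH-style fingerprint of a '<type> <base64-blob> [comment]' line."""
    parts = public_key_line.split()
    if len(parts) < 2:
        raise ValueError("not a public key line")
    blob = base64.b64decode(parts[1], validate=True)
    # The key type encoded inside the blob must match the declared type.
    if not blob.startswith(ssh_string(parts[0].encode("ascii"))):
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_key_allowed(pinned: str, presented_key_line: str) -> bool:
    # Fail closed: a parse error or any mismatch rejects the connection.
    try:
        actual = fingerprint(presented_key_line)
    except ValueError:
        return False
    return hmac.compare_digest(actual.encode(), pinned.encode())


def make_ed25519_line(raw_key: bytes, comment: str) -> str:
    # Builds a public key line from 32 raw bytes (constructed test input only).
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " " + comment


# Constructed sample keys: ENROLLED is pinned, CHANGED is any other host key.
ENROLLED = make_ed25519_line(bytes(range(32)), "sftp.example.edu")
CHANGED = make_ed25519_line(bytes(range(1, 33)), "sftp.example.edu")
PINNED = fingerprint(ENROLLED)

if __name__ == "__main__":
    print("pinned:", PINNED)
    print("enrolled key accepted:", host_key_allowed(PINNED, ENROLLED))
    print("changed key accepted:", host_key_allowed(PINNED, CHANGED))
```
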

Our approach to student data

OnboardConnect does not store student PII beyond what is operationally required for provisioning. Student records are processed in memory and written to the audit log as anonymized event references — not full PII snapshots. Data flows through the platform, not into it. We are FERPA-aware by design and operate as a school official under the legitimate educational interest exception.

Get Started

Security questions? We welcome the scrutiny.

Share our security overview with your CISO or send us your vendor security questionnaire. We'll respond in full.