HECVAT 4.0 Assessment

Higher Education Community Vendor Assessment Toolkit

Assessment Date: March 2026  |  Vendor: Varsity Learning, Inc.

HECVAT 4.0 Lite Spreadsheet

Download the completed assessment for your institution's formal procurement review process. Contact support@varsitylearning.com with questions.

Company Information

Company Name Varsity Learning, Inc.
Product Name Varsity Learning Online Math Management System
Product URL https://www.varsitylearning.com
Deployment Model SaaS (cloud-hosted, multi-tenant)
Primary Contact support@varsitylearning.com

Data Classification & Handling

Does the product store, process, or transmit student education records (FERPA)?

Yes — student names, email, scores, submissions, grades. See our FERPA Compliance page.

Does the product store PII (Personally Identifiable Information)?

Yes — names, email addresses, IP addresses, institution names.

Does the product process payment card data?

No — payment processing is delegated to Stripe (PCI DSS Level 1). We do not store, process, or transmit credit card numbers.

Does the product store protected health information (PHI)?

No.

What is the data classification level?

Moderate — education records and PII, no financial or health data.

Infrastructure & Hosting

Cloud Provider Amazon Web Services (AWS)
Data Center Region US-West-1 (N. California). All data resides within the United States.
Compute EC2 (m5a.large) running Ubuntu 24.04 LTS
Database AWS Aurora MySQL 8.0 (encrypted at rest, automated backups)
File Storage AWS S3 (server-side encryption, versioning enabled)
CDN / WAF Sucuri CloudProxy (DDoS protection, virtual patching, bot mitigation)
SSL/TLS TLS 1.2 and 1.3 enforced. Let's Encrypt certificates with automatic renewal.
Backup Strategy Automated daily Aurora snapshots (35-day retention). S3 versioning for file storage.

Authentication & Access Control

Authentication Methods

Username/password (bcrypt hashed), LTI 1.3 SSO via institutional LMS

Password Policy

Minimum 8 characters, bcrypt cost factor 12, rate-limited login attempts

Session Management

Server-side sessions, 2-hour idle timeout, secure/httponly cookies, CSRF protection

Role-Based Access

Yes — 5-tier role system: Student, Instructor, Group Admin, Full Admin, Developer

Administrative Access

Restricted to authorized personnel. SSH access via AWS EC2 Instance Connect (no persistent keys). Database access via IAM authentication.

Security Practices

Vulnerability Management

Regular security audits, automated dependency scanning, prompt patching of critical vulnerabilities.

Incident Response

Documented incident response procedures. Affected institutions notified within 72 hours of confirmed data breach.

Logging & Monitoring

Application and access logs retained. Failed login monitoring with automatic lockout.

Encryption in Transit

TLS 1.2/1.3 enforced for all connections. HTTP Strict Transport Security (HSTS) is planned but not yet enabled, so browsers are not yet instructed to refuse plaintext connections to the domain.
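The authentication answers above (bcrypt cost factor 12, session cookies with Secure and HttpOnly, CSRF protection) and the transport answer (TLS enforced, HSTS planned) are claims an institutional reviewer can verify against captured evidence rather than take on trust. The script below is an added example written for this page, not Varsity Learning's code: it parses a Set-Cookie header for the claimed flags, classifies the HSTS header, and reads the cost factor out of a bcrypt hash string. The response headers and the hash are constructed samples so it runs offline; the cookie name VLSESSID and the sample values are assumptions, not observed data.

```python
"""Offline checks for the session-cookie, HSTS and bcrypt claims in a HECVAT answer.

Added example, not vendor code. SAMPLE_HEADERS and SAMPLE_HASH are constructed
so the script runs with no network access; replace them with headers captured
from an authenticated response and a hash from the vendor's evidence.
"""
import re

# Constructed sample: what a reviewer might capture right after login.
# The cookie name and value are assumptions, not observed from the product.
# No Strict-Transport-Security header is present, matching "HSTS planned".
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "VLSESSID=sample-session-id; Path=/; Secure; HttpOnly",
}

# Constructed bcrypt string in modular-crypt format ($2b$<cost>$<22 salt><31 hash>).
# The salt and hash characters are filler, not the output of a real bcrypt call.
SAMPLE_HASH = "$2b$12$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and a lowercase attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def check_session_cookie(header: str) -> list:
    """Return the findings a reviewer would raise for a session cookie.

    Secure and HttpOnly are claimed on the page. SameSite is not claimed, so it
    is reported as an observation: without it, CSRF defence rests on tokens alone.
    """
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by injected script")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: relies on CSRF tokens alone")
    return findings


def check_hsts(headers: dict) -> str:
    """Classify the Strict-Transport-Security header as absent, weak or ok."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "absent"
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    # One year is the commonly recommended minimum and the preload-list threshold.
    if not m or int(m.group(1)) < 31536000:
        return "weak"
    return "ok"


# $2a/$2b/$2x/$2y prefix, two-digit cost, then 53 chars of salt+hash.
_BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def bcrypt_cost(hash_str: str) -> int:
    """Return the cost factor encoded in a bcrypt hash, e.g. 12 for $2b$12$..."""
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash")
    return int(m.group(1))


def review(headers: dict, password_hash: str) -> dict:
    """Run every check over captured evidence and return a summary dict."""
    cost = bcrypt_cost(password_hash)
    return {
        "cookie_findings": check_session_cookie(headers["Set-Cookie"]),
        "hsts": check_hsts(headers),
        "bcrypt_cost": cost,
        "bcrypt_cost_ok": cost >= 12,   # the figure claimed in the questionnaire
    }


if __name__ == "__main__":
    for key, val in review(SAMPLE_HEADERS, SAMPLE_HASH).items():
        print(f"{key}: {val}")
```

Run against the constructed sample, the review reports the bcrypt cost as 12 and HSTS as absent, and flags only the unstated SameSite attribute on the session cookie; the Secure and HttpOnly claims check out. A reviewer would repeat the same checks with headers captured from the live product before signing off on the answers.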

Encryption at Rest

AES-256 encryption for Aurora database and S3 storage via AWS KMS.

Network Security

Sucuri WAF, AWS Security Groups (principle of least privilege), no direct database access from internet.

Third-Party Subprocessors

AWS (hosting), Stripe (payments), Mailgun (email), Sucuri (WAF). All US-based, with data processing agreements.

Compliance & Certifications

FERPA Compliant — operates as school official under legitimate educational interest exception. See FERPA Compliance page.
COPPA Platform serves high school students (14+). No intentional collection of data from children under 13 without consent.
CCPA Compliant — does not sell personal information. Data access and deletion rights supported.
Section 508 / WCAG 2.1 AA Partially conformant — see VPAT for detailed conformance report.
SOC 2 No SOC 2 report is currently available for the product. Infrastructure provider (AWS) holds a SOC 2 Type II report, which covers the hosting layer only, not the Varsity Learning application.
PCI DSS Not in scope — credit card data handled entirely by Stripe (PCI DSS Level 1).

Business Continuity & Data Portability

Uptime Target

99.5% availability (historical average >99.9%)

Disaster Recovery

Multi-AZ Aurora database with automated failover. Daily encrypted backups with 35-day retention. AMI snapshots for rapid server recovery.

Data Export

Instructors can export gradebook data as CSV. Institutions can request full data export. LTI grade passback provides real-time grade sync to institutional LMS.

Contract Termination

Upon contract termination, institutional data will be exported and securely deleted within 90 days, or as specified in the institutional agreement.
