Security

Protecting student data and ensuring fair lotteries are our top priorities. Learn how we keep your information safe.

FERPA Compliant

We protect student education records in accordance with the Family Educational Rights and Privacy Act.

AWS Infrastructure

Built on AWS services (Cognito, RDS, S3, SES) that maintain SOC 2 and FedRAMP compliance.

No Data Sales

We never sell personal information. Your data is used solely to provide the enrollment lottery service.

Security Features

Encryption at Rest & In Transit

All data is encrypted using AES-256 at rest and TLS 1.2+ in transit. Your information is protected whether it's being stored or transmitted.

Secure Authentication

Powered by AWS Cognito with strong password requirements, secure session management, and optional multi-factor authentication (MFA).

Role-Based Access Control

Strict permissions ensure users only access data relevant to their role. Parents see only their students; admins see only their schools.

Tenant Isolation

Each organization's data is logically isolated. Cross-tenant access is prevented at the database query level with mandatory org filtering.

Comprehensive Audit Logging

Every action is logged for accountability. Audit trails support compliance requirements and enable security investigations when needed.

Lottery Integrity

Lotteries use cryptographically secure random number generation (crypto.randomInt). Results are hashed with SHA-256 for integrity verification.

FERPA Compliance

Charter Lottery processes education records as defined by the Family Educational Rights and Privacy Act (FERPA). We take this responsibility seriously and implement strict safeguards:

  • Act as "school official" with "legitimate educational interest"
  • Process records only as directed by educational institutions
  • Maintain strict role-based access controls
  • Complete audit trail of all access to records
  • No disclosure except as authorized by FERPA
  • Support parent rights to inspect and correct records

Infrastructure & Practices

AWS Cloud Infrastructure

  • Amazon RDS PostgreSQL with encryption
  • Amazon Cognito for authentication
  • Amazon S3 with pre-signed URLs (15-minute expiry)
  • Amazon SES for transactional emails
  • Hosted in us-east-2 (Ohio) region

Data Protection Practices

  • No PII stored in application logs
  • Audit events store IDs only, never names or DOB
  • Export files auto-deleted after 30 days
  • Regular security assessments
  • Secure software development lifecycle

Data Retention

Data Type             Retention Period          Reason
Audit Events          7 years                   Regulatory compliance
Lottery Results       7 years                   Historical records and audits
Applications          3 years                   After enrollment cycle ends
Data Exports          30 days                   Automatic deletion from S3
Account Information   Until deletion requested  Active account maintenance

Report a Security Vulnerability

If you believe you've discovered a security vulnerability in Charter Lottery, we encourage responsible disclosure. Please report it to our security team.

security@charterlottery.com

Please include detailed information about the vulnerability and steps to reproduce. We'll respond within 48 hours.