GuidesClever App DashboardAPI Postman CollectionClever AcademySupportStatus
Guides

Security and Privacy

Security at Clever

At Clever, our mission is to set the highest standard for student data privacy and security in the industry. For more details, check out our Security Whitepaper.

Security Best Practices

To prioritize data security and privacy, we require all Clever app account users to enable Single Sign-On (SSO) or Two-Factor Authentication (2FA) by June 30th, 2023.

Login Options

Clever offers three secure login methods:

  1. App Dashboard SSO
  2. Sign in with Google
  3. Two-Factor Authentication

These methods provide simple, effective protection for your account at no additional cost.

❗️

Important Note:

The user email in the OAuth token is not verified by Clever. If using an email sourced from Clever data, it’s important to always confirm that the email address is controlled by the user authenticated through Clever.

  • Always use the Clever User ID as the primary identifier for all Clever users. This is the most reliable way to identify a user from Clever.
  • Some users may not have an email on record, as Clever does not require the field for users, and this field is populated for users by their district administrator. This is especially true for younger students.
  • Malicious actors may exploit unverified emails, leading to potential account takeovers. Clever IDs are provisioned by Clever and are secure.

For more information on using the Clever ID as a primary identifier, please see our Users documentation.

Keep Secrets Secure

For your safety, never send district-app tokens, client secrets, or authorization headers via email or other unencrypted channels. We recommend storing them as environment variables rather than embedding them directly in code.

❗️

Security Notice:

If we detect that a token or secret has been sent through email or unsecured channels, we will reset it within 24 hours.

Privacy Considerations

If you’re integrating with Clever, ensure that you have a signed contract with the District and are onboarded as an official District vendor before initiating connections through Clever (e.g., District SSO or Secure Sync integrations). These contracts outline your usage of personally identifiable information (PII) and must specify whether you’re allowed to store user emails.

Additionally, all partners must agree to Clever’s Terms of Use and comply with relevant laws, including FERPA, COPPA, and other state laws like CCPA.

Note:
Clever cannot make decisions on whether your usage of PII complies with applicable laws. It’s your responsibility to ensure compliance with both your contractual obligations and relevant legal requirements.

Updated about 1 month ago

What’s Next