Security and Privacy
Security at Clever
Clever's goal is to set the highest bar in the industry for student data privacy and security. Learn more about our security and download our whitepaper here.
Security Best Practices
As part of our ongoing commitment to data security and privacy, we require all Clever app account users to activate SSO or two-factor authentication (2FA) by June 30th, 2023.
Login Options
There are three login options available:
- App Dashboard SSO
- Sign in with Google
- Two-factor Authentication
These login options provide a simple, effective way to protect your account from unauthorized access at no cost to you.
Important Note
The email provided in the OAuth token is not verified by Clever. We do not warrant that the email is controlled by the user authenticated by Clever.
Before using the email for any authentication or authorization purpose, match on the user's Clever ID instead, or have an alternate mechanism to verify that the user controls the email address.
Since the email address value is controlled by Clever users, a malicious user can use an unverified email in the OAuth flow. This can lead to account takeover if the email is implicitly trusted. Clever IDs are not controlled by the user; they are based on authentication completed with Clever and tied to the user’s identity.
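To make the account-takeover risk above concrete, here is an added example (not Clever's code) of a local account lookup: the first function keys on the unverified email claim, the second on the Clever ID. The identity payload shape, the `id` and `email` field names, and the user records are constructed assumptions, not Clever's documented token schema.

```python
"""Constructed example: linking a Clever OAuth login to a local account.

The identity dicts below are constructed stand-ins for what an app might
decode from a Clever OAuth flow; the field names are assumptions. The point
is the lookup logic, not the payload format.
"""

# Constructed local user table: local_id -> record. The app linked these
# accounts earlier and stored the Clever ID returned by Clever at that time.
LOCAL_USERS = {
    "u-100": {"email": "teacher@example-district.org", "clever_id": "clever-aaa111"},
    "u-200": {"email": "admin@example-district.org", "clever_id": "clever-bbb222"},
}


def find_by_email(identity: dict):
    """VULNERABLE: trusts the unverified email claim.
    A Clever user who sets their profile email to a victim's address is
    logged in as the victim (account takeover)."""
    claimed = identity.get("email", "").lower()
    for local_id, rec in LOCAL_USERS.items():
        if rec["email"].lower() == claimed:
            return local_id
    return None


def find_by_clever_id(identity: dict):
    """HARDENED: key the lookup on the Clever ID, which Clever assigns and the
    user cannot change. Email is treated as a display attribute only."""
    clever_id = identity.get("id")
    if not clever_id:
        return None
    for local_id, rec in LOCAL_USERS.items():
        if rec["clever_id"] == clever_id:
            return local_id
    return None  # unknown Clever ID: route to a separate, verified linking step


# Constructed identities. The attacker has a legitimate Clever account (its own
# Clever ID) whose self-controlled email matches an existing local admin.
ATTACKER_IDENTITY = {"id": "clever-zzz999", "email": "admin@example-district.org"}
LEGIT_IDENTITY = {"id": "clever-aaa111", "email": "teacher@example-district.org"}

if __name__ == "__main__":
    print("email lookup, attacker:", find_by_email(ATTACKER_IDENTITY))  # u-200 (takeover)
    print("clever-id lookup, attacker:", find_by_clever_id(ATTACKER_IDENTITY))  # None
    print("clever-id lookup, legit:", find_by_clever_id(LEGIT_IDENTITY))  # u-100
```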
Keep Secrets Secret
Do not send district-app tokens or your client secret (or full authorization headers) through email or other non-secure channels. We recommend excluding them from your code and loading them as environment variables instead.
Security Notice
If our team detects a token or secret sent through email, we will reset the token/secret within 24 hours.
Privacy Considerations
Applications integrating with Clever are expected to enter into contracts with Districts and be an onboarded District vendor before connections are made via Clever (District SSO and/or Secure Sync integrations). Those contracts will govern Partners' usage of PII student data and should include data privacy obligations like whether they are allowed to store user emails or not.
Aside from those contracts, all Partners agree to Clever's Terms of Use, which include an obligation to comply with all applicable laws, including FERPA and COPPA, and any additional state laws, such as CCPA.
As such, every application integrating with Clever should consider its contractual obligations as well as applicable laws and determine whether its usage of PII is appropriate. Clever cannot make that determination for any application.