Security is built in throughout the WPS eCommerce website and the Online Evaluation System. Maintaining a secure infrastructure and environment that safeguards data and protected health information (PHI) is highest priority for our customers.

 

SECURITY & COMPLIANCE

FOR WESTERN PSYCHOLOGICAL SERVICES

Security at WPS

Security is built in throughout the WPS eCommerce website and the Online Evaluation System. Maintaining a secure infrastructure and environment that safeguards data and protected health information (PHI) is highest priority for our customers.

WPS has implemented an Information Security Program and a set of Security Controls that are automatically monitored in real time by utilizing a cloud-based security and compliance solution that helps organizations establish, maintain, and automatically monitor their Information Security Program.

 

We've Got You Covered

WPS security has many layers to keep information protected.


Security operations and best practices

Our security team approaches security holistically based on industry best practices and aligned to a common controls framework. Security threats are prevented using 24/7 security monitoring, secure software development practices, and industry-accepted operational practices.


Platform and network security

We perform rigorous security testing including threat-modeling, automated scanning, and third-party audits. If an incident occurs, we resolve the issue quickly using our security incident response practices and keep you informed.


Availability and continuity

We maintain high levels of availability with multiple availability zones and robust Disaster Recovery and Business Continuity programs. Physical access to our data centers is strictly controlled with comprehensive security measures by our data center hosting partners.

  • 24/7 monitoring by expert SOC Team (Security Operations Center)
  • Encryption In-Transit (TLS v1.2)
  • Encryption At-Rest (AES-256)
  • Customer data segregation
  • Strict access control using Least Privilege Principle
  • Ongoing security education and awareness training
  • Ongoing network and application vulnerability scanning
  • Annual 3rd party penetration testing
  • Intrusion Detection & Prevention Systems (IDS/IPS)
  • AI-driven Security Information & Event Management (SIEM)
  • Web Application Firewalls (WAF) and network segmentation
  • Hosted at AWS. A leading and secure infrastructure provider
  • Highly available and redundant architecture
  • Automated scaling architecture
  • 99.99% uptime. No downtime for updates.
  • Tested Disaster Recovery and Business Continuity Plans

 

 

Trusted, shared security in the cloud

Data security is paramount for your organization. Our cloud architecture is built on Amazon Web Services (AWS) with an inherently strong data security infrastructure that delivers always-on services. AWS Cloud Services is a secure platform offering computing power, database storage, content delivery, and a variety of other services designed for scalability, resilience, and security. More information about AWS's cloud computing can be found here.

AWS is responsible for the security of the cloud system, and WPS is responsible for the security of the data it stores in the cloud. More details can be found here for the AWS Shared Responsibility Model.

 

 

Compliance at WPS

WPS is regularly audited by 3rd party organizations and follows strict standards and regulations in order to keep your information safe. We obtain industry-accepted attestations and adhere to current industry standards and regulations so you can feel confident that your company and client data remain secure and compliant.


Moving to the cloud means protecting sensitive workloads while achieving and maintaining Compliance with complex regulatory requirements, frameworks, and guidelines. Our team is constantly working to expand coverage to help organizations meet compliance needs.

Our Compliance Reports and Adherence

Learn more about WPS's featured compliance adherence to a variety of industry regulations and government legislation.

SOC LogoSOC 2 Type 2

SOC 2 (System and Organization Controls) is a regularly refreshed report that focuses on non-financial reporting controls as they relate to security, availability, and confidentiality of a cloud service.

Learn More
SOC LogoSOC 3

SOC 3 (System and Organization Controls) is a regularly refreshed report that focuses on internal controls as they relate to security, availability, and confidentiality of a cloud service.

Learn More
HIPAA LogoHIPAA

HIPAA is a regulation developed by the U.S. Department of Health and Human Services designed to protect the privacy and security of an individual's Protected Health Information (PHI).

Learn More
FERPA Logo FERPA

The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. FERPA gives parents certain rights with respect to their children's education records.

Learn More
COPPA LogoCOPPA

Children's Online Privacy Protection Act (COPPA) imposes certain requirements on operators of websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.

Learn More
SOPIPA LogoSOPIPA

The Student Online Personal Information Protection Act (SOPIPA), which came into effect in 2015, is a California state law which prevents online companies from compiling K-12 student data for marketing or advertising purposes.

Learn More
CSA STAR LogoCSA STAR Level 1

The CSA (Cloud Security Alliance is the world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.

Learn More
PCI-DSS LogoPCI-DSS SAQ A 4.0

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.

Learn More

 

Related Resources

Check out these resources to learn more about WPS's data privacy, security, and other useful information.

Privacy Policy

Your privacy is important to us, and so is being transparent about how we collect, use, and share information about you.

Learn More

Terms of Use

These Terms of Use describe your rights and responsibilities as a customer of our products.

Learn More

Technical Support

Here you will find lots of information that can help you quickly resolve a technical problem on your own.

General WPS Support Online Evaluation System Help

WPS Test Security Position Statement

A psychologist shall not reproduce or describe in public or in publications subject to general public distribution any psychological tests or other assessment devices, the value of which depends in whole or in part on the naivete of the subject, in ways that might invalidate the techniques; and shall limit access to such tests or devices to persons with professional interests who will safeguard their use.

Download

Contact Us

Email: Customer Service
Call: 424.201.8800 or 800.648.8857 (U.S. and Canada only) Monday through Friday 6 a.m. - 4 p.m. PST

For Compliance & Security specific concerns: Email: WPS Compliance Team

SOC Logo

SOC 2 Type 2

WPS's SOC 2 Type 2 report validates our security, availability, and confidentiality controls. We perform an annual third-party audit to certify that we've implemented controls that operate effectively to meet the objectives of the AICPA Trust Services Principles.

System and Organization Controls (SOC) 2 reports are independent third-party examination reports that demonstrate how an organization achieves key compliance controls and objectives.

SOC 2 reports are based on the Auditing Standards Board of the American Institute of Certified Public Accountants' (AICPA) existing Trust Services Criteria (TSC). The purpose of the report is to evaluate an organization's information systems relevant to security, availability, processing integrity, confidentiality, and privacy.

The SOC 2 report concludes with the independent third-party audit firm's opinion, which describes the organization's system and assesses the fairness of the organization's description of controls. The audit firm's opinion also evaluates whether the organization's controls are designed appropriately, were in operation on a specified date, and were operating effectively over a specified time period.

Both SOC 2 and SOC 3 reports are both attestation examinations that are conducted in accordance with the SSAE 18 standard, specifically sections AT-C 105 and 205, governed by the AICPA. The main difference is a SOC 2 is a restricted use report and a SOC 3 is a public-facing report.

The SOC 2 Type 2 Report is a restricted use report. Only customers who are required to have a copy for compliance, regulatory or security assessment purposes may request one after executing a non-disclosure agreement (NDA). Please email compliance@wpspublish.com for details.

 

 

SOC Logo

SOC 3

The System and Organization Controls (SOC) 3 reports are independent third-party examination reports that demonstrate how an organization achieves key compliance controls and objectives.

SOC 3 reports are based on the Auditing Standards Board of the American Institute of Certified Public Accountants' (AICPA) existing Trust Services Criteria (TSC). The purpose of the report is to provide a publicly facing version of the SOC 2 attestation report for customers who need assurances about service organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy, but do not require a full SOC 2 report. SOC 3 reports can be freely distributed because they are general use reports.

A SOC 3 report contains a written assertion by service organization management regarding control effectiveness to achieve commitments based on the applicable trust services criteria, as well as service auditor's opinion on whether management's assertion is stated fairly.

Both SOC 2 and SOC 3 reports are both attestation examinations that are conducted in accordance with the SSAE 18 standard, specifically sections AT-C 105 and 205, governed by the AICPA. The main difference is a SOC 2 is a restricted use report and a SOC 3 is a public-facing report.

Click here to download the SOC 3 Report.

 

 

HIPAA Logo

HIPAA

WPS provides comprehensive privacy and security protections that enable our customers to operate our products in compliance with HIPAA. These include:

  • Security measures for protecting PHI
  • Assessments for reasonable remediation or mitigating controls of addressable HIPAA Security Rules
  • Annual HIPAA Security Attestation, Gap Assessment, and Security Risk Analysis
  • Annual 3rd party review and attestation of HIPAA Security policies and procedures
  • Security awareness content regarding the protection of ePHI, and
  • Designation and role definition of a HIPAA Security Officer.

The Health Insurance Portability and Accountability Act (HIPAA) is a regulation developed by the U.S. Department of Health and Human Services designed to protect the privacy and security of an individual's Protected Health Information (PHI). The HIPAA Security Rule was established to protect individuals' health information and ensure the security, integrity, and confidentiality of this data. HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses, as well as other third parties, known as “Business Associates”, that create, receive, maintain, or send PHI.

Customers who are subject to HIPAA compliance and want to partner with WPS can enter into a Business Associate Agreement (BAA) that covers the applicable products and services. For more information on the signed BAA, please email compliance@wpspublish.com

 

 

CSA STAR Logo

Cloud Security Alliance (CSA) STAR Level 1

WPS has attained the CSA's STAR Level 1 Self-Assessment, which is an assessment that maps our security controls against security standards, regulations, and controls from industry-accepted outfits like ISO 27001/27002/27017/27018, NIST SP 800-53, AICPA TSC, BSI C5, PCI DSS, ISACA COBIT, NERC CIP, FedRamp, CIS and many others.

The Cloud Security Alliance (CSA) is the world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. Founded in 2013 by the Cloud Security Alliance, the Security Trust Assurance and Risk (STAR) registry encompasses key principles of transparency, rigorous auditing, and cloud security and privacy best practices.

The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings.

STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM). Publishing to the registry allows organizations to show current and potential customers their security and compliance posture, including the regulations, standards, and frameworks they adhere to.

Here is a link to the CSA STAR Registry listing for WPS - WPS CSA Star Registry Listing.

 

 

COPPA Logo

Children's Online Privacy Protection Act (COPPA)

WPS follows the requirements of the Children's Online Privacy Protection Act (COPPA).

Children should not provide any personal information without permission from their parent, guardian, or teacher. We do not condition children's participation in an online activity on the disclosure of more information than is reasonably necessary to participate in the activity. We do not share children's information with outside third parties not bound by the WPS Privacy Policy, or otherwise inconsistent with the requirements of COPPA.

If you are a Parent or Legal Guardian and would like to review any personal information that we have collected online from your child, have this information deleted, and/or request that there be no further collection or use of your child's information, or if you have questions about these information practices please email compliance@wpspublish.com.

For more information regarding COPPA and online privacy, please see the COPPA webiste.

 

 

SOPIPA Logo

Student Online Personal Information Protection Act (SOPIPA)

WPS is a SOPIPA complaint vendor and adheres to the following requirements under this act:

  • Does not use any data collected via our services to target ads to students
  • Does not create advertising profiles on students
  • Does not sell student information
  • Does not disclose information, unless required by law or as part of the maintenance and development of your service
  • Uses sound information-security practices, which often include encrypting data and other security industry best practices
  • Will delete data that we have collected from students in a school when the school or district requests it
  • Shares information only with educational researchers or with educational agencies performing a function for the school
  • Innovates safely without compromising student privacy by only using de-identified and aggregated data as we develop and improve our service.

The Student Online Personal Information Protection Act (SOPIPA), which came into effect in 2015, is a California state law which prevents online companies from compiling K-12 student data for marketing or advertising purposes.

For more information regarding SOPIPA, please see details here at the CA Legislative Information website.

 

 

FERPA Logo

Family Educational Rights and Privacy Act (FERPA)

WPS is a FERPA complaint vendor and adheres to the following requirements under this act:

  • Does not use any data to advertise or market to students or use data for any purpose other than the specific purpose(s) outlined in the WPS Terms of Use and Privacy Policy
  • Does not change methods on how data is collected, used, or shared under the WPS Terms of Use and Privacy Policy in any way without advance notice to, and consent from customers
  • Only collects data necessary to fulfill requirements necessary to utilize our services
  • Only uses data for the purpose of fulfilling its duties and providing and improving services
  • Does not share data without prior written consent of the user except as required by law
  • Will delete or de-identify personal information when it is no longer needed, upon expiration or at termination of our agreement with an educational institution
  • The educational institution retains full ownership rights to the personal information and education records it provides to WPS
  • Will share and make available upon request any student data stored from the educational institution
  • WPS stores and process data in accordance with industry best practices by utilizing the following, but not limited to:
    • Conducts periodic risk assessments
    • Remediates any identified security vulnerabilities in a timely manner
    • Has formal incident response plan that includes prompt notification in the event of a security or privacy incident
    • Has strict access control using Least Privilege Principle
    • Performs ongoing security education and awareness training for WPS staff

The Family Educational Rights and Privacy Act (FERPA) is a federal law that affords parents the right to have access to their children's education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records. When a student turns 18 years old, or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student.

For more information regarding FERPA, please see details here at the U.S. Department of Education website.

 

 

PCI DSS SAQ Logo

Payment Card Industry Data Security Standards Validation - SAQ A 4.0

The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination, and implementation of security standards for account data protection. The Standards Council was established by the major credit card associations (Visa, MasterCard, American Express, Discover, JCB) as a separate organization to define appropriate practices that merchants and service providers should follow to protect cardholder data. It is this council of companies that created the Payment Card Industry (PCI) Data Security Standards (DSS).

PCI DSS is a set of network security and business best practices guidelines adopted by the PCI Security Standards Council to establish a “minimum security standard” to protect customers’ payment card information. The scope of the PCI DSS includes all systems, networks, and applications that process, store, or transmit cardholder data, and systems that are used to secure and log access to the systems in scope.

Based on the information provided by WPS involving its security policies, procedures, and regulations, SecurityMetrics has found the merchant to be compliant with the Payment Card Industry Data Security Standards (PCI DSS), endorsed by Visa, MasterCard, American Express, Discover, and JCB card brands.

Click here to download our Certificate of PCI DSS Merchant Compliance.