Trust & Security
Higher education runs on trust. Korus is built around it. SSO-only access, FERPA compliance designed into the architecture, U.S.-based infrastructure, and a complete audit trail — because student voice carries a duty of care, not just a duty to collect.
What you need to know
- SAML 2.0 SSO required for all access — students, faculty, and administrators
- Strong tenant data isolation built into the platform
- Data encrypted at rest and in transit (TLS)
- FERPA-aligned by design: student identity separated from response data in normal operations
- Configurable minimum-response threshold protects anonymity in small-enrollment courses
- Controlled re-identification pathway for documented safety situations — restricted, justified, audit-logged
- Complete tamper-evident audit log
- U.S.-based cloud infrastructure; U.S.-only data residency for AI processing
- WCAG 2.1 AA target across all user-facing interfaces
- HECVAT, VPAT, DPA, BAA, and SLA available by contract execution
Authentication & Access
Every path into Korus passes through SSO. Email links, dashboard logins, deep links — all of them. There is no anonymous or unauthenticated access. Students, faculty, and administrators all start at the same URL; the system shows the right view based on who you are.
Data Security & Tenant Isolation
Korus is multi-tenant SaaS with strong tenant data isolation. Each institution's data is segregated from every other institution's, and that segregation is enforced consistently across the platform. Data is encrypted at rest and in transit. Detailed architectural information is available to procurement and security teams under NDA as part of evaluation.
FERPA & Student Data
FERPA compliance in Korus is architectural, not just contractual. In normal operations, student identity is separated from response data — faculty and administrators cannot link a specific response to a specific student through any technological marker available in the product. A controlled re-identification pathway exists for documented safety situations (for example, when a response indicates a potential threat). Access to that pathway is restricted to authorized personnel, requires documented justification, and is recorded in the audit trail. A configurable minimum-response threshold protects anonymity in small-enrollment courses, and the disclosure students see at survey open accurately reflects how the system actually works.
U.S. Data Residency
All cloud infrastructure storing or processing Korus customer data is hosted in U.S.-based data centers. Any AI or ML processing applied to customer data runs through providers operating under U.S.-only data residency commitments.
Availability & Reliability
Korus is built for the operational reality of higher-ed survey cycles, where reliability matters most during the few weeks per semester when everything is happening at once. Notification delivery is designed to survive load spikes. On data sync failure, the system continues operating on the last successful sync, with an immediate alert to the institution administrator. Deployment failures trigger proactive alerts with course-level detail, so the administrator hears about it before a faculty member does.
Audit Logging
Korus maintains a complete tamper-evident audit log covering authentication events, data access, permission changes, and use of the controlled re-identification pathway.
Accessibility
WCAG 2.1 AA is our target across all user-facing interfaces. A current VPAT is available by contract execution.
Data Breach Response
Korus maintains a documented data breach response policy covering incident detection and classification, notification requirements, containment and remediation protocols, and post-incident review. Full policy available on request.
Documentation
Have a security or procurement question we didn't answer?
Reach out — we'll get you what you need to complete your evaluation.