Hosting Security
The ‘ON’ products are hosted in the cloud and provided to schools as a service (instead of a hosted on a local server in your school building). This enables your school and users to access the application even when they aren’t on your campus — so it is essential to keep hosting secure.
  • Our data centers are setup with an appropriate access control system.
  • For remote access, two factor authentication is required.
  • We use security information and event management (SIEM) software to store logs (including audit logs). These are aggregated and stored off site for up to one year. They are reviewed daily.
  • Separated private and public areas of our network are configured by firewall. These networks include public, parameter (or “DMZ”), and internal networks.
  • Our Web Application Firewall (WAF) provides multiple benefits. It’s also known as the Blackbaud K-12 Shield.
    • It’s a redundant cloud service custom built for the ‘ON’ products. This shield protects your hosted application from a variety of threats found on the Internet.
    • The shield detects, identifies, and mitigates Distributed Denial of Service (DDoS) and Application Layer attacks — such as SQL injection (Structured Query Language) and XSS (Cross Site Scripting).
    • Additionally, it improves site performance and availability, and it protects infrastructure. Because it can scale instantly, it keeps web applications up and running too. It preserves performance and filters attack traffic close to the source, before bad traffic ever reaches your Application.
  • We conduct a Network Penetration Test annually.
  • We conduct Web Vulnerability Scans quarterly.
  • All patches related to critical and high security issues from third party vendors are installed during the next available maintenance window.
  • Database backups are encrypted and stored off site using third party software that is designed specifically for protecting databases.
  • Our servers are hardened according to industry best practices, including System Auditing, Network Security Settings, System Password Policies, Anti Virus, and more.
  • For onMessage, we also provide the onMessage Accelerator. This cloud based service, built by K-12 Hosting, which provides the fastest possible page load times for onMessage Websites. It also helps deflect and protect against DDoS attacks by absorbing huge spikes in web requests without impacting customer web sites or servers.

Application Security
Your school uses the ‘ON’ products as software services. The application service is designed and developed to provide additional security. For example, our Engineers build the product in ways that ensure users within your community can’t elevate their privileges to gain unauthorized access to information. Additionally, Qualified Security
Analysts (QSAs) regularly check for vulnerabilities.
  • The ‘ON’ products store passwords using one-way encryption (Secure Hash Algorithm; SHA256).
  • User authentication processes are built to prevent brute force style attacks.
  • Within the ‘ON’ products, your school can configure password policies to determine how strong passwords should be.
  • Your school can use external authentication (identity providers), such as Active Directory.
  • By default, sessions will time out (screen lock) when a user is idle for 10 minutes.
  • We require SSL (Secure Sockets Layer) certificates (HTTPS) to access the ‘ON’ products. It’s also required for information shared between Blackbaud products via Web API (Application Program Interface).
    • The domain is configured with HSTS (HTTPS Strict Transport Security).
    • Our SSL scores are verified by Qualys SSL Labs.  ht tps://
  • The application database is encrypted for storing sensitive data.
  • We use a proprietary system, which is developed to inform Blackbaud K-12 resources in Hosting and RDO (Research, Delivery, and Operations) when a user attempts XSS and other types of common hacks. This system provides extra protection in addition to similar protections provided by the Web Application Firewall (WAF).
  • We keep an audit trail for all users who access Report Cards and other types of sensitive information.

Security Related Processes
We also ensure all Blackbaud employees follow industry best practices to maximize our security related processes.
  • Annually, our developers complete security training on OWASP (Open Web Application Security Project) Top 10 security vulnerability threats.
  • After this training, developers must pass a test to confirm they understand the latest information regarding best practices for secure coding.
  • Within our Blackbaud K-12 RDO group (Research,  Delivery, and Operations), duties for Engineering, Quality, and Production Deployments are performed by separate individuals to provide independant checks.
  • A third party Qualified Security Assessor (QSA) performs an Application Penetration Test (Pen Test) on a bi-annual basis. During the Pen Test, the QSA attempts to gain elevated access to the system using a combination of automated and manual hacks.
    • Any critical or high severity issues found during the Pen Test are assigned to development teams in RDO. Our teams address the issues and release improvements to schools via a Weekly Hot Fix Release.
    • Lower priority items are worked into our roadmap and addressed through our Monthly Releases.
  • Any changes to code areas related to security are checked via a code review process.
  • All Blackbaud staff are required to complete general security training on a regular basis.
  • Blackbaud performs background checks on all employees.

PCI Compliance
In terms of PCI, all our payment related activity goes through Blackbaud Payments, or for schools using  Diamond Mind, they go directly to Diamond Mind.  We do not have credit card data flowing through the servers that host the ON products.  
  • Blackbaud Payments goes through an annual level 1 PCI audit by a 3rd party Qualified Security Assessor (QSA).  
  • The onProdcuts will be using Blackbaud Payments and later this year after the completion of the annual audit. The onProducts is currently not listed as one of the PCI compliant products on the Blackbaud website, but this is only because we are waiting for the next annual audit for it to be official.