Security protocols for user safety
At TPT (originally known as Teachers Pay Teachers), we take our responsibility to provide a safe and secure site experience for teachers and schools very seriously. We are proud to be home to a global community of over 7 million educators, including individual visitors to the TPT marketplace and TPT School Access subscribers through their schools and districts. What these teachers share in common is a commitment to supporting students with the best educational resources to help them reach their full potential.
We have several security measures in place to protect users and their networks so that educators can focus on what they do best – help students learn.
Website protection measures
TPT uses industry-best virus/malware detection
TPT scans files using industry-best malware detection software at the point of file upload. Every file available on TPT has been scanned. If any file is flagged by our scanner at the upload stage, the file is quarantined and never made available to users. We also periodically rescan files. Additionally, if we receive a report or otherwise discover any issues with a file at any point in time, the file is disabled immediately. We suspend or terminate the account of the user who provided that file, and we will notify users who may have downloaded the file.
TPT undergoes regular vulnerability scanning
TPT’s website undergoes automated vulnerability scanning performed by a qualified third party on a regular basis. These scans check for any known vulnerabilities or misconfigurations that may be exploitable.
TPT conducts regular penetration tests led by industry experts
TPT works with experienced, independent penetration testers to deeply review our codebase and applications for security issues or vulnerabilities at least once a year. We review all results as a team, document them and prioritize anything discovered according to severity and exploitability. We urgently remediate any critical vulnerabilities.
TPT has 24/7 intrusion detection monitoring
TPT engages an industry-leading provider for support to continuously monitor for suspicious activity across our network and hosts.
TPT encrypts data
All web traffic to TPT is secured with HTTPS using TLS 1.2 or higher. Qualys’ SSL Labs can be used to verify the security of technologies in use, and you can always find our results here. We use the industry-leading AWS cloud services platform, and our default configuration is to use encryption at rest.
TPT is protected by a web application firewall
In addition to securely configuring our production networks to only allow traffic from trusted sources, TPT deploys a Web Application Firewall (WAF) in front of our web applications to protect against attack traffic such as SQL Injection, XSS, DDoS and other common attacks.
TPT requires annual employee training
In order to ensure we’re able to provide a safe experience for users, all TPT employees undergo security and privacy awareness training annually, and as part of this commitment, all engineers working on our website also go through secure coding training. This training helps ensure we incorporate the most up-to-date security practices into our products in order to protect our users.
TPT is assessed against trusted frameworks
TPT is annually assessed as a PCI-DSS Level 1 Merchant by a Qualified Security Assessor (QSA) and commits to maintaining compliance with PCI requirements. TPT also performs at least annual internal security assessments using the NIST Cybersecurity Framework to identify and prioritize improvements to our security program.
TPT accepts and investigates reports
We take security seriously and promptly investigate reports of security concerns. Reported issues are escalated to the appropriate team for review and to determine what action is necessary. You can always reach us directly at security@teacherspayteachers.com.
User privacy measures
TPT provides transparency through our privacy policy
TPT is committed to protecting the privacy of our community members. Our Privacy Policy provides transparent detail about our data privacy practices. Please visit our Privacy Center, which can be found linked in the footer of our website. To highlight a few key details: we do not sell the data of our users, and we have invested in tools to make it easy for users to exercise greater control over their data as provided under applicable laws.
TPT offers data processing agreements
TPT routinely enters into Data Processing Agreements (DPAs) with schools and districts around the US. We have developed a standard DPA as well as a version specifically geared towards the requirements of NY Ed Law 2d which we offer to any school that requests it. If you’d like to get a DPA in place with TPT, please reach out to privacy@teacherspayteachers.com.
TPT has been reviewed by third parties
TPT is also proud to have been awarded the IMS Global TrustEd Apps Seal for Data Privacy and to be a signatory of the Student Privacy Pledge, each of which recognizes that our practices meet the elevated standards set by these independent third parties.