Security at ACEware

ACEware Systems, Inc. takes the protection of customer and student data seriously. This page summarizes the security program that supports our products (Student Manager and CourseGet) and the corporate systems we use to operate our business.

This page describes the controls ACEware maintains. It does not replace the security and privacy obligations that each of our customers (continuing education providers and educational institutions) has to their own students and staff. For details on how we collect and use personal data, see our Privacy Notice .

1. Compliance and attestations

ACEware maintains a SOC 2 program. A copy of our most recent SOC 2 report is available to current and prospective customers under a non-disclosure agreement through the ACEware Trust Center (see section 11).

In addition:

We align our handling of personal data with the principles described in our Privacy Notice , including provisions relevant to the GDPR and the CCPA.
Our products are designed to support our customers' obligations under FERPA. FERPA applies to the educational institution; ACEware acts as a service provider and processes student data on the institution's behalf.
Cardholder data is processed directly by our payment processors (Stripe and Authorize.net) and is never stored on ACEware systems.

2. Data protection

Encryption in transit — all customer-facing connections use TLS.
Encryption at rest — customer data stored in our products is encrypted at rest using industry-standard algorithms managed through Amazon Web Services (AWS).
Tenant separation — each customer's data is logically segregated and accessible only to that customer's authorized users.
Payment data — full payment card numbers are handled exclusively by Stripe and Authorize.net. ACEware retains only limited payment metadata (card type, last four digits, transaction IDs).

3. Infrastructure security

Production infrastructure is hosted on Amazon Web Services (AWS) in the United States.
Network access to production systems is restricted through firewall rules and segmentation.
Servers are built from hardened base images and patched on a regular cadence.
We rely on AWS for physical security, environmental controls, and the security of the underlying cloud platform. AWS publishes its own compliance reports (SOC 2, ISO 27001, and others) at aws.amazon.com/compliance.

4. Identity and access

Multi-factor authentication is required for ACEware administrative access to production systems.
Access to customer data is granted on a least-privilege basis, scoped to the role required to perform a specific task (such as support or operations).
Employees use unique, named accounts. Shared accounts are not permitted for production access.
Access rights are reviewed on a periodic basis and revoked promptly when an employee changes roles or leaves the company.

5. Application security

Code changes are reviewed by a second engineer before being merged to the main branch.
Third-party dependencies are scanned for known vulnerabilities, and updates are applied as part of our regular maintenance cycle.
Production and non-production environments are separated. Real customer data is not used in development or testing environments.
Releases are tested before they reach production.

6. Monitoring and incident response

We collect centralized application and infrastructure logs and monitor them for security-relevant events.
ACEware maintains a documented incident response procedure that defines roles, communication paths, and remediation steps.
If we confirm a security incident that affects customer data, we will notify affected customers in a manner consistent with our contractual commitments and applicable law.

7. Backups and resilience

Customer data is backed up automatically on a regular schedule.
Backups are stored on AWS infrastructure with geographic redundancy.
We periodically test our ability to restore from backup.

8. Personnel security

ACEware employees sign confidentiality agreements as a condition of employment.
Employees receive security awareness training appropriate to their role.
Access to customer data is provisioned during onboarding only as required by the role and is removed promptly on departure.

9. Subprocessors

ACEware uses a small number of vetted service providers to operate our products and run our business. The current list, including the purpose of each subprocessor, is maintained in section 3 of our Privacy Notice and includes:

Amazon Web Services (cloud hosting and infrastructure)
Stripe and Authorize.net (payment processing for CourseGet)
Zoho CRM (customer relationship management)
Zoho Desk (customer support)
AWS SES (email delivery)

10. Customer responsibilities

Security is a shared responsibility. To get the full benefit of the controls described above, customers should:

Use strong, unique passwords and enable multi-factor authentication where available.
Limit administrative access to staff who require it, and remove access promptly when staff change roles or leave.
Keep their own browsers and operating systems patched.
Report suspected compromise of credentials or accounts to ACEware promptly using the contact information in section 12.

11. ACEware Trust Center

For our SOC 2 report, completed security questionnaires, and additional documentation about our security and privacy program, please visit the ACEware Trust Center:

app.conveyor.com/profile/aceware-systems-inc

Some materials are available only under a non-disclosure agreement. The Trust Center will guide you through that process.

12. Reporting a security concern

If you believe you have discovered a security vulnerability in an ACEware product, or if you have a question about our security program, please contact us. We appreciate responsible disclosure and will work with you to acknowledge receipt and coordinate remediation.

Email: it@aceware.com
Phone: 800-925-2493

Mail:

ACEware Systems, Inc.
7255 W 98th Ter., Suite 158
Overland Park, KS 66212
United States

13. Updates to this page

ACEware reviews this page periodically and posts updates here as our program evolves. This page was last updated on May 4, 2026.