Security & Compliance

Corvus DM Security Architecture

Corvus DM is deployed as a dedicated, FERPA-ready evaluation environment with an isolated database, encrypted storage, and multi-factor authentication. All client data is completely separate from development systems. Every action is recorded in an immutable audit trail. At the end of an evaluation period, we can transition the environment into production or securely destroy all data per your institution's data retention policy.

FERPA ReadyAES-256 EncryptionMFA EnabledSOC 2 InfrastructureAudit Trail

Security Overview

Corvus DM is a dissertation and committee management platform built for higher education. Security is foundational rather than an afterthought. The platform is designed to handle FERPA-protected student educational records with institutional-grade controls at every layer.

Encryption at rest and in transit
Multi-factor authentication (MFA)
Role-based access control (RBAC)
Immutable audit trail for every action
Isolated database per client environment
Automated vulnerability scanning
Security headers on every response
Bot and exploit path blocking

Cloud Infrastructure (AWS)

Corvus DM runs entirely on Amazon Web Services (AWS), inheriting AWS's extensive compliance certifications and physical security controls. AWS maintains SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, FedRAMP, and HIPAA compliance across its infrastructure.

ComponentAWS ServiceSecurity Features
ComputeAmazon ECS (Elastic Container Service)Non-root container execution, private subnets, no SSH access to containers
DatabaseAmazon RDS (PostgreSQL)AES-256 encryption at rest, SSL/TLS connections, automated backups, point-in-time recovery
File StorageAmazon S3Server-side encryption (SSE-S3/SSE-KMS), versioning, access logging, bucket policies
AuthenticationAmazon CognitoTOTP-based MFA, brute-force protection, password policies, JWT token verification
EmailAmazon SESDKIM/SPF authentication, domain verification, TLS transport
Load BalancerApplication Load Balancer (ALB)TLS 1.2/1.3 termination, AWS Certificate Manager (ACM) certificates, DDoS protection via AWS Shield
Container RegistryAmazon ECRImage scanning for CVEs, private repository, IAM-based access
DNSAmazon Route 53 (or registrar DNS)DNSSEC support, DDoS resilient

AWS compliance certifications: aws.amazon.com/compliance/programs

Encryption

Encryption at Rest

  • Database — Amazon RDS uses AES-256 encryption via AWS Key Management Service (KMS). All data, automated backups, read replicas, and snapshots are encrypted.
  • File storage — Amazon S3 objects are encrypted using server-side encryption (SSE-S3 or SSE-KMS). Each object is encrypted with a unique key, which is itself encrypted with a regularly rotated master key.
  • Session tokens — JWT session tokens are signed with HMAC-SHA256 using a per-environment secret. Tokens are stored in HttpOnly, Secure, SameSite cookies and are inaccessible to client-side JavaScript.

Encryption in Transit

  • HTTPS everywhere — all traffic is served over TLS 1.2 or 1.3 via AWS Certificate Manager certificates on the Application Load Balancer. HTTP requests are redirected to HTTPS.
  • Database connections — Prisma ORM connects to PostgreSQL over SSL/TLS (sslmode=require).
  • Email — Amazon SES uses TLS for outbound email delivery.
  • Strict-Transport-Security — enforced via security headers to prevent protocol downgrade attacks.

Authentication & Multi-Factor Authentication

Authentication Flow

  • Primary SSO — Amazon Cognito User Pools with hosted UI. Supports SAML, OIDC, and social identity providers for institutional SSO integration.
  • Session management — JWT tokens signed with HMAC-SHA256, stored in HttpOnly Secure cookies. Tokens are verified on every request by edge middleware before reaching application code.
  • Password policy — enforced via Cognito: minimum 8 characters, mixed case, numbers, special characters. Brute-force protection with account lockout after repeated failures.

Multi-Factor Authentication (MFA)

  • TOTP-based MFA — users enroll with an authenticator app (Google Authenticator, Microsoft Authenticator, Authy, or any TOTP-compatible app).
  • Enforcement level — configurable per environment. Client environments are set to Required, meaning all users must enroll in MFA on first login.
  • SMS fallback — optional SMS-based verification via Amazon SNS for users without an authenticator app.
  • Handled by Cognito — MFA challenges are managed by the Cognito hosted UI before the user is redirected to the application. No MFA codes are processed by application code.

Session Security

  • Cookies are HttpOnly (no JavaScript access), Secure (HTTPS only), and SameSite=Lax (CSRF protection).
  • Session secrets are unique per environment, so a compromised secret in one environment does not affect others.
  • Impersonation sessions are logged separately with mandatory reason fields and are included in the audit trail.

Access Control

Role-Based Access Control (RBAC)

Every user is assigned a role that determines their permissions across the system. Permissions are checked server-side on every API request. Client-side UI enforcement is a convenience layer and not a security boundary.

RoleAccess Level
Application AdminFull system access. User management, configuration, data exports, impersonation.
Group AdminGroup-level management. Content moderation within assigned groups.
Committee ChairOversight of assigned students. Scoring, feedback, milestone approval.
Faculty / Committee MemberRead/score assigned student work. Provide feedback within committee scope.
StudentAccess own dashboard, documents, milestones, and committee communications only.
GuestRead-only access to public content. No student data visibility.

Access Policies

  • Configurable access duration per audience and content scope (e.g., alumni access expires after 24 months).
  • Download permissions are separately controllable, allowing view-only access to be enforced for sensitive content.
  • Student data is scoped to the student's own records. Faculty only see students assigned to their committee.

Audit Trail & Logging

Application Audit Trail

Every significant action in the system is recorded as an immutable AuditEvent with:

  • Who — the user ID and role of the actor
  • What — the action type (login, create, update, delete, approve, score, impersonate, export, etc.)
  • When — ISO 8601 timestamp
  • Where — the resource type and resource ID affected
  • Context — additional metadata (IP address, user agent, before/after values where applicable)

Logged Actions Include

  • User login and logout (including failed attempts)
  • Document uploads, views, and downloads
  • Scoring and feedback submissions
  • Milestone status changes and approvals
  • Committee assignments and changes
  • User creation, modification, and deprovisioning
  • Impersonation sessions (start/end, reason, actions performed)
  • Data exports and API access
  • Configuration changes (settings, policies, retention rules)
  • Forum moderation actions (flags, resolutions, category changes)

Infrastructure Logging

  • AWS CloudWatch — container logs, application errors, and performance metrics from ECS.
  • ALB Access Logs — every HTTP request to the load balancer is logged with client IP, request path, response code, and latency.
  • RDS Audit Logs — database query logging available for compliance investigations.
  • S3 Access Logs — file access is logged at the bucket level.

Retention

Audit logs are retained for the lifetime of the environment. They are included in archive packages when a student is archived and are never purged while the environment is active.

Network Security

Edge Security (Middleware)

A server-side middleware layer runs on every request before it reaches application code, enforcing multiple security controls:

  • Bot blocking — known scanner and exploit tool user agents (sqlmap, nikto, nmap, masscan, nuclei, gobuster, etc.) are blocked with 403 responses.
  • Exploit path blocking — requests to known exploit paths (/cgi-bin, /shell, /cmd, /etc/passwd, /.aws, etc.) return 404.
  • Directory traversal prevention — requests containing .. or encoded traversal sequences are blocked.
  • Session verification — protected routes require a valid JWT session cookie, verified using HMAC-SHA256 before the request is forwarded.

Security Headers

Every response includes the following security headers:

HeaderValuePurpose
X-Content-Type-OptionsnosniffPrevents MIME-type sniffing
X-Frame-OptionsDENYPrevents clickjacking via iframes
X-XSS-Protection1; mode=blockEnables browser XSS filtering
Referrer-Policystrict-origin-when-cross-originControls information sent in Referer header
Permissions-Policycamera=(), microphone=(), geolocation=()Disables device APIs not needed by the app
Content-Security-Policydefault-src 'self'; frame-ancestors 'none'; ...Restricts script/resource origins, blocks embedding

DDoS Protection

AWS Shield Standard is enabled by default on all ALB and Route 53 resources, providing protection against common DDoS attack vectors (SYN floods, UDP reflection, etc.) at no additional cost.

Data Isolation

Each client environment is fully isolated. There is no shared database, no shared file storage, and no shared authentication pool between environments.

ResourceIsolation Level
DatabaseSeparate RDS instance (or separate database with distinct credentials). No cross-environment queries are possible.
File StorageSeparate S3 bucket with independent IAM access policies. Development buckets cannot access client buckets.
AuthenticationSeparate Cognito User Pool. Users, passwords, and MFA enrollments are environment-specific.
Session SecretsUnique HMAC signing secret per environment. A compromised secret in one environment does not affect others.
Environment VariablesEach environment has its own set of credentials and configuration. No secrets are shared.
Container ImageSame application code deployed to all environments (consistency), but promoted manually after testing.

Ownership

Ownership of data and intellectual property is clearly separated between the client institution and Corvus Software Group.

  • Client data — all user-related data entered into the environment is owned exclusively by the university. This includes student records, faculty profiles, uploaded documents, forum content, committee assignments, milestones, scores, feedback, audit logs, and any other data created by or about the institution's users. Corvus Software Group makes no claim to this data.
  • No data mining — Corvus Software Group does not access, analyze, sell, share, or otherwise mine client data for any purpose. Client data is used solely to provide the application's functionality to the institution and its authorized users.
  • Application codebase — the Corvus DM software, including all source code, architecture, design, and proprietary algorithms, is the intellectual property of Corvus Software Group. The client is granted a license to use the application for the duration of the agreement.

Data Portability & Destruction

  • The university may export its data at any time using the built-in data export tools (CSV, JSON, ZIP formats).
  • At the end of an evaluation period, the client chooses: transition to production (keep everything) or secure destruction (all data, files, backups, and logs are permanently deleted).
  • Destruction includes: RDS instance deletion (with final snapshot if requested), S3 bucket emptying and deletion, Cognito User Pool deletion, and CloudWatch log group deletion.
  • Upon request, Corvus Software Group will provide written confirmation that all client data has been destroyed.

Compliance & Regulatory

FERPA (Family Educational Rights and Privacy Act)

  • Student educational records are accessible only to the student, their assigned committee, and authorized administrators.
  • All access to student records is logged in the audit trail.
  • Impersonation requires a documented reason and is fully audited.
  • Forum categories can display FERPA banners reminding users not to share protected information.
  • Data export is restricted to authorized admin roles and logged.
  • Legal hold functionality freezes student data and generates tamper-evident archive packages.

AWS Compliance Inheritance

By running on AWS, Corvus DM inherits the following infrastructure compliance certifications:

  • SOC 1, SOC 2, SOC 3 (Service Organization Control)
  • ISO 27001, ISO 27017, ISO 27018 (Information Security Management)
  • FedRAMP (Federal Risk and Authorization Management Program)
  • HIPAA (Health Insurance Portability and Accountability Act) eligible
  • PCI DSS Level 1 (Payment Card Industry)
  • CSA STAR (Cloud Security Alliance)

Data Processing

  • Corvus Software Group acts as a data processor. The client institution is the data controller.
  • A Data Processing Agreement (DPA) or Business Associate Agreement (BAA) is available upon request.
  • Data residency: all data is stored in AWS US-West-2 (Oregon). Alternative regions are available upon request.

Vendor Security Questionnaire

The following questions and answers address common vendor security assessment requirements for higher education institutions.

QDoes this application/service involve handling / processing student or employee information?

Yes. Corvus DM processes student educational records as defined by FERPA, including: student names, university-assigned IDs, email addresses, program enrollment, dissertation documents, milestone progress, committee assignments, faculty feedback, and scoring data.

Employee (faculty/staff) information is limited to: name, email, role, and committee assignments. No payroll, SSN, or HR data is stored.

All student and employee data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Access is controlled via role-based permissions and logged in the audit trail.

QIs this product cloud hosted or does it include any hosted services on premise?

Cloud hosted exclusively. Corvus DM runs entirely on Amazon Web Services (AWS) with no on-premise components. The infrastructure consists of:

  • Amazon ECS for containerized application hosting
  • Amazon RDS (PostgreSQL) for the database
  • Amazon S3 for file storage
  • Amazon Cognito for authentication and MFA
  • Amazon SES for transactional email
  • Application Load Balancer with ACM-managed TLS certificates

All infrastructure runs in the AWS US-West-2 (Oregon) region. No software is installed on university systems or networks.

QDoes this product or service connect to a university network or run as software on a university system?

No. Corvus DM is a web-based SaaS application accessed via standard web browsers (Chrome, Firefox, Safari, Edge). It does not require:

  • Installation of any software on university computers or servers
  • VPN or network tunnel connections to university infrastructure
  • Direct database connections to university systems
  • Firewall rule changes or port openings on the university network

Optional SSO integration: If the university wishes to use their existing identity provider (e.g., Microsoft Entra ID, Okta, Shibboleth), Corvus DM supports SAML 2.0 and OIDC federation through Amazon Cognito. This is a standard outbound HTTPS integration and does not require inbound network access.

Optional API integration: Corvus DM provides a REST API that university systems can use to programmatically exchange data with the platform (e.g., syncing student progress to an LMS or SIS). Full API documentation is available at /api-docs. This integration is entirely optional and is not required to use the system.

QDoes this purchase involve a system that stores or transmits any financial data (e.g., account numbers, credit card numbers or budgetary/forecasting information)?

No. Corvus DM does not collect, store, process, or transmit any financial data. There are no payment forms, credit card fields, account number fields, or financial reporting features in the application.

The system is exclusively focused on dissertation management, academic milestones, committee collaboration, and document workflows.

QDoes the system or process involve communication with students, employees or third parties via email, text or other communication methods?

Yes. Corvus DM sends system-generated email notifications via Amazon SES for:

  • Retention status change notifications (student and committee)
  • Committee review SLA escalation alerts
  • Defense scheduling confirmations
  • System event announcements

All emails are sent from a verified domain with DKIM/SPF authentication. Email content is controlled by admin-configurable notification templates with variable interpolation — no free-text email composition is available. The application does not send SMS or text messages (except optional MFA verification codes via Amazon SNS).

The application also includes internal forum/discussion boards for committee-student communication. These are in-app only and do not generate external communications unless notification templates are configured.

User control over communications: Users can manage their own notification preferences and control the types and frequency of communications they receive. Administrators can also configure notification templates, enable or disable notification categories, and set delivery rules at the system level. No unsolicited or marketing communications are sent by the platform.

QDoes this purchase involve a system that requires students or employees to authenticate (login)?

Yes. All users must authenticate to access the system. Authentication supports:

  • Amazon Cognito — primary authentication provider with password policies, brute-force protection, and required MFA (TOTP via authenticator app)
  • Institutional SSO — optional SAML 2.0 or OIDC federation with the university's identity provider (Microsoft Entra ID, Okta, Shibboleth, etc.)
  • Database login — fallback credential-based login for environments without Cognito or SSO

Sessions are managed via signed JWT tokens in HttpOnly Secure cookies. Session verification occurs at the middleware layer on every request. There is no anonymous access to any protected content.

QWho will be managing the users and inputting them into the application?

University-designated administrators. The university assigns one or more Application Admin users who manage all aspects of the system, including:

  • Individual user creation — admins create users one at a time via a form (name, email, role, program, account type)
  • Bulk CSV import — admins upload a CSV file to create hundreds of users at once. The system assigns unique 950/951 IDs and validates all fields before import.
  • User editing — admins can update user profiles, change roles, reassign programs, and deactivate accounts
  • Deprovisioning — when a user leaves the institution, admins can deactivate the account, which triggers an automatic archive package (ZIP) containing all the user's data
  • API provisioning — the REST API can also be used to programmatically create, update, and deprovision user accounts, enabling integration with existing university identity management or HR systems for automated user lifecycle management

Corvus Software Group does not have access to user data in client environments unless explicitly granted for support purposes (with audit logging).

QWhat policies and expectations will be put in place for proper use of this application?

The following policies are enforced by the system and configurable by administrators:

  • Acceptable Use — forum categories support FERPA banners and sensitive keyword scanning to prevent inappropriate sharing of protected information
  • Content Moderation — flagging system for reported content with admin review workflow. All moderation actions are logged.
  • Access Duration — configurable time-limited access policies per audience (e.g., alumni access expires after N months)
  • Download Control — administrators can disable file downloads per audience/scope, enforcing view-only access where appropriate
  • Retention Pipeline — a 5-step automated retention system monitors student activity and escalates inactive students through configurable thresholds, with notifications at each step
  • Legal Hold — administrators can freeze student accounts for investigation/discovery, blocking all writes while preserving data integrity
  • Compliance Checklists — configurable checklists that gate document submission and approval, ensuring students complete required steps before proceeding
  • Impersonation Policy — all impersonation requires a documented reason and is fully audited. The system is designed for FERPA-aware troubleshooting.

Institutional branding: Universities can brand the application with their own logo, which appears in the upper left of every page, and customize the primary banner color used throughout the interface. The Corvus name and logo will remain in the application footer at all times.

The university is encouraged to establish its own Acceptable Use Policy (AUP) for the platform and communicate expectations to users during onboarding.

QWhat is needed from a university's IT department to make this a functioning application?

Very little. Because Corvus DM is a fully hosted SaaS application, the university IT department does not need to provision, install, or maintain any infrastructure. Specifically:

Required (minimal):

  • Web browser access — users need a modern web browser (Chrome, Firefox, Safari, or Edge). No plugins, extensions, or software installation required.
  • Internet access — outbound HTTPS (port 443) to *.corvussg.com. No inbound firewall rules, VPN, or special network configuration needed.

Optional (for enhanced integration):

  • SSO federation — if the university wants single sign-on, IT provides SAML 2.0 or OIDC metadata from their identity provider (Microsoft Entra ID, Okta, Shibboleth, etc.). This is a one-time configuration exchange.
  • Email allowlisting — adding corvussg.com to the email allowlist ensures system notifications are not filtered by spam protection.
  • DNS (if using custom subdomain) — if the university wants a custom domain (e.g., dm.university.edu), IT creates a CNAME record pointing to our load balancer.
  • API integration — the Corvus DM REST API allows university systems (LMS, SIS, HR) to programmatically sync student data, provision and deprovision user accounts, and retrieve progress reports. Documentation is available at /api-docs.

No database access, server provisioning, network configuration, or ongoing IT maintenance is required from the university.

Questions about our security posture?

We're happy to discuss security requirements, provide additional documentation, or schedule a call with your IT/security team.

security@corvussg.com