
Privacy Policy & Terms of Service

Effective Date: January 1, 2026 | Last Updated: January 1, 2026

1. Introduction

Welcome to EdFiles.com (“EdFiles,” “we,” “us,” or “our”). EdFiles is a secure, cloud-native document management platform purpose-built to safeguard client data. We serve educational institutions, healthcare organizations, and enterprise clients who require strong data protection, availability, and governance.

This document constitutes the Privacy Policy and Terms of Service (“Terms”) governing your access to and use of the EdFiles platform, website, and all associated services (collectively, the “Services”). These Terms are a legally binding agreement between you (“User,” “you,” or “your”) and EdFiles. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by these Terms.

Security is a foundational principle of the EdFiles architecture, not an afterthought. Controls are applied at every layer of the stack — from network-level threat filtering and encrypted data transmission, to application-level access management and audit logging.

2. Definitions

The following definitions apply throughout this document:

| Term | Definition |
| --- | --- |
| Platform | The EdFiles cloud-native document management system and all associated services |
| User | Any individual or entity accessing or using the EdFiles platform |
| Client | An organization or institution that has entered into a service agreement with EdFiles |
| Education Records | Records directly related to a student, maintained by an educational institution, as defined under FERPA |
| Protected Health Information (PHI) | Individually identifiable health information as defined under HIPAA |
| Personal Data | Any information that identifies or can reasonably be used to identify an individual |
| Business Associate Agreement (BAA) | A written agreement establishing the responsibilities of EdFiles as a Business Associate under HIPAA |
| AWS | Amazon Web Services, the cloud infrastructure provider hosting the EdFiles platform |

3. Acceptance of Terms

By creating an account, accessing, or using the EdFiles platform, you confirm that:

  • You are at least 18 years of age or have the legal authority to enter into this agreement on behalf of your organization.
  • You have the authority to bind your organization to these Terms if you are acting on behalf of an institution or enterprise.
  • You agree to comply with all applicable local, state, federal, and international laws and regulations in connection with your use of the Services.

If you do not agree to these Terms, you must immediately discontinue your use of the Services.

4. Privacy Policy

4.1 Information We Collect

EdFiles collects information necessary to provide, maintain, and improve our Services. The categories of information we collect include:

  • Account and Identity Information. When you register for an account, we collect information such as your name, email address, organization name, job title, and login credentials. Passwords are stored using a cryptographic hashing algorithm; plaintext passwords are never stored or transmitted.
  • Usage and Activity Data. We collect information about how you interact with the platform, including access logs, document upload and retrieval events, authentication events, and feature usage. This data is used for security monitoring, operational diagnostics, and service improvement.
  • Documents and Files. Users upload documents and files to the platform for storage and management. EdFiles treats all uploaded content as confidential client data. We do not access, analyze, or use your documents for any purpose other than providing the agreed-upon Services.
  • Technical and Device Information. We may collect technical information such as IP addresses, browser type, operating system, and session identifiers for security and operational purposes.
  • Communications. If you contact us for support or other inquiries, we retain records of those communications to assist with your request and improve our Services.

4.2 How We Use Your Information

EdFiles uses the information we collect for the following purposes:

  • Service Delivery: To authenticate users, manage accounts, store and retrieve documents, and provide all platform features.
  • Security and Fraud Prevention: To detect, investigate, and prevent unauthorized access, data breaches, and other malicious activity. This includes the use of Web Application Firewall (WAF) logs, access logs, and anomaly monitoring.
  • Compliance and Legal Obligations: To comply with applicable laws and regulations, including FERPA, HIPAA, and other applicable data protection requirements.
  • Service Improvement: To analyze usage patterns and improve platform performance, reliability, and features.
  • Communications: To send service-related notifications, security alerts, and updates regarding these Terms.

EdFiles does not sell, rent, or trade your personal data or client data to third parties for marketing or commercial purposes.

4.3 How We Share Your Information

EdFiles does not disclose your information to third parties except in the following circumstances:

  • Service Providers. We engage trusted third-party service providers, including Amazon Web Services (AWS), to host and operate the platform. These providers are contractually obligated to protect your data and may only use it to provide services on our behalf.
  • Legal Requirements. We may disclose information if required to do so by law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to protect the rights, property, or safety of EdFiles, our users, or the public.
  • Business Transfers. In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will notify you of any such change and the choices available to you.
  • With Your Consent. We may share your information with third parties when you have provided explicit consent to do so.

4.4 Data Retention

EdFiles retains personal data and client data for as long as necessary to provide the Services and fulfill the purposes described in these Terms, or as required by applicable law. Upon termination of a service agreement, client data will be retained for a defined period to support point-in-time recovery and then securely deleted in accordance with our data disposal procedures.

Backup data is retained for a defined period consistent with our backup and recovery policies and then purged from our systems.

4.5 Your Rights and Choices

Depending on your jurisdiction and applicable law, you may have the following rights regarding your personal data:

  • Access: The right to request a copy of the personal data we hold about you.
  • Correction: The right to request correction of inaccurate or incomplete personal data.
  • Deletion: The right to request deletion of your personal data, subject to legal and contractual obligations.
  • Portability: The right to receive your personal data in a structured, commonly used format.
  • Objection: The right to object to certain processing activities.

To exercise any of these rights, please contact us using the information provided in Section 8. We will respond to your request within the timeframe required by applicable law.

5. Security

EdFiles implements a defense-in-depth security model, applying controls at every layer of the platform stack. The following sections describe the specific security controls in place.

5.1 Infrastructure Security

Web Application Firewall (WAF). EdFiles deploys AWS WAF attached to the Application Load Balancer (ALB) to inspect and filter all inbound HTTP/HTTPS traffic before it reaches application servers. The WAF provides the following protections:

| Protection | Description |
| --- | --- |
| SQL Injection (SQLi) Prevention | Blocks malicious database query patterns embedded in web requests |
| Cross-Site Scripting (XSS) Mitigation | Detects and blocks script injection attempts |
| Malicious Bot Filtering | Identifies and blocks automated scraping, credential stuffing, and scanning tools |
| IP Reputation-Based Blocking | Rejects traffic from known malicious IP ranges and threat intelligence feeds |
| Rate Limiting | Configurable request throttling to protect against abuse and brute-force attempts |
| Custom Security Rules | Tailored rule sets based on application-specific traffic patterns |

All WAF activity is logged and available for audit and incident investigation.

Application Load Balancer (ALB). The AWS ALB serves as the secure entry point to the EdFiles platform, performing TLS/HTTPS termination and serving as the required attachment point for AWS WAF. All client connections are encrypted; plaintext HTTP is not accepted.

DDoS Protection. EdFiles benefits from baseline DDoS mitigation inherent to the AWS platform, including WAF rate limiting, rule-based blocking, and AWS infrastructure-level protections that mitigate common volumetric attacks at the network edge.

5.2 Data Security

Secure Document Storage (Amazon S3). All user documents are stored in Amazon S3 buckets configured for maximum privacy and access control:

  • Buckets are strictly private — no public access is permitted at either the bucket or account level.
  • Public access block is enforced at both the AWS account and individual bucket level, preventing accidental exposure.
  • Access is controlled through tightly scoped AWS IAM policies, applying the principle of least privilege.
  • Server-side encryption (SSE) is enabled to protect all data at rest.

Secure File Delivery via Pre-Signed URLs. Files are never served via static, public URLs. EdFiles uses time-limited pre-signed URLs to deliver documents securely:

  • Pre-signed URLs are generated on demand for authenticated, authorized users only.
  • Each URL carries a cryptographic signature and an expiration timestamp — access is automatically revoked after the defined period.
  • Direct access to S3 storage is not possible without a valid, unexpired pre-signed URL.
  • Pre-signed URLs grant read-only access, ensuring documents can be viewed but never modified or deleted through the delivery URL.

Encryption in Transit. All data in transit between clients, the application, and AWS services is encrypted using TLS (Transport Layer Security):

  • Browser to Application: All user sessions are conducted over HTTPS. HTTP connections are not served.
  • Application to AWS Services: Internal communication with S3, databases, and other AWS services is conducted over encrypted channels.

This ensures data cannot be intercepted or tampered with during transit, protecting against man-in-the-middle (MITM) attacks.

5.3 Application Security

Authentication and Access Control. EdFiles enforces the following authentication and access management controls:

  • Secure Credential-Based Authentication: Passwords are stored using a cryptographic hashing algorithm; plaintext passwords are never stored or transmitted.
  • Role-Based Access Control (RBAC): User permissions are determined by assigned roles, restricting access to only the features and data relevant to each user’s function.
  • Session Management: Authenticated sessions carry secure, server-issued tokens with automatic expiration to reduce the risk of session hijacking.

Multi-Factor Authentication (MFA). EdFiles supports MFA, providing an additional security layer beyond username and password. When MFA is enabled:

  • Users must verify their identity using a one-time passcode (OTP) delivered to their registered email address at each login.
  • Access to the platform is denied even if primary credentials are compromised, unless the correct OTP is also presented.
  • OTPs are single-use and time-limited, expiring automatically after a short window to prevent reuse or interception.
  • MFA significantly mitigates the risk of account takeover via phishing, credential stuffing, and brute-force attacks.

5.4 Network Security

  • The Application Load Balancer is the sole public-facing entry point — all traffic passes through the WAF and ALB before reaching the application.
  • AWS Security Groups act as virtual firewalls, permitting only explicitly whitelisted traffic between components — no unnecessary ports or protocols are open.
  • The principle of least privilege is applied to all network access rules — backend services only accept traffic from the ALB, not from the public internet directly.
  • Internal service-to-service communication is restricted to defined, authorized traffic flows.

5.5 Logging, Monitoring, and Backup

Logging and Monitoring. EdFiles uses AWS-native monitoring and logging capabilities to maintain continuous visibility into system health, user activity, and potential security events:

| Log Type | Purpose |
| --- | --- |
| Access Logs | Records of all inbound requests, including authentication events and resource access |
| Application Error Logs | Captures application-level exceptions and failures for rapid diagnosis |
| WAF Logs | Detailed records of traffic evaluated and blocked by the WAF, including matched rules and attacker IP addresses |

Log data is used for both operational monitoring and post-incident forensic investigation.

Backup and Availability. EdFiles is designed for high availability and data durability:

  • Amazon S3 Data Durability: S3 provides 99.999999999% (eleven nines) data durability through automatic redundant storage across multiple AWS facilities.
  • Periodic Backups: Snapshots of the EC2 application instance, S3 bucket contents, and database are taken on a regular schedule.
  • Backup Retention: Backups are retained for a defined period to support point-in-time recovery.

6. Regulatory Compliance

EdFiles is committed to helping our clients meet their regulatory compliance obligations. The following sections describe our approach to FERPA and HIPAA compliance.

6.1 FERPA Compliance

The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a federal law that protects the privacy of student education records. EdFiles is designed to support educational institutions in fulfilling their FERPA obligations.

EdFiles as a School Official. When EdFiles processes education records on behalf of an educational institution, EdFiles acts as a “School Official” with a “legitimate educational interest,” as permitted under FERPA. In this capacity, EdFiles:

  • Uses education records solely for the purpose of providing the contracted Services to the institution.
  • Does not re-disclose education records to unauthorized third parties.
  • Maintains the confidentiality, integrity, and availability of education records through the security controls described in Section 5.
  • Supports the institution’s ability to fulfill student rights under FERPA, including rights of access, amendment, and disclosure consent.

Data Handling Commitments. EdFiles does not use education records for any commercial purpose, including advertising or data mining. Access to education records is strictly controlled through RBAC and audit logging, ensuring that only authorized personnel can access student data.

Institutional Responsibility. Educational institutions retain primary responsibility for FERPA compliance. EdFiles provides the technical infrastructure and contractual commitments to support that compliance. Institutions are responsible for ensuring that their use of the EdFiles platform is consistent with their FERPA obligations, including obtaining any required consents from students or parents.

6.2 HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for the protection of Protected Health Information (PHI). EdFiles supports clients who are Covered Entities or Business Associates under HIPAA.

Business Associate Agreement (BAA). EdFiles will enter into a Business Associate Agreement (BAA) with clients who are Covered Entities or Business Associates and who use the EdFiles platform to store, transmit, or manage PHI. The BAA formally establishes EdFiles’s responsibilities regarding PHI and is a prerequisite for HIPAA-compliant use of the platform.

HIPAA Security Rule Compliance. EdFiles’s platform architecture is designed to support the requirements of the HIPAA Security Rule (45 CFR Part 164), including:

| HIPAA Safeguard Category | EdFiles Controls |
| --- | --- |
| Administrative Safeguards | Access management policies, workforce training, incident response procedures, and audit controls |
| Physical Safeguards | AWS data center physical security, including controlled facility access and environmental controls |
| Technical Safeguards | Encryption at rest (SSE) and in transit (TLS), RBAC, MFA, unique user identification, automatic session timeout, and audit logging |

Minimum Necessary Standard. EdFiles applies the principle of least privilege across all access controls, consistent with HIPAA’s minimum necessary standard. Users are granted access only to the PHI necessary to perform their assigned functions.

Breach Notification. In the event of a security incident that may constitute a breach of unsecured PHI, EdFiles will notify affected clients in accordance with the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D) and the terms of the applicable BAA.

Client Responsibility. Clients are responsible for ensuring that their use of the EdFiles platform is consistent with their own HIPAA obligations, including implementing appropriate administrative and physical safeguards within their organizations, and for executing a BAA with EdFiles prior to uploading any PHI to the platform.

7. Terms of Service

7.1 Eligibility

The EdFiles platform is intended for use by organizations and their authorized personnel. By using the Services, you represent and warrant that you are at least 18 years of age and have the legal capacity to enter into a binding agreement. Use of the platform by individuals under the age of 18 is not permitted without the express consent and oversight of a parent, guardian, or authorized institutional representative.

7.2 Account Registration and Responsibilities

You are responsible for maintaining the confidentiality of your account credentials, including your username, password, and any MFA codes. You agree to:

  • Provide accurate, current, and complete information during registration.
  • Maintain and promptly update your account information.
  • Notify EdFiles immediately of any unauthorized use of your account or any suspected security breach.
  • Accept responsibility for all activities that occur under your account.

EdFiles will not be liable for any loss or damage arising from your failure to maintain the security of your account credentials.

7.3 Acceptable Use

You agree to use the EdFiles platform only for lawful purposes and in accordance with these Terms. You agree not to:

  • Upload, store, or transmit any content that is unlawful, harmful, defamatory, obscene, or otherwise objectionable.
  • Attempt to gain unauthorized access to any part of the platform, other user accounts, or any systems or networks connected to the platform.
  • Engage in any activity that disrupts, degrades, or interferes with the integrity or performance of the platform.
  • Use the platform to transmit unsolicited communications, malware, or other harmful code.
  • Circumvent, disable, or otherwise interfere with any security-related features of the platform.
  • Use the platform in any manner that violates applicable laws or regulations, including FERPA, HIPAA, or other data protection laws.

EdFiles reserves the right to suspend or terminate access for any user found to be in violation of these acceptable use provisions.

7.4 Intellectual Property

All content, features, and functionality of the EdFiles platform, including but not limited to software, design, text, graphics, and logos, are the exclusive property of EdFiles and are protected by applicable intellectual property laws. You are granted a limited, non-exclusive, non-transferable license to access and use the platform solely for its intended purpose in accordance with these Terms.

You retain all ownership rights to the documents and files you upload to the platform. By uploading content, you grant EdFiles a limited license to store, process, and transmit that content solely as necessary to provide the Services.

7.5 Disclaimers and Limitation of Liability

Disclaimer of Warranties. The EdFiles platform is provided on an “as is” and “as available” basis. To the fullest extent permitted by applicable law, EdFiles disclaims all warranties, express or implied, including but not limited to implied warranties of merchantability, fitness for a particular purpose, and non-infringement. EdFiles does not warrant that the platform will be uninterrupted, error-free, or completely secure.

Limitation of Liability. To the fullest extent permitted by applicable law, EdFiles shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of data, loss of profits, or business interruption, arising out of or in connection with your use of the platform, even if EdFiles has been advised of the possibility of such damages. EdFiles’s total aggregate liability to you for any claims arising under these Terms shall not exceed the amounts paid by you to EdFiles in the twelve (12) months preceding the event giving rise to the claim.

7.6 Indemnification

You agree to indemnify, defend, and hold harmless EdFiles, its officers, directors, employees, agents, and licensors from and against any claims, liabilities, damages, losses, and expenses, including reasonable attorneys’ fees, arising out of or in any way connected with your access to or use of the platform, your violation of these Terms, or your violation of any applicable law or regulation.

7.7 Termination

EdFiles reserves the right to suspend or terminate your access to the platform at any time, with or without cause, and with or without notice, if EdFiles reasonably believes you have violated these Terms or applicable law. Upon termination, your right to use the platform will immediately cease. Provisions of these Terms that by their nature should survive termination shall survive, including but not limited to intellectual property provisions, disclaimers, and limitations of liability.

7.8 Governing Law and Dispute Resolution

These Terms shall be governed by and construed in accordance with the laws of the State of California, without regard to its conflict of law provisions. Any dispute arising out of or relating to these Terms or the use of the EdFiles platform shall be resolved through binding arbitration in accordance with the rules of the American Arbitration Association, except that either party may seek injunctive or other equitable relief in a court of competent jurisdiction to prevent actual or threatened infringement of intellectual property rights or unauthorized use of confidential information.

7.9 Modifications to These Terms

EdFiles reserves the right to modify these Terms at any time. We will notify users of material changes by posting the updated Terms on our website and updating the “Last Updated” date at the top of this document. We may also provide notice via email or in-platform notification for significant changes. Your continued use of the platform following the posting of changes constitutes your acceptance of the revised Terms. If you do not agree to the revised Terms, you must discontinue your use of the platform.

8. Contact Information

If you have any questions, concerns, or requests regarding these Privacy & Terms of Service, or to request a Business Associate Agreement (BAA), please contact us:

For security-related concerns or to report a suspected vulnerability, please contact us immediately at support@edfiles.com.

This document was last reviewed and updated on January 1, 2026. EdFiles reserves the right to update this document periodically to reflect changes in our practices, services, or applicable law.

© 2026 EdFiles. All Rights Reserved.