Flagship Security Feature

Guardian Security Perimeter

Zero-Trust Protection Against Vendor Breaches. When third-party vendors get hacked, your students' data stays safe. Cryptographic tokenization replaces student PII before data leaves your network.

The Problem

Third-Party Vendor Breaches Expose Student Data

Traditional Approach

Schools send complete student records to third-party vendors:

  • Full names and addresses
  • Birthdates and SSNs
  • Special education status (IEP)
  • Medical information
  • Disciplinary records

When vendors are breached, everything is exposed.

Guardian Approach

Vendors receive only cryptographic tokens:

  • Unique vendor-specific tokens
  • Minimum required data only
  • No real student identities
  • Isolated per-vendor tokens
  • Breach containment built-in

Vendor breaches expose useless tokens, not student data.

How Guardian Works

Three-Zone Security Model

External Zone

Internet / Third-Party Vendors

  • Vendor A (tokenized)
  • Vendor B (tokenized)
  • Vendor C (tokenized)
  • Parent Portal (tokenized)

Guardian Perimeter

Zero-Trust Gateway

  • Token Generation (SHA-256 HMAC)
  • Token Vault (AES-256 encrypted)
  • Vendor Token Service
  • Audit Logging

Internal Zone

School Network

  • Heronix SIS (full access)
  • Teacher Portal (role-based)
  • Student Portal (role-based)
  • Admin Dashboard (full access)

Real-World Example

How Vendor Isolation Protects Students

Student: Emily Rodriguez

Internal System (Full Data)

Full Name: "Emily Rodriguez"
DOB: "05/15/2010"
Address: "123 Main St"
SSN: "XXX-XX-1234"
IEP Status: "Yes"

Vendor A

Student ID: VNDA_7H4K9D2X

Name: "Emily R." | Grade: "A"

Vendor B

Student ID: VNDB_3M8P5K1Q

Name: "E. Rodriguez" | Grade: "B+"

Vendor C

Student ID: VNDC_6N2H9L4X

Name: "E. R." | Score: "245"

Vendor A Suffers Data Breach

Attackers steal vendor database containing: VNDA_7H4K9D2X, "Emily R.", Grade: "A"

Tokens Only - No Real PII

What Attackers CANNOT Access

  • Full name (only "Emily R.")
  • Address (never sent)
  • SSN (never sent)
  • IEP status (never sent)
  • Vendor B data (uses VNDB_* tokens)
  • Vendor C data (uses VNDC_* tokens)

Technical Specifications

Enterprise-Grade Cryptographic Security

Token Generation

  • Algorithm: SHA-256 HMAC
  • Salt: 32 bytes cryptographically random
  • Format: TKN_XXXXXXXXXXXXXXXX
  • Collision: 2^-64 probability

Encryption

  • Algorithm: AES-256-GCM
  • Key Storage: Environment vars / HSM
  • Key Rotation: Automated monthly
  • At Rest: Encrypted vault

Audit Logging

  • Scope: All tokenization ops
  • Vendor API: All calls logged
  • Detokenization: Request tracking
  • Search: By user, student, vendor
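
The token-generation specification above and the per-vendor isolation from the Emily Rodriguez example, sketched as an added example (not Heronix code). Assumptions: the 32-byte random value serves as the HMAC key, a token is the first 64 bits of the HMAC in hex behind a vendor prefix, and the vault is a plain in-memory dict standing in for the AES-256-GCM encrypted vault; `Tokenizer`, `VENDOR_FIELDS` and the sample record are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record, mirroring the page's example student.
STUDENT = {"student_id": "S-0001", "first": "Emily", "last": "Rodriguez",
           "dob": "05/15/2010", "ssn": "XXX-XX-1234", "iep": True, "grade": "A"}

# Hypothetical per-vendor allow-lists: the only fields each vendor may receive.
VENDOR_FIELDS = {"VNDA": ("grade",), "VNDB": ("grade",)}


class Tokenizer:
    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("need a 32-byte secret key")
        self._key = key
        self._vault = {}  # token -> internal student_id (encrypted at rest in practice)

    def token(self, vendor: str, student_id: str) -> str:
        # Length-prefix the vendor so ("AB", "C") and ("A", "BC") hash differently.
        msg = len(vendor).to_bytes(2, "big") + vendor.encode() + student_id.encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        tok = f"{vendor}_{digest[:8].hex().upper()}"  # 64 bits -> 16 hex characters
        # A truncated MAC can collide; never map one token to two students.
        if self._vault.setdefault(tok, student_id) != student_id:
            raise RuntimeError("token collision: lengthen the token")
        return tok

    def export(self, vendor: str, record: dict) -> dict:
        # Deny by default: unknown vendors raise, unlisted fields never leave.
        allowed = VENDOR_FIELDS[vendor]
        out = {f: record[f] for f in allowed}
        out["student_id"] = self.token(vendor, record["student_id"])
        return out

    def detokenize(self, token: str) -> str:
        return self._vault[token]  # KeyError for tokens this vault never issued


def demo():
    t = Tokenizer(secrets.token_bytes(32))
    a, b = t.export("VNDA", STUDENT), t.export("VNDB", STUDENT)
    return t, a, b
```

Because the HMAC key stays inside the perimeter, a party holding Vendor A's tokens cannot recompute or link them to Vendor B's tokens for the same student.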

Compliance Benefits

Built for Educational Privacy Requirements

FERPA

Minimized PII disclosure to third parties

COPPA

Parental consent enforcement

State Laws

Data stays local to your jurisdiction

Breach Notification

Reduced scope (tokens, not PII)

Protect Your Students Today

Guardian Security Perimeter is available as an add-on module for Heronix SIS. Contact us for pricing and implementation details.