Trust Center

Your Trust, Our Commitment. Security, Privacy, and Compliance for Every Customer.”

  • Overview
  • Security
  • Privacy
  • Availability
  • Accessibility
  • Compliance

Overview

Welcome to the Cedar Mountain Software Trust Center

PantrySoft is a cloud-based application provided by Cedar Mountain Software, Inc. Security, privacy, availability, and compliance are built into how we design, operate, and support PantrySoft for our customers. We focus on transparency, accountability, and continuous improvement to help keep your data protected.

This Trust Center centralizes information about our security controls, data protection practices, system reliability and uptime commitments, and our approach to regulatory and contractual compliance relevant to our customers.

Contact Us

For security-related inquiries, compliance questions, or requests for documentation, contact our Security & Compliance Team: [email protected]

Security

Security at Cedar Mountain Software

Our Approach

We maintain a comprehensive, risk-based security program designed to protect the confidentiality, integrity, and availability of your data. While we are a growing startup, we hold ourselves to the same high standards as larger organizations. Our program is guided by ISO/IEC 27001 practices and the NIST Cybersecurity Framework.

Key Security Practices

  • Annual Governance, Risk, and Compliance (GRC) Assessment
    • Annual security controls assessments aligned with frameworks such as NIST Cybersecurity Framework and CIS Controls.
    • We identify areas for improvement and implement a remediation plan prioritized by risk.
  • Annual Independent Penetration Testing
    • We engage third-party security experts to perform annual penetration tests on our application and AWS-hosted infrastructure.
    • All vulnerabilities are remediated, with retesting to verify resolution and documented evidence of closure.
  • Cloud Security (AWS)
    • We follow AWS security best practices, leveraging services such as CloudTrail, GuardDuty, and Security Hub to monitor for threats and anomalous activity.
    • Data isolation, IAM best practices, and strict network segmentation are in place.
  • Encryption
    • In Transit: TLS 1.2+ encryption for all communications.
    • At Rest: AES-256 encryption within AWS managed storage solutions.
  • Access Controls
    • Role-Based Access Control (RBAC) and Principle of Least Privilege (PoLP) are applied across all systems.
    • Multi-Factor Authentication (MFA) is enforced for administrative and privileged access, and access reviews are conducted on a regular basis.
  • Secure Software Development Lifecycle (SSDLC)
    • Code reviews, static application security scanning (SAST), and secure coding training ensure security is built into our development processes.
    • Dependency and software composisition scanning (SCA) are used to identify known vulnerabilities in third-party libraries and images.
    • Changes follow a documented change management process, including testing and approval, before deployment to production.

Vendor and Third-Party Risk Management

We rely on carefully selected third-party vendors and require them to meet our security and privacy standards.

  • Vendor Security Reviews
    • We conduct risk-based security assessments of all critical vendors and sub-processors at onboarding and at least annually thereafter.
    • Reviews consider data classification, service criticality, and the vendor’s own certifications or attestations (such as SOC 2 or ISO 27001, where available).
  • Sub-processor List
    • Available in our public documentation or upon request, including the services provided and the types of data processed.
  • Contractual Safeguards
    • We require DPAs, confidentiality agreements, and security obligations in all vendor contracts, including breach notification and data protection requirements.

Security Awareness & Training

Our employees are trained to recognize and prevent security threats.

  • Security Awareness Training
    • Mandatory training for all staff on security best practices, phishing, and data privacy at onboarding and regularly thereafter.
    • Periodic phishing simulations and targeted reinforcement for higher-risk roles.
  • Developer Training
    • Secure coding practices and OWASP Top 10 vulnerabilities are covered in role-specific training for engineers.
  • Incident Response Drills
    • Tabletop exercises and role-based scenarios are conducted to validate our Incident Response Plan and clarify roles and responsibilities.

Privacy

Privacy and Data Protection

We are committed to protecting your privacy and handling your data responsibly throughout its lifecycle. Our services and internal controls are designed to support compliance with major data privacy regulations relevant to our customers and services.

Our Privacy Practices

  • HIPAA Compliance (Business Associate)
    • We implement safeguards required under HIPAA, including administrative, physical, and technical controls.
    • We are capable of signing Business Associate Agreements (BAAs) with Covered Entities when PantrySoft processes Protected Health Information (PHI) on their behalf.
    • We process PHI only in accordance with our customers’ written instructions, applicable BAAs, and our internal security and privacy policies.
  • FERPA Compliance
    • Our systems and processes are designed to safeguard student education records in compliance with FERPA requirements.
    • We only collect, process, and store education data for the purposes authorized by our clients.
    • We acknowledge that student education records remain the property of the educational institution. PantrySoft acts as a “school official” with a legitimate educational interest and does not sell or use student data for any reason.
  • CCPA Compliance
    • We follow California Consumer Privacy Act (CCPA) requirements to protect the privacy rights of California residents when PantrySoft acts as a service provider to covered organizations.
    • We do not “sell” personal information as that term is defined under the CCPA and do not use your data for cross-context behavioral advertising.
    • We support customer processes for honoring consumer privacy rights, including access and deletion requests, through in-application capabilities and support-assisted requests.
  • Data Residency and Sovereignty
    • Customer data for PantrySoft Cloud is hosted in U.S. based AWS Regions and operated in the United States. Processing is subject to U.S. law and the enforcement authority of U.S. regulators.
    • Each customer’s production data is logically isolated within its own database instance. We work with customers to address institutional and contractual data residency requirements through configuration and agreements.
  • Data Storage, Retention, and Access
    • Customer data is encrypted at rest and in transit and is stored in dedicated database instances, isolated from other PantrySoft Cloud customers.
    • Operational backups are retained for a defined period to support recovery from accidental deletion or unforeseen events, and additional long-range backups are maintained for business continuity and disaster recovery purposes.
    • Data is stored redundantly in multiple locations to help ensure service availability and integrity.
    • You may request assistance from our support team for additional data access or correction needs.
  • Use and Sharing of Personal Information
    • PantrySoft does not use your users’ or clients’ personal information for its own marketing or for targeted advertising, and we do not sell personal information.
    • We may share limited personal information with third-party service providers who act as our sub-processors and who are contractually required to protect that information and use it only to provide services to PantrySoft and our customers.
    • We may share information when required to comply with law, protect the safety of individuals, or respond to lawful requests from authorities, consistent with our legal and contractual obligations.
  • Exercising Privacy Rights and Contacting Us
    • Customers and end users can exercise applicable privacy or data subject rights (such as access, correction, or deletion) through in-application tools or by working with their institution’s PantrySoft administrator.
    • For privacy-related inquiries, Data Processing Agreements, BAAs, or assistance with data subject or consumer rights requests, contact our Security & Compliance team at: [email protected]

Availability

System Status & Availability

We are committed to delivering highly available services and transparent communications.

System Status (Live Status by Uptime Robot)

  • Uptime Target: 99.7% service availability on an annual basis for the PantrySoft cloud-hosted application, consistent with our Service Level Agreement.
  • Disaster Recovery
    • RTO (Recovery Time Objective): < 4 hours for restoration of core PantrySoft application services following a declared disaster.
    • RPO (Recovery Point Objective): < 1 hour for production database data under normal operating conditions.
    • Our Disaster Recovery and Business Continuity plans define roles, responsibilities, and step-by-step procedures for restoring services, including verification of security controls prior to returning systems to normal operation.
    • Disaster recovery capabilities are built on AWS infrastructure using multiple availability zones to reduce the impact of localized failures.
  • Backup and Data Recovery
    • Daily backups of customer production databases with geo-redundant storage across AWS Availability Zones.
    • Backups are encrypted, access-controlled, and managed in accordance with our Data Integrity and Encryption Policy.
    • Backups are used to restore the most current known-good instance of data in the event of data loss, corruption, or major incident.
    • Backup and restoration procedures are periodically tested as part of our Disaster Recovery and Business Continuity exercises to help ensure recoverability.

Accessibility

Our Commitment to Accessibility

Cedar Mountain Software is committed to making PantrySoft accessible to all users, including those who rely on assistive technologies or keyboard-only navigation. We work toward conformance with the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA across the PantrySoft University Edition, in alignment with updated obligations under Title II of the ADA.

Accessibility Conformance Report (VPAT)

We publish a Voluntary Product Accessibility Template (VPAT) Accessibility Conformance Report (ACR) that documents our current conformance posture across WCAG 2.0, 2.1, and 2.2 at Levels A, AA, and AAA.

Download VPAT/ACR

Key Points

  • Annual Accessibility Audit
    • PantrySoft undergoes an annual structured accessibility review combining automated scanning and manual testing, including keyboard-only operation and screen reader evaluation using NVDA and other assistive technologies.
    • Our audit has historically focused on the student facing Client Portal and Kiosk interfaces. In response to updated Title II requirements, we have expanded our review to include all staff and administrator facing Dashboard screens.
  • Ongoing Remediation
    • Known accessibility gaps are tracked in our accessibility roadmap and treated as software defects, prioritized and addressed in accordance with the remediation commitments in our Service Level Agreement.
    • The VPAT is updated frequently reflect remediated issues and new findings as testing of additional screens is completed.
  • Scope
    • This conformance report applies to the University Edition of PantrySoft and its core features as made available by default. It does not cover customer-specific customizations or configurations that may affect the accessibility of content or workflows.
  • Title II Alignment
    • Our current accessibility program is oriented toward achieving full WCAG 2.1 Level AA conformance across all University Edition interfaces in advance of the applicable Title II compliance deadline. The VPAT documents our current posture and known gaps transparently.

Compliance

Compliance and Certifications

We maintain a robust compliance and governance program tailored to our industry and client needs. Our policies and controls are mapped to widely recognized frameworks to help support our regulatory and contractual obligations.

Current Compliance Commitments

  • HIPAA: We sign Business Associate Agreements (BAAs) and have implemented required safeguards to protect Protected Health Information (PHI).
  • FERPA: We comply with the privacy and security provisions for education records.
  • CCPA: Privacy compliance for California residents.
  • HECVAT: Our Higher Education Community Vendor Assessment Toolkit is available to higher education and K–12 customers.
  • VPAT: An Accessibility Conformance Report (ACR) provides additional transparency into our accessibility standards and controls.

In Progress

  • Tx-RAMP Certification
    • We are actively working towards Tx-RAMP Level 1 certification.
    • Our application and controls are undergoing security assessments required by the Texas Department of Information Resources (DIR) to support Texas state agencies and higher education customers.
  • GovRAMP Certification
    • Upon completing our TX-RAMP certification we plan to join the effort to standardize nationwide government compliance around the ISO 800-53 Framework by participating in GovRAMP certification.
Terms of Service
Service Level Agreement
Privacy Policy