Security
Security built for
institutional standards
OnboardConnect was designed with campus IT security requirements in mind — FERPA awareness, zero firewall changes, an outbound-only on-prem agent, and credentials that are encrypted before they ever leave your dashboard.
Security Pillars
Four layers of protection
Every layer is designed to meet the expectations of a higher-ed CISO or auditor, not just a consumer SaaS checklist.
Zero inbound exposure
The on-prem agent connects outbound only via an encrypted tunnel. No inbound firewall rules, no open ports, no VPN required. Your network never exposes a listening service to OnboardConnect.
- Agent initiates outbound connection — never receives inbound connections
- Cloudflare Tunnel technology with TLS 1.3 minimum
- Agent token stored in the OS credential store, never on disk in plaintext
- Connection revocable from the dashboard in under 30 seconds
Encrypted credentials at rest
AD bind credentials, LDAP passwords, and Microsoft Graph tokens are all encrypted with AES-256-GCM before storage. Encryption keys are never written to application logs.
- AES-256-GCM symmetric encryption for all stored secrets
- Credentials never appear in logs, error messages, or API responses
- Graph API tokens refreshed on a short-lived rotation schedule
Append-only audit trail
Every provisioning action is logged with the actor, timestamp, trigger source, and outcome. The log is append-only by design — entries are written for every action and are not edited in normal operation.
- Append-only by application design — records are added, not overwritten
- Every entry includes actor identity, not just system attribution
- Exportable to CSV or JSON for external compliance review
- 365-day hot retention in the dashboard; automated export to cold storage archive beyond that
Role-based access control
Fine-grained permission boundaries ensure staff only access what their role requires. Help desk technicians can reset passwords without touching provisioning rules. All actions are attributed to named users — no shared credentials.
- Four built-in roles: Owner, Admin, Technician, Read-only
- API-level enforcement — UI restrictions cannot be bypassed
- Every action attributed to the authenticated user who performed it
- Custom roles with granular permissions on Enterprise plans
On-Prem Agent
How the on-prem agent works
The OnboardConnect agent is a lightweight Windows service that installs on any server inside your network with LDAP access to your Active Directory domain controllers.
It establishes a persistent outbound tunnel to the OnboardConnect cloud service. When a provisioning command is dispatched, it travels over this encrypted channel to the agent, which executes the LDAP operation and reports the result back.
The agent never listens for inbound connections. Your firewall does not need to be modified. There is no DMZ requirement, no reverse proxy, and no VPN.
Agent security details
- Outbound-only tunnel: Agent initiates the connection. The cloud service cannot push arbitrary commands — only queued provisioning tasks authenticated to your account.
- Agent token: Stored in the Windows Credential Manager or DPAPI-protected storage. Never written to a config file in plaintext.
- Command signing: Each provisioning command is signed with a per-account HMAC key. The agent rejects any command that fails signature verification.
- Instant revocation: Revoke the agent token from the dashboard and the tunnel is terminated within seconds. The agent cannot reconnect without a new token.
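The command-signing check described above, as an added illustration that is not OnboardConnect's own code: the cloud side signs a canonical JSON payload with a per-account HMAC-SHA256 key, and the agent, which holds only its own account's key, rejects tampered, misaddressed or replayed envelopes. The tenant names, keys, command fields and the replay id are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets
from typing import Any

# Hypothetical per-account HMAC keys (constructed with random bytes).
# A real service would provision these out of band; the agent keeps its
# own copy in the OS credential store rather than a plaintext config file.
ACCOUNT_KEYS = {name: secrets.token_bytes(32) for name in ("tenant-a", "tenant-b")}


def canonical(payload: dict[str, Any]) -> bytes:
    # Deterministic serialization so signer and verifier hash identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_command(account: str, command: dict[str, Any]) -> dict[str, Any]:
    # Cloud side: the account and a fresh id are bound into the signed payload,
    # so the agent can detect both misaddressed and replayed envelopes.
    payload = {"account": account, "id": secrets.token_hex(16), **command}
    mac = hmac.new(ACCOUNT_KEYS[account], canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


class Agent:
    """Agent side: holds exactly one account key and verifies before executing."""

    def __init__(self, account: str, key: bytes) -> None:
        self.account, self.key = account, key
        self.seen_ids: set[str] = set()  # ids of commands already executed

    def verify(self, envelope: dict[str, Any]) -> bool:
        payload = envelope.get("payload", {})
        if payload.get("account") != self.account:
            return False  # addressed to another tenant
        expected = hmac.new(self.key, canonical(payload), hashlib.sha256).hexdigest()
        # Constant-time comparison so the MAC cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, str(envelope.get("mac", ""))):
            return False
        if payload.get("id") in self.seen_ids:
            return False  # replay of an already executed command
        self.seen_ids.add(payload["id"])
        return True

    def dispatch(self, envelope: dict[str, Any]) -> str:
        if not self.verify(envelope):
            return "rejected"
        p = envelope["payload"]
        return f"executed {p['op']} for {p['sam']}"  # the LDAP operation would run here
```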
Data & Compliance
FERPA & Student Data
OnboardConnect stores the minimum student directory data required to provision and manage accounts — names, email addresses, recovery contacts, and Active Directory identifiers. That data is isolated per tenant, encrypted, and retained only for the duration of your contract. We are FERPA-aware by design and operate as a school official under the legitimate educational interest exception.
We provide a Data Processing Agreement (DPA) upon request.
About the Vendor
Built by Zentrosoft LLC
OnboardConnect is built and maintained by Zentrosoft LLC, a software company focused exclusively on higher education technology. We're reachable at solutions@zentrosoft.com — before, during, and after your trial.
Learn more about Zentrosoft →
Evaluating vendors with your security team?
Share this page with your CISO or security team →
Security questions? We welcome the scrutiny.
Share our security overview with your CISO or send us your vendor security questionnaire. We'll respond in full.
90-day free trial — no credit card required.