
Security

Last updated: May 21, 2026

TradeSchool Manager is a self-hosted WordPress plugin. That means the strongest defenses live on your server, configured by you and your host. This page describes what we build into the Software, what we expect of you, and how to report a vulnerability.

What we do

  • Capability checks. Every administrative action is gated by an explicit WordPress capability. Students, parents, teachers, and admins are assigned distinct roles with the minimum privileges needed for each.
  • Nonces and sanitization. Form submissions are protected with WordPress nonces; inputs are sanitized and outputs are escaped following WordPress coding standards.
  • Private file storage. Uploaded student documents are stored outside the public web root with hashed filenames and a deny rule for direct HTTP access. Files are served only through authenticated PHP handlers that re-check the requesting user's capability.
  • Audit trail. Every upload, download, and deletion of a student document is recorded with the actor, IP address, user-agent, and timestamp. Tuition-contract e-signatures capture the same evidence.
  • Password handling. Authentication relies on WordPress's built-in password hashing (phpass / bcrypt). We do not store plain-text passwords and we do not transmit credentials to any third-party service.
  • Payment data minimization. Card numbers are entered directly into Stripe Elements and never touch your server. We store only Stripe-issued identifiers needed to reconcile a payment.
  • Encryption in transit. All connections to and from this website use HTTPS. Plugin-to-Stripe, plugin-to-Freemius, and plugin-to-Brevo traffic is encrypted in transit by those providers.
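
The capability check, nonce, private-storage and audit-trail items above can be pictured as one download handler. The sketch below is an added example, not TradeSchool Manager's own code: the capability `tsm_view_student_docs`, the action `tsm_download`, the `tsm_documents` and `tsm_audit` tables and the `TSM_PRIVATE_DIR` constant are hypothetical names chosen for illustration.

```php
<?php
// Added example with hypothetical names; not the plugin's actual code.
defined( 'ABSPATH' ) || exit;

// Assumption: TSM_PRIVATE_DIR is defined in wp-config.php and points outside the web root.
// Only the logged-in hook is registered; with no admin_post_nopriv_ hook,
// anonymous requests never reach the handler.
add_action( 'admin_post_tsm_download', 'tsm_example_serve_document' );

function tsm_example_serve_document() {
    global $wpdb;
    $doc_id = isset( $_GET['doc'] ) ? absint( $_GET['doc'] ) : 0;

    // 1. Nonce bound to this document ID (dies on failure).
    check_admin_referer( 'tsm_download_' . $doc_id );

    // 2. Capability is re-checked on every request, not only when the link is rendered.
    if ( ! current_user_can( 'tsm_view_student_docs' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // 3. The client supplies only an ID; the hashed on-disk name comes from the database.
    $doc = $wpdb->get_row( $wpdb->prepare(
        "SELECT stored_name, original_name FROM {$wpdb->prefix}tsm_documents WHERE id = %d",
        $doc_id
    ) );
    $base = realpath( TSM_PRIVATE_DIR );
    $path = $doc ? realpath( TSM_PRIVATE_DIR . '/' . basename( $doc->stored_name ) ) : false;
    // Refuse anything that does not resolve to a file inside the private directory.
    if ( ! $base || ! $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }

    // 4. Audit row written before any bytes are sent: actor, IP, user-agent, UTC timestamp.
    $wpdb->insert( $wpdb->prefix . 'tsm_audit', array(
        'action'     => 'download',
        'doc_id'     => $doc_id,
        'user_id'    => get_current_user_id(),
        'ip'         => sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ?? '' ) ),
        'user_agent' => sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ?? '' ) ),
        'created_at' => current_time( 'mysql', true ),
    ) );

    // 5. Serve as a download; never let the browser sniff or cache the content.
    nocache_headers();
    header( 'Content-Type: application/octet-stream' );
    header( 'X-Content-Type-Options: nosniff' );
    header( 'Content-Disposition: attachment; filename="' . sanitize_file_name( $doc->original_name ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}
```

A per-record ownership check (for example, limiting a parent to their own child's documents) would sit beside step 2; it is left out here to keep the sketch short.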

What you are responsible for

  • Hosting and TLS. Choose a reputable WordPress host. Keep HTTPS enabled site-wide.
  • WordPress and PHP updates. Apply WordPress core, theme, and plugin updates promptly. Stay on a PHP version that still receives security updates (PHP 8.1+ is recommended).
  • Backups. Maintain off-site, encrypted backups of your database and the private uploads directory. We do not store copies of your installation.
  • Account hygiene. Use unique, strong passwords for every admin and teacher account. Enable two-factor authentication for administrators (any reputable WordPress 2FA plugin works).
  • Encryption at rest. Choose a host that encrypts disk volumes. Database-column encryption of student records is the school's responsibility if your jurisdiction requires it.
  • Third-party plugins. Other plugins or themes on the same WordPress install can introduce vulnerabilities that affect TradeSchool Manager. Audit what you install.
  • Network access. Limit administrative access to trusted networks where possible (IP allowlists, VPN, or your host's WAF).

FERPA-friendly design, not FERPA certification

The Software is designed to support FERPA-conscious workflows: role separation, audit logging, capability-checked downloads, and minimal data exposure in portals. We do not claim FERPA certification (there is no such thing) and we do not warrant that any specific installation is FERPA compliant. Compliance depends on policies, training, and operations that only the school can control.

Incident handling

If we become aware of a security incident affecting data we control (such as customer billing data on this website), we will investigate, take reasonable steps to contain and remediate the incident, and notify affected customers without undue delay and in any case as required by applicable law.

If your installation is compromised, you are responsible for notifying your students, parents, employees, and any regulators who require notice. We will assist with technical questions to the extent we are able.

Reporting a vulnerability

If you believe you have found a security vulnerability in the Software, please email [email protected] with the subject line "Security report". Please include a description, reproduction steps, and (if possible) the affected version. We acknowledge reports within 5 business days and aim to ship a patch for confirmed high-severity issues within 30 days. Please do not publicly disclose the issue until we have had a reasonable opportunity to fix it.


This document is not legal advice. TradeSchool Manager is a software tool sold by CJs Web Service, LLC. Schools are responsible for verifying that their use of the software complies with FERPA, state private career-school laws, COPPA, and any other regulation that applies to their operations. Consult qualified counsel for advice specific to your situation.
