Security at Mainstay

Protecting what matters most to our partners and their users

At Mainstay, we strive to deliver solutions that are built thoughtfully to reinforce security, privacy, and confidentiality.

Why? To create and promote trust and confidence between Mainstay and our partners. Read on to learn more about our commitment to security.

Trusted by

College advising corps
Security Organization and Program

Our Commitment to Security

Mainstay maintains a risk-based assessment security program. The framework for Mainstay’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data. 

Mainstay’s security program is intended to be appropriate to the nature of the Services and the size and complexity of Mainstay’s business operations. Independent audits and assessments are performed by third parties.


Respect for Privacy

Mainstay has controls in place to maintain the confidentiality of Customer Data in accordance with Customer Agreements. All Mainstay employees and contract personnel are bound by Mainstay’s internal policies regarding maintaining the confidentiality of Customer Data and are contractually obligated to comply with these obligations.

For the Mainstay Services, (a) the databases that store Customer Data are encrypted using the Advanced Encryption Standard and (b) Customer Data is encrypted when in transit between Customer’s software application and the Services using TLS v1.2.

Mainstay performs penetration tests and engages independent third-party entities to conduct application-level penetration tests. Security threats and vulnerabilities that are detected are prioritized, triaged, and remediated promptly.

Mainstay maintains controls and policies to mitigate the risk of security vulnerabilities in a measurable time frame that balances risk and the business/operational requirements. Mainstay uses a third-party tool to conduct vulnerability scans regularly to assess vulnerabilities in Mainstay’s cloud infrastructure and corporate systems. Critical software patches are evaluated, tested, and applied proactively. Operating system patches are applied through the regeneration of a base virtual-machine image and deployed to all nodes in the Mainstay cluster over a predefined schedule. For high-risk patches, Mainstay will deploy directly to existing nodes through internally developed orchestration tools.

Mainstay has a formal change management process it follows to administer changes to the production environment for the Services, including any changes to its underlying software, applications, and systems. Each change is carefully reviewed and evaluated in a test environment before being deployed into the production environment for the Services. All changes, including the evaluation of the changes in a test environment, are documented using a formal, auditable system of record. A rigorous assessment is carried out for all high-risk changes to evaluate their impact on the overall security of the Services. Deployment approval for high-risk changes is required from the correct organizational stakeholders. Plans and procedures are also implemented in the event a deployed change needs to be rolled back to preserve the security of the Services.

The Mainstay Platform leverages Twilio for SMS communications channels and Twilio SendGrid for email communications. Twilio is certified under ISO/IEC 27001, has attestations to ISO/IEC 27017 and ISO/IEC 27018, and maintains SOC 2 compliance.

Mainstay will promptly investigate a Security Incident upon discovery. To the extent permitted by applicable law, Mainstay will notify Customer of a Security Incident in accordance with a relevant Data Protection Addendum. Security Incident notifications will be provided to Customer via email to the email address designated by Customer in its account.

Mainstay performs regular backups of Customer Data, which is hosted on AWS’s data center infrastructure. Customer Data that is backed up is retained redundantly across multiple availability zones and encrypted in transit and at rest using the Advanced Encryption Standard.