At Handshake, we're committed to delivering industry-leading privacy and security infrastructure with transparency. We ensure the information we receive is handled with care and complies with all applicable standards, laws, and regulations globally.
Handshake’s commitment to protecting data privacy goes beyond basic compliance; we continuously evaluate and refine our processes and policies to lead the industry in responsible data stewardship, continuous employer screening, and full student control.
New VPAT for Student Issued
VPAT Accessibility Conformance Report Available
We are pleased to share that we have completed a Voluntary Product Accessibility Template (VPAT) assessment against the Web Content Accessibility Guidelines (WCAG), affirming our commitment to an accessible experience for all students.
What This Means
Our VPAT documents how our platform conforms to WCAG success criteria, providing students, institutions, and procurement teams with a transparent view of our accessibility posture.
What This Means for You
Students can expect a platform designed with accessibility in mind. Our Accessibility Conformance Report (ACR) is available for download on our trust portal following completion of a mutual non-disclosure agreement.
To obtain a copy of the ACR, visit trust.joinhandshake.com.
This notice is intended for students and institutional partners who require accessibility documentation for procurement or accommodation purposes.
PCI Attestation Issued
PCI DSS Attestation of Compliance Complete
We are pleased to inform you that we have successfully completed our PCI DSS assessment and received our Attestation of Compliance (AOC).
What This Means
Our AOC confirms that our cardholder data environment has been assessed and found to meet the requirements of the Payment Card Industry Data Security Standard. The assessment was conducted by a qualified security assessor.
What This Means for You
You can continue to rely on our controls for the secure handling of payment card data. Our AOC is available for download directly on our trust portal following completion of a mutual non-disclosure agreement.
To obtain a copy of the AOC, visit trust.joinhandshake.com.
This notice is intended for customers and partners who rely on our services for the processing or storage of payment card data.
SOC 2 issued for 3/1/2025 - 2/28/2026
SOC 2 Audit Complete: Unqualified Opinion Received
We are pleased to inform you that we have successfully completed our SOC 2 examination and received an unqualified opinion from our independent auditor.
What This Means
An unqualified opinion is the highest outcome achievable in a SOC 2 audit. It confirms that our controls were designed appropriately and operating effectively throughout the audit period, with no material exceptions identified by the auditor.
What We Evaluated
The audit covered our security, availability, and confidentiality controls across the systems and infrastructure that support your data. The examination was conducted in accordance with the AICPA Trust Services Criteria.
What This Means for You
You can continue to rely on our security posture with the assurance that an independent third party has reviewed and validated our controls. A copy of the SOC 2 report is available upon request under a mutual non-disclosure agreement.
To obtain a copy of the report, visit trust.joinhandshake.com.
This notice is intended for customers and partners who rely on our services for the processing or storage of their data.
Security Response | LiteLLM
Handshake Is Not Impacted — Security Response to LiteLLM Supply Chain Compromise
How We Found Out
Our security team identified the threat via an external advisory and immediately raised it for investigation. An incident was declared within minutes, and a live coordination bridge was spun up for real-time response.
What We Did
The response was fast and methodical. Within roughly four hours, the team completed the following:
- Dependency and usage audit — Reviewed dependency graphs across all codebases to identify direct and transitive usage of the compromised package.
- Production environment verification — Confirmed our primary deployment of the library was running a pinned, unaffected version via its lock file.
- Container build audit — Investigated all container image builds, confirming all builds predated the malicious publish window.
- Data platform investigation — Confirmed usage in our data platform was pinned to an older, unaffected version.
- Codebase-wide search — Traced all mentions of the library across internal repositories and related projects.
- Endpoint security review — Engaged our EDR provider to analyze endpoint telemetry for signs of compromise.
- Credential rotation — One engineer who ran a local build that likely pulled a compromised version rotated all environment variables available to that build agent, including LLM API keys.
- Proactive version pinning — Submitted PRs to pin all affected images to known-safe versions.
Two days later, our cloud provider proactively notified us that two credentials were identified in a malicious environment. These credentials were associated with an isolated research environment — not our production infrastructure. The team immediately revoked those credentials along with all associated API keys. Investigation of the affected environment concluded with no indicators of compromise identified.
Outcome
No customer data was accessed. No customer impact. No production systems were affected. Internal credentials were rotated as a precaution. The exposure was contained because most dependencies were already pinned to older, safe versions.
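The dependency audit, lock-file verification and container build check described above can be sketched as follows. This is an added example, not Handshake's tooling: the affected versions, the publish-window start, the file paths and the file contents are constructed placeholders, since the page does not state them.

```python
import re
from datetime import datetime

# Placeholders: the page does not list the affected releases or the publish
# window, so these values and the sample files are constructed for the example.
AFFECTED = {"9.9.1", "9.9.2"}
WINDOW_START = "2099-01-02T00:00:00+00:00"
SAMPLE_FILES = {
    "api/requirements.txt": "requests==2.32.3\nlitellm[proxy]==9.8.0 \\\n    --hash=sha256:00\n",
    "research/requirements.txt": "# notebook env\nLiteLLM>=9.0\n",
    "data/poetry.lock": '[[package]]\nname = "litellm"\nversion = "9.9.1"\n',
}
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9._-]+)(?:\[[^\]]*\])?\s*([=<>!~]=?[^;#\\\s]*)?")

def norm(name):
    """PEP 503 name normalisation, so LiteLLM and litellm compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def specs_in(path, text, package):
    """Yield each version specifier recorded for `package` in one file."""
    if path.endswith(".lock"):  # poetry.lock / uv.lock style [[package]] tables
        for block in text.split("[[package]]")[1:]:
            name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
            ver = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
            if name and ver and norm(name.group(1)) == norm(package):
                yield "==" + ver.group(1)
        return
    for line in text.splitlines():  # requirements-style files
        m = REQ_LINE.match(line)
        if m and norm(m.group(1)) == norm(package):
            yield m.group(2) or ""

def audit(files, package, affected=AFFECTED):
    """Classify each occurrence as affected, pinned-ok or unpinned."""
    findings = []
    for path, text in files.items():
        for spec in specs_in(path, text, package):
            if not spec.startswith("==") or "*" in spec:
                status = "unpinned"  # a fresh build may resolve to a bad release
            elif spec[2:] in affected:
                status = "affected"
            else:
                status = "pinned-ok"
            findings.append((path, spec, status))
    return findings

def built_before_window(image_created, window_start=WINDOW_START):
    """True if an image build timestamp predates the malicious publish window."""
    return datetime.fromisoformat(image_created) < datetime.fromisoformat(window_start)
```

The "unpinned" result is the case that matters most for local and ad hoc builds: a range specifier resolves at install time, so any environment built from it during the publish window needs its credentials treated as exposed.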
Salesforce Drift Incident Impact Communication Aug 2025
Update on the Salesforce–Drift Security Incident
We wanted to share a brief update regarding the Salesforce–Drift security incident.
Salesforce shared that a known threat actor, ShinyHunters, has claimed on a public Telegram channel that they intend to post data allegedly obtained from this incident. Salesforce confirmed that this issue did not stem from a vulnerability in the core Salesforce platform, and they are actively investigating in coordination with law enforcement.
There is no new evidence that any additional Handshake systems or customer data were impacted. We are continuing to monitor the situation closely and will share further updates if new information becomes available.
Handshake Security and Privacy Team
Handshake Security Update: Salesforce Drift Incident
Protecting customer data and maintaining transparency are at the core of Handshake’s mission. We are committed to keeping customers informed about security developments that may affect their organization and want to share a detailed update regarding the recent Salesforce Drift incident.
What Happened?
On Wednesday, August 27, Handshake learned of a compromise involving a third-party application, Salesloft’s Drift, which resulted in unauthorized access and exfiltration of data stored in our Salesforce environment. Once notified, Handshake took immediate action to secure the environment, disconnecting the application from its Salesforce instance and launching a comprehensive investigation with our internal security team.
The impact of this event is confined to our Salesforce environment and did not implicate Handshake’s core products, services, systems, or infrastructure.
What Information May Be Affected?
Our investigation determined that the exposed data is limited to business contact information and specific Salesforce-related content, which includes:
- Customer (company) name
- Business address and contracting information
- The name, job title, business phone number, and company email address of the customer representative
What Did Handshake Do?
Handshake took immediate steps to secure our environment and mitigate risks:
- Disconnected and revoked Salesloft Drift’s access to Handshake’s Salesforce instance. Out of an abundance of caution, we also disconnected all integrations of Drift with other applications, such as Handshake’s core product, marketing portal, and other internal sales applications.
- Rotated relevant API access tokens to prevent further access.
- Initiated a full investigation into the scope and impact of the breach, working closely with Salesforce and external experts.
- Prioritized additional safeguards and protocol enhancements to prevent similar incidents in the future.
- Activated continuous monitoring for any potential exposure or misuse of exfiltrated data tied to the incident.
Handshake will continue to provide updates should any new developments arise.
What You Can Do
We recommend the following actions to ensure your security:
- Exercise caution with unsolicited emails, phone calls, or requests for sensitive information. Always verify the source and do not disclose passwords or payment information through unverified channels.
- All communications from Handshake will come from trusted, official channels. Our email outreach will always come from @joinhandshake.com. Handshake Support will never ask for authentication or authorization details via unsolicited outreach, phone, or SMS.
- Report any suspicious activity to security@joinhandshake.com.
Need Assistance or Have Questions?
Handshake’s Customer Success and Support teams are available to assist you through all regular support channels. You may also contact the Handshake Security team directly at security@joinhandshake.com.
Your trust is paramount to us. Thank you for your continued partnership with Handshake.







