Data Privacy and Security Plan
Provider: Classroom Hero (Classroom Hero, LLC)
Date: January 2025
1. How we implement applicable data security and privacy contract requirements over the life of the Contract
Classroom Hero maintains comprehensive data security and privacy controls throughout the contract lifecycle:
- Continuous Monitoring: Real-time security monitoring through Sentry and PostHog analytics
- Regular Security Reviews: Quarterly security assessments and penetration testing
- Compliance Updates: Annual review and updates to security policies and procedures
- Vendor Management: Ongoing assessment of third-party service providers (Stripe, DigitalOcean, PostHog)
- Incident Response: 24/7 monitoring with aggressive response timelines (see section 5)
2. Administrative, operational and technical safeguards and practices to protect PII
Classroom Hero maintains comprehensive data security and privacy controls throughout the contract lifecycle:
- Continuous Monitoring: Real-time security monitoring through Sentry and PostHog analytics
- Regular Security Reviews: Quarterly security assessments and penetration testing
- Compliance Updates: Annual review and updates to security policies and procedures
- Vendor Management: Ongoing assessment of third-party service providers (Stripe, DigitalOcean, PostHog)
- Incident Response: 24/7 monitoring with aggressive response timelines (see section 5)
- Access Control: Role-based access control (RBAC) with principle of least privilege
- Employee Screening: Background checks for all employees with access to PII
- Security Policies: Comprehensive security policies and procedures documented and regularly updated
- Incident Response Plan: Documented procedures for security incidents and data breaches
- MFA Enforcement: Multi-factor authentication required for all admin accounts and infrastructure access
- Session Management: Secure session handling with automatic timeout and secure cookie settings
- Audit Logging: Comprehensive logging of all system access and data modifications
- Backup Procedures: Automated daily backups with encryption and secure storage
- Encryption at Rest: All data encrypted using encryption at rest
- Encryption in Transit: TLS 1.3 encryption for all data transmission
- API Security: REST API with JWT authentication and rate limiting
- Webhook Security: Stripe webhook signature verification with key rotation
- Database Security: Connection encryption and access controls
- Application Security: Built-in security middleware
3. Training received by employees and subcontractors on federal and state laws governing PII confidentiality
Classroom Hero provides comprehensive training on data privacy and security:
- FERPA Compliance: Family Educational Rights and Privacy Act training for all staff
- COPPA Compliance: Children's Online Privacy Protection Act training
- New York Education Law §2-d: State-specific data privacy requirements
- GDPR Awareness: General Data Protection Regulation training for international compliance
- Security Best Practices: Annual cybersecurity awareness training
- New Employee Training: Within 30 days of hire
- Annual Refresher: Yearly mandatory training updates
- Incident Response Training: Quarterly tabletop exercises
- Subcontractor Training: Required before access to any systems or data
- Online learning modules with completion tracking
- In-person workshops for complex topics
- Regular security newsletters and updates
- Knowledge assessments and certifications
4. Contracting processes to ensure employees and subcontractors are bound by written agreement to Contract requirements
Classroom Hero maintains strict contracting processes for data protection:
- Confidentiality Agreements: All employees sign comprehensive confidentiality agreements
- Data Handling Policies: Written acknowledgment of data privacy and security policies
- Acceptable Use Policies: Clear guidelines for system and data access
- Termination Procedures: Immediate revocation of access upon employment termination
- Data Processing Agreements: All subcontractors sign DPAs with strict data protection requirements
- Security Requirements: Contractual obligations for security controls and incident reporting
- Audit Rights: Right to audit subcontractor security practices
- Liability Provisions: Clear liability for data breaches and security incidents
- Security Assessments: Regular security reviews of all third-party vendors
- Contract Reviews: Annual review of vendor contracts and security requirements
- Performance Monitoring: Ongoing monitoring of vendor security performance
5. Data security and privacy incident management and breach response procedures
- 0-1 hour: Initial incident detection and immediate containment
- 1-4 hours: Incident assessment and initial response team activation
- 4-24 hours: Detailed investigation and stakeholder notification
- 24-72 hours: Complete incident analysis and remediation planning
- 1 week: Full incident report and lessons learned documentation
- Automated Monitoring: 24/7 security monitoring through Sentry and PostHog
- Log Analysis: Real-time analysis of system logs and access patterns
- User Reporting: Anonymous incident reporting system for staff and users
- Vendor Alerts: Integration with vendor security alert systems
- Immediate Containment: Isolate affected systems and prevent further data exposure
- Evidence Preservation: Secure and preserve all evidence for investigation
- Stakeholder Notification: Notify affected users, EA, and regulatory authorities as required
- Remediation: Implement fixes and security improvements
- Post-Incident Review: Document lessons learned and update procedures
Josh Nussbaum
Chief Technology Officer
Email: josh@classroomhero.com
Phone: 650-207-8426
Available: 24/7 for security incidents
6. Data transition procedures when no longer needed to meet contractual obligations
Classroom Hero maintains clear procedures for data transition and disposal:
- Data Export: Export all PII in standardized, machine-readable formats
- Secure Transfer: Use encrypted channels for data transfer to EA
- Verification: Confirm successful data transfer with EA
- Documentation: Maintain detailed records of all data transfers
- Secure Deletion: Use industry-standard secure deletion methods
- Backup Cleanup: Remove all data from backup systems and archives
- Third-Party Cleanup: Ensure all third-party systems are cleaned
- Destruction Certification: Provide written certification of data destruction
7. Secure destruction procedures for data no longer needed
Classroom Hero implements comprehensive data destruction procedures:
- Secure Deletion: Use DoD 5220.22-M compliant deletion methods
- Database Cleanup: Complete removal from all database systems
- Log Cleanup: Secure deletion of all related log files
- Backup Destruction: Secure deletion of all backup copies
- Hard Drive Destruction: Physical destruction of all storage media
- Document Shredding: Cross-cut shredding of all printed materials
- Certification: Written certification of destruction completion
8. Backup and Recovery Plan
Classroom Hero maintains a comprehensive backup and recovery plan to ensure data availability and compliance:
- Database Backups: Daily automated backups with point-in-time recovery capability
- Application Backups: Weekly full backups of application code and configurations
- Configuration Backups: Daily backups of system configurations and settings
- User Data Backups: Real-time replication for critical user data
- Primary Storage: Encrypted storage in DigitalOcean's secure data centers
- Secondary Storage: Cross-region replication for disaster recovery
- Retention Policy: 90-day retention for operational backups, 1-year for compliance
- Encryption: All backups encrypted at rest and in transit
- Recovery Time Objective (RTO): 4 hours for critical systems
- Recovery Point Objective (RPO): 1 hour for critical data
- Testing: Monthly recovery testing and validation
- Documentation: Detailed recovery procedures and runbooks
Did this answer your question?
😞
😐
🤩