1. Introduction
At strived.io, we recognize that the security of student data is paramount. Our comprehensive security policy outlines the measures and practices we employ to protect the confidentiality, integrity, and availability of all data entrusted to us.
1.1 Security Philosophy
Our approach to security is based on the following principles:
- Defense in Depth: We implement multiple layers of security controls
- Least Privilege: Access to data is granted on a need-to-know basis
- Continuous Improvement: We regularly assess and enhance our security measures
- Transparency: We are open about our security practices and promptly communicate any issues
1.2 Scope of Policy
This policy applies to all systems, people, and processes that constitute strived.io’s information systems, including board members, employees, contractors, and other third parties who have access to our systems.
2. Infrastructure Security
We leverage the robust security features of AWS and Google Cloud to host our infrastructure, ensuring a solid foundation for our security practices.
2.1 Cloud Provider Security
Our cloud providers (AWS and Google Cloud) maintain the following certifications:
- SOC 2 Type II
- ISO 27001
- PCI DSS Level 1
- HIPAA compliance
2.2 Network Security
- Virtual Private Clouds (VPCs): All our services run within isolated network environments
- Firewalls: We use both cloud-provider firewalls and host-based firewalls to control traffic
- Intrusion Detection and Prevention: Real-time monitoring and blocking of suspicious activities
- DDoS Protection: Leveraging cloud provider DDoS mitigation services
2.3 System Security
- Regular Patching: All systems are updated with the latest security patches within 30 days of release
- Hardening: We follow CIS benchmarks for system hardening
- Antimalware: All systems run regularly updated antimalware software or are rebuilt from scratch at every deployment – multiple times per week
2.4 Monitoring and Logging
- Centralized Logging: All system and application logs are centralized for analysis
- Security Information and Event Management (SIEM): We use advanced SIEM tools for real-time threat detection
- 24/7 Monitoring: Our security team provides round-the-clock monitoring of our systems
3. Data Encryption
Encryption is a cornerstone of our data protection strategy. We employ strong encryption methods to protect data both in transit and at rest.
3.1 Encryption in Transit
- TLS: All data transmitted over the internet is encrypted using TLS 1.2 or higher
- VPN: Remote access to our systems is only allowed through encrypted VPN connections
- API Security: All API communications are encrypted and require authentication
3.2 Encryption at Rest
- Database Encryption: All databases are encrypted using AES-256
- File Encryption: Stored files are encrypted using envelope encryption
- Key Management: We use cloud provider key management services for secure key storage and rotation
3.3 End-to-End Encryption
For highly sensitive data transmissions, we offer end-to-end encryption options to ensure data remains encrypted throughout its lifecycle.
4. Access Control
We maintain strict access controls to ensure that only authorized individuals can access sensitive data and systems.
4.1 Identity and Access Management
- Single Sign-On (SSO): We use SSO with multi-factor authentication for all internal systems
- Role-Based Access Control (RBAC): Access rights are assigned based on job roles and responsibilities
- Principle of Least Privilege: Users are granted the minimum levels of access required for their roles
4.2 Authentication
- Multi-Factor Authentication (MFA): Required for all user accounts, both internal and customer-facing
- Password Policies: We enforce strong password requirements, including minimum length, complexity, and regular changes
4.3 Access Reviews
- Regular Reviews: Access rights are reviewed quarterly to ensure they remain appropriate
- Automated Deprovisioning: Access is revoked when an employee leaves the organization
4.4 Third-Party Access
- Limited Access: Third-party vendors are given the minimum access necessary to perform their functions
- Monitoring: All third-party access is closely monitored and logged
- Contractual Obligations: Third parties are contractually bound to adhere to our security standards
- Regular Audits: We conduct regular audits of third-party access and security practices
5. Incident Response
Our incident response plan is designed to quickly detect, respond to, and mitigate any security incidents that may occur.
5.1 Incident Detection
- 24/7 Monitoring: Our security operations center (SOC) provides round-the-clock monitoring
- Automated Alerts: We use advanced threat detection tools to generate real-time alerts
- User Reporting: We maintain channels for users and employees to report suspected security issues
5.2 Incident Classification
We classify incidents based on severity:
- Critical: Immediate threat to critical systems or sensitive data
- High: Significant impact on operations or data integrity
- Medium: Limited impact, can be contained quickly
- Low: Minimal impact, routine security event
5.3 Incident Response Procedure
- Identification and Assessment
- Containment
- Eradication
- Recovery
- Post-Incident Analysis
5.4 Communication Protocol
- Internal Communication: Clear escalation procedures for notifying management and relevant teams
- External Communication: Process for notifying affected parties, including customers and regulators
- Timelines: Commitment to initial notification within 72 hours of a confirmed breach
5.5 Incident Drills
We conduct regular incident response drills to ensure our team is prepared to handle various scenarios effectively.
6. Compliance
We are committed to maintaining compliance with industry standards and regulatory requirements relevant to educational technology and data protection.
6.1 SOC 2 Compliance
- Annual Audits: We undergo SOC 2 Type II audits annually
- Continuous Monitoring: We use automated tools to ensure ongoing compliance between audits
6.2 Educational Data Protection Laws
We maintain compliance with:
- Family Educational Rights and Privacy Act (FERPA)
- Children’s Online Privacy Protection Act (COPPA)
- Student Online Personal Information Protection Act (SOPIPA)
- General Data Protection Regulation (GDPR) for EU data subjects
6.3 State-Specific Regulations
We adhere to various state-level student data privacy laws, including but not limited to:
- California Consumer Privacy Act (CCPA)
- Illinois Student Online Personal Protection Act (SOPPA)
- New York’s Education Law 2-d
6.4 Industry Standards
We align our practices with:
- NIST Cybersecurity Framework
- ISO 27001 Information Security Management
- Cloud Security Alliance (CSA) STAR
6.5 Compliance Monitoring
- Regular Self-Assessments: Quarterly internal reviews of our compliance status
- Automated Compliance Checks: Use of tools to continuously monitor compliance with key standards
- Documentation: Maintaining up-to-date compliance documentation and evidence
7. Regular Audits and Assessments
We conduct a variety of audits and assessments to ensure the ongoing effectiveness of our security measures.
7.1 Internal Audits
- Quarterly Security Reviews: Comprehensive review of our security posture
- Continuous Automated Assessments: Regular automated scans and checks of our systems
7.2 External Audits
- Annual Penetration Testing: Conducted by certified third-party security firms
- Vulnerability Assessments: Quarterly external vulnerability scans
7.3 Risk Assessments
- Annual Comprehensive Risk Assessment: Identifying and evaluating potential risks to our systems and data
- Targeted Risk Assessments: Conducted for new projects or significant changes to existing systems
7.4 Code Reviews
- Peer Code Reviews: All code changes undergo peer review before deployment
- Automated Code Analysis: Use of static and dynamic code analysis tools
8. Vendor Management
We recognize that our security is only as strong as our weakest link, which includes our vendors and partners.
8.1 Vendor Selection Process
- Security Assessment: All potential vendors undergo a thorough security assessment
- Compliance Verification: We verify vendors’ compliance with relevant standards and regulations
8.2 Contractual Requirements
We require all vendors with access to student data to:
- Sign comprehensive data protection agreements
- Adhere to our security standards and practices
- Provide regular compliance attestations
8.3 Ongoing Monitoring
- Annual Reassessments: We reassess vendor security annually
- Incident Reporting: Vendors are required to promptly report any security incidents
- Right to Audit: We maintain the right to audit our vendors’ security practices
9. Continuous Improvement
Our commitment to security is ongoing, and we continuously strive to enhance our practices.
9.1 Staying Informed
- Threat Intelligence: Subscription to multiple threat intelligence feeds
- Industry Participation: Active involvement in educational technology and cybersecurity communities
- Regulatory Monitoring: Keeping abreast of changes in relevant laws and regulations
9.2 Employee Training and Awareness
- Annual Security Training: Mandatory for all employees
- Phishing Simulations: Regular phishing tests to maintain employee vigilance
- Security Newsletter: Monthly internal newsletter highlighting security best practices and trends
9.3 Technology Updates
- Regular Technology Reviews: Assessing new security technologies for potential adoption
- Planned Upgrades: Maintaining a roadmap for upgrading our security infrastructure
9.4 Feedback Loop
- Bug Bounty Program: Encouraging responsible disclosure of security vulnerabilities
- User Feedback: Actively seeking and incorporating user feedback on security features
10. Physical Security
While our primary focus is on digital security, we also maintain robust physical security measures to protect our assets and data. We do not have a physical office.
10.1 Device Management
- Remote Wipe: Capability to remotely wipe lost or stolen devices that handle sensitive data
- Mobile Device Management (MDM): All company-issued devices that handle sensitive data are managed through MDM solutions. Right now all
- Encryption: Full-disk encryption is mandatory for all company devices that handle sensitive data.