  • We maintain a comprehensive Digital Security Plan that includes:

    • A formal Information Security Policy covering acceptable use, access controls, incident response, and data protection.

    • Annual risk assessments and ongoing vulnerability management.

    • Role-based access controls and multi-factor authentication (MFA).

    • Continuous monitoring of infrastructure using automated threat detection systems.

    • Regular training for all staff on cybersecurity awareness and best practices.

  • We have a documented and tested Incident Response Plan to address cybersecurity breaches, including:

    • A dedicated incident response team (IRT) that can be activated within minutes.

    • Predefined roles and communication protocols, including legal, PR, and executive escalation.

    • Logging and audit trails for forensic analysis.

    • A 72-hour notification timeline to stakeholders and, if applicable, regulators.

    • Post-incident reviews to improve defenses.

  • We use government-grade or FedRAMP Moderate-equivalent infrastructure, hosted on:

    • Amazon Web Services (AWS), in secure, geographically distributed data centers.

    • All servers are hardened according to CIS Benchmarks.

    • Data encryption at rest (AES-256) and in transit (TLS 1.2+).

  • Sensitive data is handled with strict controls, including:

    • Data minimization: Only the necessary data is collected and retained.

    • Encryption: All PII, PHI, and financial data is encrypted both at rest and in transit.

    • Segregated data environments for test and production.

    • Audit logging and fine-grained permissions for data access.

    • Regular third-party penetration tests and privacy impact assessments.

  • Our security architecture includes:

    • Application Security: Code scanning (SAST), dependency scanning (SCA), and regular security reviews.

    • Endpoint Protection: EDR/XDR on all company devices.

    • Network Security: Web application firewalls (WAF), intrusion detection systems (IDS), and DDoS protection.

    • Authentication: SSO via SAML 2.0, MFA enforced for all privileged users.

    • Monitoring: 24/7 security operations center (SOC) support and centralized logging (SIEM).

  • We align our practices with industry and regulatory frameworks:

    • SOC 2 (Type I): We are pursuing a SOC 2 attestation, demonstrating security, availability, and confidentiality controls (anticipated completion in 2025).

    • HIPAA: For health-related data, we enforce HIPAA safeguards including signed Business Associate Agreements (BAAs), access logging, and encryption.

    • FERPA: Data access policies restrict student data to authorized users; logs are maintained for educational record access.

    • All third-party vendors undergo a security due diligence process, including review of SOC reports and DPAs.

    • Data Processing Agreements (DPAs) are executed with vendors handling sensitive data.

    • Vendors are re-evaluated annually or upon significant changes.

    • Regular backups with tested recovery procedures.

    • Recovery Time Objective (RTO): 4 hours.

    • Recovery Point Objective (RPO): 1 hour.

    • Annual disaster recovery tests with documented outcomes.

    • Role-based access and least-privilege enforced via IAM.

    • Immediate revocation of credentials upon termination.

    • Access reviews conducted quarterly.

  • Security is a continuous process. We:

    • Perform quarterly vulnerability assessments.

    • Engage with external auditors for compliance validation.

    • Collect threat intelligence and adjust posture accordingly.

Security Postures