Aha Moments, Inc.
DATA PRIVACY AND SECURITY PLAN
This document outlines the data security and privacy practices implemented to protect Personally Identifiable Information (PII).
| # | Requirement | Contractor Response |
|---|---|---|
| 1 | Outline how you will implement applicable data security and privacy contract requirements over the life of the Contract. | |
| 2 | Specify the administrative, operational, and technical safeguards and practices that you have in place to protect PII. | |
| 3 | Address the training received by your employees and any subcontractors engaged in the provision of services under the Contract on the Federal and State laws that govern the confidentiality of PII. | Mandatory Annual Training Components:<br>Training Implementation: |
| 4 | Outline contracting processes that ensure that your employees and any subcontractors are bound by written agreement to the requirements of the Contract, at a minimum. | All employees must sign employment agreements that include specific confidentiality and data protection clauses, along with explicit requirements to comply with privacy laws such as FERPA and NY Education Law 2-d. These agreements detail the security protocols employees must follow and their obligations for incident reporting. |
| 5 | Specify how you will manage any data security and privacy incidents that implicate PII and describe any specific plans you have in place to identify breaches and/or unauthorized disclosures, and to meet your obligations to report incidents to the School District. | We maintain 24/7 monitoring systems that automatically detect and alert our security team to potential unauthorized access or unusual data activity. Upon detection of any incident involving PII, our incident response team immediately activates our response protocol. The process includes immediate containment of potential breaches, followed by a thorough investigation using system logs and access records to determine the scope of affected data. We will notify the School District within 24 hours of discovering any breach or unauthorized disclosure involving student PII, providing details about the nature of the incident, the affected data, and the immediate containment measures taken. Our team maintains detailed incident logs and conducts root cause analysis to prevent future occurrences. We have also established a dedicated incident hotline and email address through which the School District can report any concerns, and we conduct regular tabletop exercises to ensure our response team is prepared for a range of incident scenarios. |
| 6 | Describe how data will be transitioned to the School District when no longer needed by you to meet your contractual obligations, if applicable. | Upon contract completion or when data is no longer needed, we will coordinate with the School District to ensure a secure and complete data transition. We will export all student data in an industry-standard format (such as CSV or JSON) that preserves data integrity and relationships. The transition will include all current and historical student performance data, along with associated metadata. |
| 7 | Describe your secure destruction practices and how certification will be provided to the School District. | After confirming successful data transition to the School District, we implement a secure destruction process following NIST guidelines. Our process uses Department of Defense-compliant data wiping software to permanently delete all student PII from our live systems, backups, and any development environments. Upon completion, we will provide the School District with a detailed certificate of destruction that includes the date, the method of destruction, and the scope of data destroyed. |
| 8 | Outline how your data security and privacy program/practices align with the School District's applicable policies. | See above. |
| 9 | Outline how your data security and privacy program/practices materially align with the NIST CSF v1.1 using the Framework chart below. | See the NIST CSF table below. |
NIST CSF TABLE
Providers should complete the Contractor Response sections in the table below to describe how their policies and practices align with each category in the Data Privacy and Security Plan template. To complete these 23 sections, Provider may: (i) Demonstrate alignment using the National Cybersecurity Review ("NCSR") Maturity Scale of 1-7; (ii) Use a narrative to explain alignment (may reference its applicable policies); and/or (iii) Explain why a certain category may not apply to the transaction contemplated.
Further informational references for each category can be found on the NIST website at https://www.nist.gov/cyberframework/new-framework. Please use additional pages if needed.
| Function Category | Contractor Response |
|---|---|
| IDENTIFY (ID) | |
| Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy. | Our platform maintains a comprehensive inventory of all system components that handle student PII. This includes our core application servers, databases storing student performance data, and user management systems. We use automated tools to track all devices and systems with access to student data, maintaining an up-to-date asset inventory. Access is strictly role-based, with each data asset categorized by sensitivity level. |
| Business Environment (ID.BE): The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. | We prioritize data security in our business objectives and maintain clear documentation of all stakeholder requirements, particularly around student data protection. Our organizational structure clearly defines cybersecurity responsibilities, with dedicated security personnel overseeing PII protection. |
| Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. | Our security governance framework includes specific policies for student data protection, aligned with FERPA, COPPA, and NY Education Law 2-d. We maintain a comprehensive policy library covering acceptable use, incident response, and data handling. All policies are reviewed annually and updated based on regulatory changes and emerging threats. |
| Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. | We conduct quarterly risk assessments focused on student data protection. Our assessment process identifies potential vulnerabilities in our platform, evaluates the impact of potential breaches, and prioritizes risks based on likelihood and impact. We pay special attention to risks specific to educational technology, such as unauthorized access to student performance data or potential misuse of learning analytics. |
| Risk Management Strategy (ID.RM): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. | Our risk management strategy prioritizes student data protection above all other business considerations. We maintain strict risk tolerance levels for any systems handling PII, with automated controls to enforce these standards. Our strategy includes regular updates based on emerging threats in the education sector and evolving privacy regulations. |
| Supply Chain Risk Management (ID.SC): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks. | We carefully evaluate all third-party vendors who may have access to our systems or student data. Each vendor undergoes a security assessment before engagement and must meet our security requirements. We maintain an updated vendor risk register and conduct annual reassessments of all critical vendors. |
| PROTECT (PR) | |
| Identity Management, Authentication and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions. | Our platform integrates with district-approved Single Sign-On solutions such as Clever, Google Classroom, or Microsoft, allowing students and teachers to access our platform through their existing authentication solution while maintaining consistent security standards. All user account management is handled by these identity providers. |
| Awareness and Training (PR.AT): The organization's personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements. | All employees receive initial security training during onboarding and quarterly refreshers focused on student data protection. Training includes practical scenarios relevant to our AI tutoring platform, FERPA compliance, and secure handling of student PII. We track completion rates and test comprehension, requiring 100% completion for all staff with access to student data. |
| Data Security (PR.DS): Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information. | We implement end-to-end encryption for all student data, both in transit and at rest. Our AI tutoring platform uses AES-256 encryption, secure backup systems, and data loss prevention tools. We enforce strict data retention policies and maintain detailed audit logs of all data access and modifications. |
| Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. | Our security procedures include documented processes for secure software development, change management, and data handling. We maintain detailed response plans for security incidents and conduct regular backups of all student data. Security configurations are standardized across our platform and regularly audited for compliance. |
| Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures. | We perform system maintenance during off-peak hours to minimize impact on tutoring services. All maintenance activities are logged and monitored, with special attention to any activities affecting student data storage or processing systems. Only authorized IT staff can perform maintenance, using secured admin accounts with full audit trails. |
| Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. | Our technology stack includes next-generation firewalls, intrusion detection systems, and automated monitoring tools. Audit logs are secured and regularly reviewed for suspicious activity. We implement secure configurations for all system components and maintain detailed documentation of security controls. |
| DETECT (DE) | |
| Anomalies and Events (DE.AE): Anomalous activity is detected and the potential impact of events is understood. | Our monitoring systems establish a baseline of normal activity for our platform and automatically flag unusual patterns, especially around student data access. We use advanced analytics to detect potential security events and correlate data from multiple sources to understand potential impacts. Any anomalies in student data access or system usage trigger immediate alerts. |
| Security Continuous Monitoring (DE.CM): The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures. | We maintain 24/7 monitoring of our network, systems, and database activities. Automated tools scan for unauthorized access attempts, unusual data transfers, or suspicious user behavior. Regular vulnerability scans check for potential system weaknesses, with special focus on components handling student PII. |
| Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure awareness of anomalous events. | Our detection capabilities are regularly tested through scheduled penetration tests and security assessments. We continuously update our detection tools based on new threat intelligence and emerging risks in the education sector. Staff roles and responsibilities for monitoring and detection are clearly defined and regularly reviewed. |
| RESPOND (RS) | |
| Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents. | Our incident response plan specifically addresses student data breaches and follows a defined protocol for rapid response. The plan is tested quarterly through tabletop exercises and updated based on lessons learned from each test or actual incident. |
| Communications (RS.CO): Response activities are coordinated with internal and external stakeholders (e.g., external support from law enforcement agencies). | We maintain clear communication protocols for security incidents, including dedicated channels for notifying school district officials within 24 hours of any breach. Our response team coordinates with relevant stakeholders, including legal counsel and law enforcement when necessary. |
| Analysis (RS.AN): Analysis is conducted to ensure effective response and support recovery activities. | Our incident analysis process includes forensic investigation capabilities and root cause analysis procedures. We document all incidents affecting student data and maintain detailed records of our response activities and findings. |
| Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident. | Our team is trained to quickly contain and mitigate security incidents, with specific procedures for different types of breaches. We maintain the ability to quickly isolate affected systems while maintaining critical tutoring services. |
| Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities. | After each incident or exercise, we conduct detailed reviews to identify improvements. Lessons learned are documented and incorporated into updated procedures and training materials. |
| RECOVER (RC) | |
| Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents. | Our recovery procedures prioritize the restoration of student data services while maintaining security. We maintain detailed recovery plans that include step-by-step procedures for system restoration, data validation, and service resumption. Regular backups ensure we can quickly restore any affected student data to a known good state. |
| Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities. | We document all lessons learned during recovery operations and use this information to strengthen our recovery procedures. After each incident or recovery exercise, we update our plans and procedures based on performance analysis and identified gaps. |
| Communications (RC.CO): Restoration activities are coordinated with internal and external parties (e.g., coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors). | During recovery operations, we maintain clear communication with the school district about restoration progress and timelines. We coordinate with all relevant parties to ensure secure system restoration and validate data integrity. Our process includes final verification with stakeholders to confirm successful recovery before closing any incident. |