1. Implementation of Data Security and Privacy Requirements
Runestone Academy implements all reasonable and appropriate administrative,
technical, and operational safeguards to ensure compliance with federal and state
privacy regulations, and alignment with its published
Privacy Policy. Since Runestone Academy is a
sole-proprietor operation, all system and data access are controlled exclusively by
the founder, ensuring a consistent and accountable application of policies over the
lifetime of the service.
2. Safeguards to Protect PII
Administrative: Access to personally identifiable information (PII) is restricted to the sole employee. No subcontractors or third parties are provided access.
Technical:
All systems enforce password-protected access, encrypted at rest and in transit (TLS for all web traffic, encrypted backups).
Databases are firewalled and accessible only through secured administrative channels.
Regular updates and patches are applied to servers and software.
The website is protected by CloudFlare Web Application Firewall.
Inter-server communication is inside a firewalled virtual private cloud.
Operational: Data collection is limited to the minimum necessary for educational use. Logs are monitored for unusual activity.
3. Training
As the sole employee and administrator, the founder maintains current knowledge of
relevant federal and state data protection regulations (FERPA, COPPA, Education Law
§ 2-d, GDPR principles where applicable) through ongoing professional development in
cybersecurity and compliance.
4. Contracting Processes
No subcontractors currently handle Runestone Academy data. If subcontractors or
service providers are engaged in the future, they will be required to sign written
agreements binding them to confidentiality, privacy, and security obligations at
least equivalent to this plan.
5. Incident Management
Runestone Academy maintains procedures to:
Immediately investigate suspected data security incidents.
Contain and mitigate any unauthorized access.
Notify affected educational agencies, users, and regulators as required by law within the mandated timelines.
Document the incident, actions taken, and lessons learned.
6. Data Transition
If an educational agency requests a transition of data, all relevant records will be
exported in a secure, industry-standard format (CSV/JSON) and transferred using
encrypted methods.
7. Secure Destruction
When data is no longer required:
Database entries will be securely deleted.
Backups containing PII will be encrypted and scheduled for secure overwriting.
Certification of destruction will be provided upon request.
8. Alignment with Educational Agency Policies
Runestone Academy will cooperate with each partner agency to align practices with
their data security and privacy policies. Any stricter provisions required by an
educational agency will be integrated into operations where applicable.
9. Alignment with NIST Cybersecurity Framework (v1.1)
Identify (ID)
Asset Management: Servers, databases, and applications are inventoried and reviewed quarterly.
Business Environment: Mission and objectives center on providing secure, free STEM education resources.
Governance: Policies follow federal/state privacy laws and Runestone's published privacy policy.
Risk Assessment: Risks (e.g., unauthorized access, data loss) are periodically assessed.
Risk Management: Security decisions balance availability and confidentiality needs.
Supply Chain: Minimal third-party dependencies; cloud/hosting providers are vetted for security compliance.
Protect (PR)
Access Control: Sole administrator access; strong authentication required.
Awareness & Training: Ongoing professional development for sole employee.
Data Security: Encryption in transit/at rest; role-based data minimization.
Processes & Procedures: Documented policies for updates, access, backups.
Maintenance: Regular patching and monitoring of systems.
Protective Technology: Firewalls, TLS, intrusion detection via log monitoring.
Detect (DE)
Anomalies & Events: Logs reviewed to identify suspicious access.
Continuous Monitoring: System and network monitoring tools in place.
Detection Processes: Incident response playbook documented and reviewed annually.
Respond (RS)
Response Planning: Formal incident response plan maintained.
Communications: Legal/agency notifications as required by law.
Analysis: Root-cause analysis after any incident.
Mitigation: Immediate containment procedures for suspected compromise.
Improvements: Incident reviews feed into security updates.