Protecting Your Data, One Policy at a Time—Your Trust, Transparency, and Security Matter to Us.
At strived.io, we recognize that the security of student data is paramount. Our comprehensive security policy outlines the measures and practices we employ to protect the confidentiality, integrity, and availability of all data entrusted to us.
Our approach to security is based on the following principles:
We leverage the robust security features of AWS and Google Cloud to host our infrastructure.
Our cloud providers maintain SOC 2 Type II, ISO 27001, PCI DSS Level 1, and HIPAA compliance certifications.
Virtual Private Clouds (VPCs) for isolated environments, cloud-provider and host-based firewalls, real-time intrusion detection and prevention, and DDoS mitigation services.
Regular patching within 30 days of release, CIS benchmarks for system hardening, antimalware software or systems rebuilt from scratch at every deployment.
Centralized logging for analysis, advanced SIEM tools for real-time threat detection, and 24/7 monitoring by our security team.
All data transmitted over the internet is encrypted using TLS 1.2 or higher. Remote access requires encrypted VPN connections. All API communications are encrypted and require authentication.
All databases are encrypted using AES-256. Stored files use envelope encryption. Cloud provider key management services handle secure key storage and rotation.
For highly sensitive data transmissions, we offer end-to-end encryption options to ensure data remains encrypted throughout its lifecycle.
We maintain strict access controls including Single Sign-On (SSO) with multi-factor authentication, Role-Based Access Control (RBAC), and the Principle of Least Privilege. Access rights are reviewed quarterly and automatically deprovisioned when employees leave.
Third-party vendors are given minimum necessary access, closely monitored, contractually bound to our security standards, and regularly audited.
Our incident response plan includes 24/7 monitoring, automated alerts, and user reporting channels. Incidents are classified by severity (Critical, High, Medium, Low) and follow a structured procedure: Identification, Containment, Eradication, Recovery, and Post-Incident Analysis.
We commit to initial notification within 72 hours of a confirmed breach and conduct regular incident response drills.
We maintain compliance with:
We align our practices with NIST Cybersecurity Framework, ISO 27001, and Cloud Security Alliance (CSA) STAR.
We conduct quarterly internal security reviews, continuous automated assessments, annual penetration testing by certified third-party firms, quarterly external vulnerability scans, and annual comprehensive risk assessments.
All code changes undergo peer review and automated static and dynamic code analysis before deployment.
All potential vendors undergo thorough security assessment and compliance verification. Vendors with access to student data must sign comprehensive data protection agreements, adhere to our security standards, provide regular compliance attestations, and promptly report any security incidents.
We subscribe to multiple threat intelligence feeds, actively participate in educational technology and cybersecurity communities, and monitor regulatory changes. All employees undergo mandatory annual security training with regular phishing simulations.
We do not have a physical office. All company-issued devices that handle sensitive data are managed through MDM solutions with full-disk encryption and remote wipe capability.