Schools: Jumpstart your data projects this month! 20 hrs of a fractional data analyst for $1,500.Sign up now →

Security Policy

Protecting Your Data, One Policy at a Time—Your Trust, Transparency, and Security Matter to Us.

1. Introduction

At strived.io, we recognize that the security of student data is paramount. Our comprehensive security policy outlines the measures and practices we employ to protect the confidentiality, integrity, and availability of all data entrusted to us.

Our approach to security is based on the following principles:

  • Defense in Depth: We implement multiple layers of security controls
  • Least Privilege: Access to data is granted on a need-to-know basis
  • Continuous Improvement: We regularly assess and enhance our security measures
  • Transparency: We are open about our security practices and promptly communicate any issues

2. Infrastructure Security

We leverage the robust security features of AWS and Google Cloud to host our infrastructure.

2.1 Cloud Provider Security

Our cloud providers maintain SOC 2 Type II, ISO 27001, PCI DSS Level 1, and HIPAA compliance certifications.

2.2 Network Security

Virtual Private Clouds (VPCs) for isolated environments, cloud-provider and host-based firewalls, real-time intrusion detection and prevention, and DDoS mitigation services.

2.3 System Security

Regular patching within 30 days of release, CIS benchmarks for system hardening, antimalware software or systems rebuilt from scratch at every deployment.

2.4 Monitoring and Logging

Centralized logging for analysis, advanced SIEM tools for real-time threat detection, and 24/7 monitoring by our security team.

3. Data Encryption

3.1 Encryption in Transit

All data transmitted over the internet is encrypted using TLS 1.2 or higher. Remote access requires encrypted VPN connections. All API communications are encrypted and require authentication.

3.2 Encryption at Rest

All databases are encrypted using AES-256. Stored files use envelope encryption. Cloud provider key management services handle secure key storage and rotation.

3.3 End-to-End Encryption

For highly sensitive data transmissions, we offer end-to-end encryption options to ensure data remains encrypted throughout its lifecycle.

4. Access Control

We maintain strict access controls including Single Sign-On (SSO) with multi-factor authentication, Role-Based Access Control (RBAC), and the Principle of Least Privilege. Access rights are reviewed quarterly and automatically deprovisioned when employees leave.

Third-party vendors are given minimum necessary access, closely monitored, contractually bound to our security standards, and regularly audited.

5. Incident Response

Our incident response plan includes 24/7 monitoring, automated alerts, and user reporting channels. Incidents are classified by severity (Critical, High, Medium, Low) and follow a structured procedure: Identification, Containment, Eradication, Recovery, and Post-Incident Analysis.

We commit to initial notification within 72 hours of a confirmed breach and conduct regular incident response drills.

6. Compliance

We maintain compliance with:

  • Family Educational Rights and Privacy Act (FERPA)
  • Children's Online Privacy Protection Act (COPPA)
  • Student Online Personal Information Protection Act (SOPIPA)
  • General Data Protection Regulation (GDPR) for EU data subjects
  • California Consumer Privacy Act (CCPA)
  • Illinois Student Online Personal Protection Act (SOPPA)
  • New York's Education Law 2-d

We align our practices with NIST Cybersecurity Framework, ISO 27001, and Cloud Security Alliance (CSA) STAR.

7. Regular Audits and Assessments

We conduct quarterly internal security reviews, continuous automated assessments, annual penetration testing by certified third-party firms, quarterly external vulnerability scans, and annual comprehensive risk assessments.

All code changes undergo peer review and automated static and dynamic code analysis before deployment.

8. Vendor Management

All potential vendors undergo thorough security assessment and compliance verification. Vendors with access to student data must sign comprehensive data protection agreements, adhere to our security standards, provide regular compliance attestations, and promptly report any security incidents.

9. Continuous Improvement

We subscribe to multiple threat intelligence feeds, actively participate in educational technology and cybersecurity communities, and monitor regulatory changes. All employees undergo mandatory annual security training with regular phishing simulations.

10. Physical Security

We do not have a physical office. All company-issued devices that handle sensitive data are managed through MDM solutions with full-disk encryption and remote wipe capability.

Strived.io

Strived.io transforms complex education data into clear, actionable insights, showing teachers the 'so what' behind the numbers. Its AI-powered platform delivers classroom-ready recommendations, making data easy to find and use.

LinkedInX

© 2026 Strived.io. All rights reserved