iTherapy Information Security and Privacy Policies

Comprehensive security framework protecting student data and ensuring compliance with federal and state education privacy laws

Effective Date: 11/18/25 | Last Reviewed: 11/18/25 | Next Review Date: 5/18/26

1. Enterprise-Wide Computer Network and Information Security Policy
Purpose
To establish consistent and secure standards for iTherapy's computer networks and information systems, applicable to all employees, independent contractors, and third-party vendors, protecting both company and client data in compliance with federal and state education privacy laws including FERPA, COPPA, and state-specific student data privacy statutes.
Policy
iTherapy maintains a comprehensive information security policy that outlines protocols to safeguard data, including requirements for network access, device security, and handling of sensitive information including Student Data as defined under Education Law § 2-d and equivalent state statutes. All personnel, including contractors and third-party vendors, must comply with these security standards. Any access to iTherapy's network and information systems must be pre-approved by IT management and documented.
  • Data Encryption: AES-256 at rest via AWS KMS and TLS 1.2 or higher in transit
  • Password Security: Minimum 12 characters, complexity requirements, 90-day rotation
  • Multi-Factor Authentication: Required for all administrative access and systems containing Student Data or PHI
  • Access Control: Role-based access control ensuring least-privilege access
Infrastructure Standards
  • All production systems operate on AWS infrastructure with FedRAMP authorization
  • HIPAA Business Associate Agreement (BAA) in place with AWS for Bedrock services
  • Multi-AZ deployment for high availability
  • Regular security patching within 30 days of critical vulnerability disclosure
  • Automatic session timeout after 30 minutes of inactivity
  • Audit logging of all access to systems containing Student Data or PHI
Accessibility
This information security policy is published in the iTherapy Employee Handbook and accessible via the corporate intranet. Any updates will be communicated promptly within 5 business days, and employees will be required to review and confirm understanding of these updates within 10 business days.
Consequences of Non-Compliance

Violation of this policy may result in disciplinary action, up to and including termination, as well as potential legal consequences. Any violation involving Student Data must be reported to affected Educational Agencies within 72 hours.
2. Employee Information Security Training
Purpose
To ensure that all employees and contractors understand their specific responsibilities in maintaining information security within their roles, with particular emphasis on the protection of Student Data and compliance with FERPA, state education privacy laws, and HIPAA where applicable.
Policy
All iTherapy employees will receive mandatory annual training on their responsibilities related to information security, including recognizing and properly reporting security incidents.
  1. FERPA Requirements: School official responsibilities and compliance obligations
  2. State Privacy Laws: State-specific student data privacy laws for states where we operate
  3. HIPAA Requirements: Handling Protected Health Information properly
  4. Threat Recognition: Identifying phishing attempts and social engineering
  5. Secure Data Transfer: Using secure channels for data transfer and protecting client information
  6. Incident Reporting: Procedures for reporting security incidents and document handling
Training Requirements
New employees must complete security training within 7 days of starting employment and before being granted access to any systems containing Student Data or PHI. Additional training sessions will be provided as needed to address emerging security threats or updates to company policies, with no more than 30 days between identification of a new threat and training deployment.
Training completion is tracked and documented, with certificates maintained for audit purposes.
Subcontractor Requirements
All subcontractors with potential access to Student Data or PHI must complete equivalent training and provide documentation of completion before access is granted.
Reporting Requirements

Employees are required to report any suspected security incidents immediately (within 1 hour of discovery) to [email protected] or management. Failure to report incidents may be considered a violation of this policy and may result in disciplinary action.
Documentation
All training activities are logged, including date, participant, topics covered, and assessment results. Training records are maintained for a minimum of 7 years.
3. Formal Privacy Policy
Purpose
To establish iTherapy's commitment to protecting client, student, and employee personal information and to ensure compliance with legal standards including FERPA (34 CFR Part 99), COPPA (15 U.S.C. § 6501-6506), HIPAA (45 CFR Parts 160 and 164), and state-specific education privacy laws.
Policy
iTherapy has a formal written privacy policy that details how we collect, use, store, and disclose personal information in compliance with applicable privacy laws and regulations. This policy has been reviewed and approved by legal counsel specializing in education privacy law to ensure it meets all required federal and state legal standards. Employees are required to review this policy annually and confirm their understanding in writing. This helps to ensure everyone is aware of the legal responsibilities regarding data privacy.
Data Minimization
We collect only the minimum personal information necessary to provide contracted services. For Student Data, this is limited to: student name, date of birth, sex/gender, and system-generated identifiers.
Purpose Limitation
Student Data is used exclusively for the educational services specified in our contracts with Educational Agencies. We do not use Student Data for marketing, advertising, or any commercial purpose beyond providing contracted services.
Transparency
We maintain public-facing privacy notices and provide Educational Agencies with detailed descriptions of our data practices.
Individual Rights
We facilitate Educational Agency compliance with parent/guardian and eligible student rights under FERPA, including the right to review, correct, and request deletion of Student Data.
Security
All personal information is protected with administrative, technical, and physical safeguards appropriate to the sensitivity of the information.
Student Data Specific Protections
  • Student Data is never sold, rented, leased, or traded to third parties
  • Student Data is never used for targeted advertising
  • Student Data is never used to develop commercial products beyond our contracted educational services
  • Student Data retention is limited to the duration necessary to provide services, with automatic deletion protocols (24-hour TTL for conversational data, deletion within 90 days of contract termination unless otherwise specified)
  • Access to Student Data is restricted to employees and subcontractors with legitimate educational interest and appropriate training
Consequences of Non-Compliance

Non-compliance with the privacy policy can result in disciplinary actions, up to termination, and may involve legal repercussions for both iTherapy and the individual involved. Any breach involving Student Data will be reported to affected Educational Agencies and regulatory authorities as required by law.
4. Customer Opt-Out Preferences for Data Sharing
Purpose
To respect and honor customer preferences concerning the sharing of their personal information with non-affiliated third parties, and to ensure compliance with Educational Agency data sharing restrictions.
Policy
iTherapy's information systems and business processes are designed to respect customer choices regarding the sharing of their personal information. Customers have the option to opt out of sharing their non-public, personal information with non-affiliated third parties for non-essential purposes. Our information systems are structured to capture and enforce these preferences throughout data handling processes, ensuring that customer privacy preferences are honored.
Educational Agency Data
Student Data received from Educational Agencies is never shared with non-affiliated third parties except as explicitly authorized in writing by the Educational Agency or as required by law. Any subcontractors receiving Student Data must be documented, and Educational Agencies must be provided with current lists of all subcontractors upon request. Subcontractors are contractually prohibited from further disclosure of Student Data without explicit authorization.
Procedure
All employees handling customer data must verify opt-out preferences before sharing any non-public, personal information with third parties. If an employee is uncertain about a customer's preferences or an Educational Agency's data sharing restrictions, they must consult with the designated privacy officer ([email protected]) before proceeding. Any proposed new subcontractor relationship that would involve access to Student Data must be approved by the Privacy Officer and communicated to affected Educational Agencies before access is granted.
5. Transmission of Sensitive Customer Information
Purpose
To establish secure methods for the handling and transmission of sensitive customer data, including Student Data, Protected Health Information, financial data, and other personal details.
Policy
All transmission of personal customer information, including Student Data and financial data, must occur through encrypted channels using TLS 1.2 or higher for data in transit. Sensitive customer data should only be shared as part of essential business services as defined in contractual agreements. Unauthorized transmission or mishandling of this information is strictly prohibited. Employees must verify the security of any channels or software used to handle sensitive data, ensuring compliance with industry-standard encryption and security practices.
Approved Transmission Methods
  • AWS-hosted secure web applications (HTTPS with TLS 1.2+)
  • Encrypted email services with end-to-end encryption for sensitive attachments
  • Secure file transfer protocols (SFTP, FTPS) with encryption
  • AWS S3 with server-side encryption (SSE-KMS) for file storage and sharing
Prohibited Transmission Methods
  • Unencrypted email for Student Data or PHI
  • Consumer file-sharing services (Dropbox, Google Drive personal accounts, etc.) unless covered by Business Associate Agreement
  • Text messages or SMS for Student Data or PHI
  • Physical media (USB drives, external hard drives) unless encrypted and necessary for service delivery
Special Considerations for Student Data
  • Student Data transmitted to or from Educational Agencies must maintain encryption standards
  • Any data export functionality must include audit logging of who exported data, when, and what data was included
  • Bulk data exports require additional authorization from Educational Agency
Consequences of Non-Compliance

Mishandling of sensitive customer information will be met with disciplinary action, including potential termination and reporting to relevant regulatory authorities. Unauthorized disclosure of Student Data will be reported to affected Educational Agencies within 72 hours.
6. Data Classification, Retention, and Disposal Policy
Purpose
To define how company and client data is categorized, how long it must be kept, and the secure methods for its destruction to comply with legal, regulatory, and contractual requirements, including FERPA record retention requirements and state education privacy laws.
Policy
Data Classification
All data must be classified to determine appropriate handling and security controls:
  • Public: Information intended for public distribution (marketing materials, public website content)
  • Internal: Business information not intended for public distribution but not sensitive (internal memos, general business communications)
  • Confidential: Sensitive business information requiring protection (business strategy documents, financial records, employee information)
  • Highly Confidential: Student Data, Protected Health Information, financial account information, social security numbers, or other information subject to regulatory protection
Retention Periods
Student Data
  • Active Service Period: Retained for duration of contract with Educational Agency
  • Post-Contract: Deleted within 90 days of contract termination unless Educational Agency requests earlier deletion or specifies longer retention for specific purposes
  • Conversational Data (ChatSLP): Automatic 24-hour deletion via DynamoDB TTL
  • Audit Logs: Retained for 7 years to comply with federal record-keeping requirements
Business Records
  • Financial Records: 7 years (IRS requirement)
  • Contracts and Agreements: 7 years after expiration or termination
  • Employee Records: 7 years after separation
  • Security Incident Records: 7 years from incident resolution
Audio Files and Documents
  • Original Audio Recordings: Deleted per Educational Agency direction, typically within 90 days of report generation unless otherwise specified
  • Uploaded Documents (IEPs, Reports): Deleted per Educational Agency direction, typically within 90 days of contract termination
  • Generated Reports: Retained per Educational Agency direction or deleted within 90 days
Disposal Procedures
Digital Data
  • Student Data in Production Databases: Secure deletion using NIST SP 800-88 compliant methods (cryptographic erasure of encryption keys followed by secure deletion)
  • Backup Data: Secure overwriting or cryptographic erasure of encryption keys
  • AWS S3 Objects: Lifecycle policies enforce automatic deletion; manual deletion uses S3 Delete with verification
  • Database Records: Hard delete (not soft delete) followed by verification query
  • Development/Testing Environments: No production Student Data permitted; any test data must be completely de-identified or synthetic
Physical Media
  • Hard Drives/Storage Devices: Physical destruction (shredding, degaussing) using NIST SP 800-88 Rev. 1 compliant methods when devices are decommissioned
  • Paper Records: Cross-cut shredding (minimum P-4 security level per DIN 66399)
  • Backup Tapes: Physical destruction or degaussing before disposal
Disposal Verification
All data disposal activities involving Student Data must be logged, including:
  • Date and time of disposal
  • Type of data disposed
  • Method of disposal
  • Individual who performed disposal
  • Verification of completion
Educational Agencies may request written certification of data disposal upon contract termination.
Cloud Data Disposal
  • AWS S3: Verified deletion with lifecycle policies and deletion confirmation
  • DynamoDB: TTL-based automatic deletion with CloudWatch monitoring
  • RDS Snapshots: Encrypted snapshots deleted with key destruction verification
  • CloudWatch Logs: Retention period enforcement with automatic deletion
7. Formal Security Incident Response Plan (SIRP)
Purpose
To establish a clear, documented process for preparing for, detecting, analyzing, containing, eradicating, and recovering from information security incidents, with specific procedures for incidents involving Student Data as required by state education privacy laws.
Scope
This plan applies to any security incident that may compromise the confidentiality, integrity, or availability of iTherapy information systems or data, including but not limited to:
  • Unauthorized Access: Unauthorized access to systems or data
  • Malware Infections: Malware infections and compromised systems
  • Data Breaches: Data breaches or unauthorized disclosure
  • Denial of Service: Denial of service attacks
  • Physical Security: Physical security breaches
  • Lost Devices: Lost or stolen devices containing sensitive data
  • Insider Threats: Insider threats or policy violations
Incident Response Team (IRT)
Core Team Members
  • Technical Lead: [IT Lead Name/Contact]
Extended Team (as needed)
  • AWS Support (for infrastructure incidents)
  • Forensics specialist (for complex incidents)
  • Law enforcement liaison (for criminal incidents)
8. Preparation
  1. Contact List Maintenance: Maintain an up-to-date Incident Response Team contact list (reviewed quarterly)
  2. Team Training: Ensure all IRT members receive annual incident response training
  3. Response Toolkit: Maintain incident response toolkit including forensics software, communication templates, documentation templates, and contact lists
  4. Tabletop Exercises: Conduct annual tabletop exercises to test incident response procedures
  5. Data Inventory: Maintain current data inventory identifying location and classification of all Student Data
Incident Response Toolkit Components
Technical Resources
  • Forensics software and procedures
  • System backup and recovery tools
  • Network monitoring and analysis tools
  • Malware analysis capabilities
Documentation & Communication
  • Communication templates for Educational Agency notification
  • Documentation templates for incident tracking
  • Contact lists for Educational Agencies, law enforcement, regulatory authorities
  • Legal and regulatory guidance documents
9. Detection & Analysis
Initial Detection
Incidents may be detected through:
  • Automated monitoring alerts (CloudWatch, GuardDuty, CloudTrail)
  • Third-party notifications (AWS, security researchers)
  • Customer reports
Initial Assessment (within 1 hour of detection)
Incident Response Coordinator notified immediately. Preliminary assessment to determine:
  • Nature and scope of incident
  • Systems and data affected
  • Whether Student Data or PHI is involved
  • Whether incident constitutes a "breach" under applicable law
  • Investigation: Preserve evidence, identify root cause, determine extent of unauthorized access
  • Documentation: Document timeline of events and identify affected Educational Agencies
  • Breach Determination: Assess legal definition of "breach" and consult with legal counsel
Investigation Process
  • Preserve evidence (logs, system images, network captures)
  • Identify root cause
  • Determine extent of unauthorized access or disclosure
  • Identify which Educational Agencies' data may be affected
  • Document timeline of events
Breach Determination
Assess whether incident meets legal definition of "breach" under applicable state laws. For Student Data incidents, determine if unauthorized access compromised security, confidentiality, or integrity of data. Consult with legal counsel on notification requirements.
10. Containment & Eradication
Short-term Containment (immediate)
  • Isolate affected systems from network
  • Revoke compromised credentials
  • Block malicious IP addresses or domains
  • Disable compromised user accounts
  • Implement additional monitoring on potentially affected systems
Long-term Containment
  • Apply security patches
  • Implement additional security controls
  • Rebuild compromised systems from known-good backups
Eradication
  1. Remove Threats: Remove malware or unauthorized access tools from all affected systems
  2. Close Vulnerabilities: Close security vulnerabilities that enabled the incident
  3. Credential Rotation: Change all credentials with access to affected systems
  4. Verification: Verify threat is completely removed through scanning and monitoring
11. Recovery
System Restoration
  • Restore from Backups: Restore affected systems from secure backups
  • Verify Integrity: Verify integrity of restored systems
  • Gradual Return: Gradually return systems to production with enhanced monitoring
  • Confirm Operations: Confirm normal operations resumed
Enhanced Monitoring

Post-Recovery Monitoring Requirements:
  • Implement additional logging and alerting
  • Monitor for signs of incident recurrence
  • Continue enhanced monitoring for minimum 30 days post-incident
12. Notification
Internal Notification
  • Incident Response Team notified immediately upon detection
  • Executive management notified within 4 hours for significant incidents
  • All employees notified if incident affects company operations or requires awareness
Educational Agency Notification (for Student Data breaches)
Timeline
Within 72 hours of confirmation that incident constitutes a breach under applicable law
Exception: Notification may be delayed if law enforcement requests a delay; notification is then provided within a reasonable time once the investigation allows
Content of Notification
  • Contact Information: Name and contact information for iTherapy incident response coordinator
  • Incident Description: Description of incident (date, estimated date, or date range)
  • Data Types: Types of Student Data involved in breach
  • Impact Scope: Number of students affected (if known)
  • Response Actions: Steps iTherapy is taking to investigate and remediate
  • Additional Information: Contact information for Educational Agency to obtain additional information, date of notification, and whether notification was delayed
Parent/Guardian Notification
  • Educational Agency maintains responsibility for parent notification
  • iTherapy will provide Educational Agency with information needed for notification
  • iTherapy will cooperate with Educational Agency notification efforts
Regulatory Notification
Notifications to state education departments or other regulatory authorities as required by applicable state law. Timeline and content as specified by applicable regulations. Privacy Officer coordinates regulatory notifications with legal counsel.
Law Enforcement Notification
Contact law enforcement for incidents involving criminal activity. Coordinate investigation to avoid compromising evidence.
13. Post-Incident Activity
Incident Documentation
Comprehensive incident report including:
  • Timeline of events
  • Systems and data affected
  • Root cause analysis
  • Response actions taken
  • Lessons learned
  • Recommendations for improvement
Post-Incident Review
Conducted within 2 weeks of incident resolution. All IRT members participate.
  • What Happened: What happened and why?
  • Detection: Were detection mechanisms adequate?
  • Response Time: Was response timely and effective?
  • Improvements: What could be done better?
  • Changes Needed: What process or technical changes are needed?
  • Notifications: Were notification requirements met?
Remediation Actions
  • Implement technical improvements identified in post-incident review
  • Update security policies or procedures as needed
  • Provide additional training if human error contributed
  • Set timeline and assign responsibility for each remediation action
  • Track remediation completion
Metrics and Reporting
Track key incident metrics:
  • Time to detection
  • Time to containment
  • Time to notification
  • Time to resolution
  • Number of records affected
Report incidents and metrics to executive management quarterly. Include incident trends in annual security review.
14. Special Considerations for Student Data Incidents
Breach vs. Non-Breach Determination

Good faith acquisition by employee for legitimate educational purpose is not a breach if:
  • Data used only for purposes permitted by law and contract
  • Data restricted from further unauthorized disclosure
Cost Responsibility
For breaches attributable to iTherapy or our subcontractors:
  • iTherapy bears costs of Educational Agency notification to parents
  • iTherapy may bear costs of investigation and remediation per contract terms
Documentation Requirements
  • Maintain detailed records of all Student Data incidents for 7 years
  • Provide incident documentation to Educational Agencies upon request
  • Provide incident summaries to state education departments if required
Coordination with Educational Agencies
  • Regular Updates: Provide regular updates during incident investigation
  • Notification Consultation: Consult with Educational Agency on notification language
  • Timing Coordination: Coordinate timing of notifications
  • Technical Assistance: Provide technical assistance for Educational Agency's incident response
15. Access Control and Authentication Policy
Purpose
To establish standards for user authentication and authorization to ensure that only authorized individuals can access iTherapy systems and data, with particular emphasis on protecting Student Data and PHI.
Policy
Authentication Requirements
Password Standards
  • Minimum 12 characters
  • Must include uppercase, lowercase, numbers, and special characters
  • Cannot reuse last 5 passwords
  • Must be changed every 90 days
  • Account lockout after 5 failed login attempts
  • Passwords must not contain username or common dictionary words
Multi-Factor Authentication (MFA)
Required for:
  • All administrative access
  • Any access to systems containing Student Data or PHI
  • Remote access to corporate network
  • Access to AWS Management Console
Acceptable MFA Methods
  • Hardware Security Keys (preferred)
  • Authenticator Apps (TOTP)
  • SMS (acceptable but not preferred)
Not Acceptable
  • Email-based MFA
  • Security questions alone
Authorization and Access Control
Principle of Least Privilege
  • Users granted minimum access necessary to perform job functions
  • Access rights reviewed quarterly
  • Temporary elevated access requires documented approval and automatic expiration
Role-Based Access Control (RBAC)
Defined roles with associated permissions:
  • End User (Educational Agency personnel): Access only to their agency's data
  • Clinical Support: Read-only access for customer support purposes (with MFA)
  • Developer: Access to development/staging environments only (no production data)
  • System Administrator: Full access to production systems (requires MFA and logging)
  • Privacy Officer: Access to audit logs and compliance documentation
Access Request Process
  1. Submit Request: All access requests submitted via formal process
  2. Manager Approval: Manager approval required
  3. Privacy Officer Approval: Privacy Officer approval required for Student Data access
  4. Access Granted: Access granted within 24 hours of approval
  5. Automatic Review: Access automatically reviewed at 90 days
Access Termination
  • All access revoked within 4 hours of employment termination
  • Access revoked within 24 hours when no longer needed for job function
  • Contractor access expires automatically at contract end date
Session Management
Session Timeouts
  • Automatic logout after 30 minutes of inactivity
  • Re-authentication required after timeout
  • Warning provided 5 minutes before timeout
Concurrent Session Limits
  • Maximum 2 concurrent sessions per user
  • Prevents credential sharing
System Access Logging
Audit Trail Requirements
All access to systems containing Student Data or PHI logged via CloudTrail. Logs include:
  • User identity
  • Date and time
  • Type of access (read, write, delete)
  • Data accessed
  • Source IP address
  • Success or failure
Logs retained for 7 years. Logs reviewed monthly for unusual activity.
Automated Alerts
Automated alerts for:
  • Access outside business hours
  • Failed login attempts (5+ in 1 hour)
  • Bulk data exports
  • Access from unusual geographic locations
  • Administrative actions
16. Physical and Environmental Security Policy
Purpose
To establish standards for protecting physical access to facilities, equipment, and media containing sensitive data.
Policy
Facility Access Control
Office Security
  • Office facilities secured with key card or biometric access systems
  • Access logs maintained and reviewed monthly
  • Visitor sign-in required with escort by authorized employee
  • Security cameras monitoring entry/exit points
  • After-hours access restricted to authorized personnel only
Server Room Security
  • iTherapy uses AWS cloud infrastructure; no on-premise servers containing Student Data
  • Any local backup media stored in locked, access-controlled area
  • Fire suppression and environmental controls in place for physical storage areas
Device Security
Workstation Standards
  • Full disk encryption required on all devices accessing Student Data
  • Screen lock after 5 minutes of inactivity
  • Workstations must not be left unattended while logged in
  • Workstations positioned to prevent shoulder surfing in public areas
Mobile Device Management
  • Company-issued devices enrolled in MDM solution
  • Remote wipe capability enabled
  • Automatic updates enforced
  • Lost or stolen devices reported immediately and remotely wiped within 4 hours
Removable Media
  • USB drives and external hard drives must be encrypted if used for business data
  • Use of removable media for Student Data requires Privacy Officer approval
  • All removable media physically destroyed when no longer needed (not reformatted)
Clean Desk Policy
  • Secure Storage: Sensitive documents locked away when not in use
  • Screen Locking: Screens locked when leaving desk
  • Overnight Security: No sensitive information left visible on desks overnight
  • Proper Disposal: Documents containing Student Data or PHI shredded (not discarded in regular trash)
Equipment Disposal
  • All storage media sanitized per NIST SP 800-88 before disposal or reuse
  • Hard drives physically destroyed (shredding, drilling, degaussing)
  • Certificates of destruction maintained for audit purposes
  • Equipment disposal logged with serial numbers and destruction method
17. Third-Party and Vendor Management Policy
Purpose
To ensure that third-party vendors and subcontractors who have access to iTherapy systems or data maintain security and privacy standards consistent with our own policies and contractual obligations.
Policy
Vendor Assessment
Pre-Engagement Security Assessment
All vendors who will access Student Data or PHI must:
  • Complete security questionnaire
  • Have security practices reviewed and approved by Privacy Officer before engagement
  • Demonstrate compliance with applicable security frameworks
  • Undergo risk assessment that is documented
Required Vendor Capabilities
  • Encryption: Encryption of data at rest and in transit
  • Access Controls: Access controls and authentication mechanisms
  • Incident Response: Incident response procedures
  • Business Continuity: Business continuity and disaster recovery plans
  • Compliance: Compliance with applicable regulations (FERPA, COPPA, state privacy laws)
Contractual Requirements
Required Contract Terms for Vendors with Student Data Access
  • Written agreement signed before data sharing
  • Explicit limitation on use of Student Data (only for contracted services)
  • Prohibition on further disclosure without authorization
  • Requirement to implement reasonable security measures
  • Incident notification requirements (within 72 hours)
  • Audit rights for iTherapy and Educational Agencies
  • Data return or destruction upon contract termination
  • Indemnification for vendor-caused breaches
  • Compliance with all applicable privacy laws
Subcontractor Requirements
  • iTherapy must approve all vendor subcontractors in writing before Student Data access
  • Same contractual protections flow down to subcontractors
  • Vendor remains responsible for subcontractor compliance
Vendor Monitoring
Ongoing Oversight
  • Annual security assessment for critical vendors
  • Review of vendor security incidents that could affect iTherapy
  • Periodic audits of vendor security practices
  • Tracking of vendor access to Student Data
Vendor List Maintenance
Current list of all vendors with Student Data access maintained. List provided to Educational Agencies upon request and updated at least twice annually (January and July). List includes: vendor name, services provided, type of data accessed, contract expiration date.
Current Approved Vendors with Student Data Access
Amazon Web Services (AWS)
  • Services: Cloud infrastructure, data storage, computation
  • Data Access: All Student Data processed through AWS infrastructure
  • Security: FedRAMP authorized, HIPAA Business Associate Agreement in place
  • Compliance: SOC 2 Type II, ISO 27001 certified
Vendor Incident Response
  • Vendors required to notify iTherapy within 24 hours of security incident
  • iTherapy assesses impact on Student Data
  • Educational Agencies notified within 72 hours if Student Data affected
  • Vendor cooperation required for incident investigation
  • Vendor non-compliance may result in contract termination
18. Business Continuity and Disaster Recovery Policy
Purpose
To ensure continuity of operations and rapid recovery of systems and data following a disaster or significant disruption.
Policy
Business Continuity Planning
Critical Function Identification
  • EASI platform availability (language sample analysis, report generation)
  • ChatSLP clinical reasoning assistant
  • Customer support services
  • Data backup and recovery capabilities
Recovery Time Objectives (RTO)
  • Critical systems: 4 hours
  • Standard systems: 24 hours
  • Non-critical systems: 72 hours
Recovery Point Objectives (RPO)
  • Student Data: Maximum 15 minutes of data loss (DynamoDB point-in-time recovery)
  • Configuration and code: Maximum 24 hours (daily backups)
  • Audit logs: No data loss (continuous replication)
Data Backup
Backup Schedule
  • DynamoDB: Continuous backups with point-in-time recovery
  • RDS: Daily automated backups with 7-day retention
  • S3 Data: Versioning enabled, cross-region replication for critical buckets
  • Application Code: Version controlled in Git with multiple redundant repositories
Backup Testing
  • Quarterly restoration tests to verify backup integrity
  • Annual full disaster recovery exercise
  • Documentation of test results and any issues identified
Disaster Recovery Procedures
AWS Infrastructure Failure
  • Multi-AZ deployment provides automatic failover
  • Cross-region replication for critical data
  • CloudFormation templates enable rapid infrastructure rebuild in alternate region
  • Disaster recovery procedures documented and updated quarterly
Data Center Failure
  • AWS handles data center redundancy
  • iTherapy maintains documentation for rapid rebuild in alternate AWS region
Ransomware or Major Security Incident
  • Isolated backups protected from production environment compromise
  • Incident response procedures (see Section 7) followed
  • System rebuild from clean backups
  • Forensic investigation before restoration
Communication During Disaster
  • Status page maintained for customer communication
  • Emergency contact list for all Educational Agencies maintained
  • Communication protocols documented and tested annually
Business Continuity Testing
Annual DR Exercise
  • Full disaster recovery scenario tested annually
  • All IRT members participate
  • Results documented and improvement actions identified
  • Updates to DR procedures completed within 30 days of exercise
19. Compliance Monitoring and Audit Policy
Purpose
To ensure ongoing compliance with security policies, contractual obligations, and regulatory requirements through regular monitoring and auditing.
Policy
Internal Audits
Regular Review Schedule
  1. Quarterly Reviews: Access rights, security policy compliance, training completion
  2. Annual Reviews: Vendor compliance, incident response procedures, business continuity plans
Audit Documentation
  • All audits documented with findings and remediation plans
  • Audit reports reviewed by executive management
  • Remediation action items tracked to completion
  • Audit documentation retained for 7 years
External Audits
Educational Agency Audit Rights
  • Educational Agencies may audit iTherapy security and privacy practices upon 10 business days' notice
  • iTherapy will cooperate reasonably with audit activities
  • iTherapy will provide access to facilities, systems, personnel, and documentation as appropriate
  • Confidentiality agreement may be required for access to sensitive business information
Regulatory Audits
  • Full cooperation with audits by state education departments or other oversight agencies
  • Privacy Officer coordinates regulatory audit responses
  • Documentation provided as requested within reasonable timeframes
Compliance Reporting
Internal Reporting
  • Quarterly compliance report to executive management
  • Annual comprehensive security review
  • Incident metrics and trends reported quarterly
External Reporting
  • Annual attestation of compliance provided to Educational Agencies upon request
  • Security incident reports as required by contract and law
  • Certification of data destruction upon contract termination
Policy Review and Updates
Annual Policy Review
All security and privacy policies are reviewed annually. Updates are made to reflect:
  • Changes in law or regulation
  • Changes in business operations
  • Lessons learned from incidents
  • Industry best practice evolution
  • Educational Agency feedback
Updated policies are communicated to all employees within 5 business days. Employees are required to review and acknowledge updates within 10 business days.
Trigger-Based Updates
Policies updated within 30 days following:
  • New legal requirements
  • Significant security incidents
  • Changes in business operations affecting data handling
  • Educational Agency requests for specific policy provisions
20. Alignment with NIST Cybersecurity Framework v1.1
Purpose
To document iTherapy's alignment with the National Institute of Standards and Technology (NIST) Cybersecurity Framework Version 1.1, which serves as the standard for data security and privacy practices in the education sector.
Policy
iTherapy's security program is designed to align with all five core functions of the NIST CSF: Identify, Protect, Detect, Respond, and Recover.
Framework Implementation
IDENTIFY (ID)
Asset Management: Maintained inventory of all systems, data, and devices; classified by sensitivity level
Business Environment: Clear understanding of educational mission and stakeholder obligations
Governance: Formal policies reviewed annually; legal and regulatory requirements documented
Risk Assessment: Annual risk assessments conducted; vulnerabilities tracked and remediated
Risk Management Strategy: Risk tolerance defined; risk decisions documented
Supply Chain Risk Management: Vendor assessment process; contractual protections for third parties
PROTECT (PR)
Access Control: Role-based access; MFA for sensitive data; principle of least privilege enforced
Awareness and Training: Annual mandatory security training; specialized training for data handlers
Data Security: Encryption at rest and in transit; data categorized and protected accordingly
Information Protection Processes: Comprehensive security policies; baseline security configurations
Maintenance: Regular patching and updates; maintenance performed by authorized personnel
Protective Technology: Firewalls, intrusion detection, endpoint protection, audit logging
DETECT (DE)
Anomalies and Events: CloudWatch monitoring; GuardDuty threat detection; log analysis
Security Continuous Monitoring: Real-time monitoring of infrastructure; automated alerting
Detection Processes: Defined detection procedures; regular review of detection effectiveness
RESPOND (RS)
Response Planning: Formal incident response plan (Section 7); procedures tested annually
Communications: Internal and external communication protocols; notification templates
Analysis: Forensic capabilities; root cause analysis procedures
Mitigation: Containment procedures; vulnerability remediation processes
Improvements: Post-incident reviews; lessons learned incorporated into procedures
RECOVER (RC)
Recovery Planning: Business continuity and disaster recovery plans (Section 11)
Improvements: Recovery procedures updated based on lessons learned
Communications: Stakeholder communication during recovery; restoration status reporting
This alignment is documented in detail in our Data Security and Privacy Plan provided to Educational Agencies and is reviewed and updated annually to maintain alignment with framework updates and evolving best practices.
Employee Acknowledgment
Policy Compliance Requirements
To reinforce the importance of these policies, all employees will be required to:
  1. Review Policies: Review each policy upon hire and annually thereafter
  2. Complete Training: Complete security and privacy training within 7 days of hire and annually thereafter
  3. Sign Acknowledgment: Complete a sign-off indicating they have read, understood, and agreed to comply with these policies
  4. Report Incidents: Report any incidents or issues related to information security or privacy to the designated officer without delay (within 1 hour of discovery)

Contact Information
For any questions regarding these policies or for clarification on procedures, employees and Educational Agencies are encouraged to reach out to:
  • IT and Security Support: For technical security issues, access problems, and security incident reporting
  • Privacy Officer: For questions about Student Data privacy, FERPA compliance, data sharing, and policy interpretation
  • Incident Reporting (Urgent): For immediate reporting of security incidents (within 1 hour of discovery)
  • General Information: For general inquiries about iTherapy services and policies

Business Hours
Monday-Friday, 8:00 AM - 5:00 PM Pacific Time
Emergency Contact
For after-hours security incidents: 707-651-9915
Document Control
  • Version 2.0: Current policy version
  • 1 Annual Review: Policies reviewed yearly
  • 7 Years Retained: Documentation retention period
Commitment to Security and Trust
These policies are designed not only to protect iTherapy's information systems and client data but also to foster a culture of security and trust within the organization and with our Educational Agency partners.
Compliance with these policies is mandatory, and any breaches or issues should be reported promptly for appropriate action. These policies demonstrate iTherapy's commitment to maintaining the highest standards of data security and privacy in service to the educational community.

Remember: Security is everyone's responsibility. By following these policies and procedures, you help protect the sensitive information entrusted to iTherapy by students, families, and educational institutions.