1. Purpose
This Policy describes the administrative, technical, and physical safeguards that My Progress Bridge, Inc. maintains to protect the confidentiality, integrity, and availability of personal information processed in connection with the My Progress Bridge analytics platform (the “Service”), including Student Data entrusted to us by school districts and other local educational agencies (each, an “LEA”).
2. Governance
Our Chief Executive Officer is ultimately responsible for the information security program, which is operated day-to-day by the Chief Information Security Officer or designee (the “Security Officer”). The Security Officer maintains the policies, controls, risk register, and metrics that comprise the program.
3. Frameworks and Compliance
Our information security program is designed and operated to align with:
- AICPA SOC 2 Trust Services Criteria (Security; Availability and Confidentiality where applicable);
- NIST Cybersecurity Framework and, where applicable, NIST SP 800-53 / 800-171;
- FERPA and, for New York LEAs, Education Law § 2-d and 8 NYCRR Part 121 § 121.5;
- NY SHIELD Act, N.Y. Gen. Bus. Law § 899-bb;
- COPPA for information collected from children under 13 in the LEA-authorized school context.
4. Risk Management
We maintain a documented risk-assessment methodology and conduct a formal enterprise-wide risk assessment at least annually, with additional targeted assessments following material changes.
5. Data Classification and Handling
We classify data into tiers (Public, Internal, Confidential, Restricted), with Student Data treated as Restricted. Student Data is processed exclusively in environments designed for Restricted data and is logically segregated by LEA tenant.
6. Access Control
6.1 Authorization
Access is granted on the principle of least privilege. Privileged access is approved in writing, time-limited, and reviewed at least quarterly.
6.2 Authentication
All personnel access to production systems requires multi-factor authentication. Customer-facing access supports SSO via SAML 2.0 / OpenID Connect.
6.3 Role-Based Access Control
The Service implements RBAC with granular permissions configurable by the LEA, with separation of duties between development, operations, and security functions.
7. Encryption
Personal information is encrypted in transit using TLS 1.2 or higher with modern cipher suites, and at rest using AES-256 or equivalent. Cryptographic keys are managed in dedicated key-management services with defined rotation, separation of duties, and access logging.
8. Network and Infrastructure Security
- Segregated production, staging, and development environments;
- Network segmentation, firewalls, and security groups configured to default-deny;
- DDoS protection at the edge;
- Intrusion-detection and traffic-anomaly monitoring;
- Endpoint protection on all personnel devices, including disk encryption and anti-malware;
- Hardening baselines aligned to CIS Benchmarks.
9. Secure Software Development
We follow a documented SDLC including threat modeling, secure coding standards, mandatory peer code review, automated SAST and dependency scanning, and pre-deployment security testing.
10. Vulnerability Management & Penetration Testing
We perform continuous vulnerability scanning, with remediation timelines based on severity (Critical: 7 days; High: 30 days; Medium: 60 days; Low: 90 days). An independent third party conducts an application and infrastructure penetration test at least annually.
11. Logging, Monitoring, and Detection
Security-relevant events are logged across infrastructure and application layers, forwarded to a centralized logging system, and retained for the period required by applicable law and contract.
12. Incident Response
We maintain a written Incident Response Plan defining roles, severity classification, escalation paths, and communication procedures. The plan is tested at least annually. We notify affected LEAs without unreasonable delay and within timeframes required by contract and law.
13. Business Continuity & Disaster Recovery
We maintain BCP and DR plans with defined RTO/RPO, geographically separated backups, and at least annual recovery testing. Backups are encrypted and integrity-checked.
14. Vendor and Subprocessor Risk Management
Subprocessors processing personal information undergo documented due-diligence review covering security posture, compliance attestations, and breach-notification obligations. Subprocessors are reassessed at least annually.
15. Personnel Security
- Background checks consistent with applicable law and position sensitivity;
- Confidentiality and acceptable-use agreements;
- Privacy and security training upon hire and annually, including FERPA-specific training;
- Disciplinary action for violations, up to and including termination.
16. Physical Security
Production data centers are operated by enterprise cloud providers maintaining biometric access controls, 24×7 staffing, and audited compliance with industry standards.
17. Data Retention and Destruction
Personal information is retained only as long as necessary. Upon termination, Student Data is returned or destroyed within the contracted period (within 60 days for NY LEAs). Destruction follows NIST SP 800-88 Rev. 1.
18. Audit and Assurance
We engage a qualified independent firm to perform a SOC 2 Type II examination. Reports are made available to LEAs under a non-disclosure agreement.
19. Contact
Security questions or vulnerability reports may be directed to:
My Progress Bridge, Inc.
Attn: Chief Information Security Officer
Email: contact@myprogressbridge.com
