Runestone Logo
Legal & Compliance
← Legal & Compliance

Data Security & Privacy Plan

Last updated: August 2025

1. Implementation of Data Security and Privacy Requirements

Runestone Academy implements all reasonable and appropriate administrative, technical, and operational safeguards to ensure compliance with federal and state privacy regulations, and alignment with its published Privacy Policy. Since Runestone Academy is a sole-proprietor operation, all system and data access are controlled exclusively by the founder, ensuring a consistent and accountable application of policies over the lifetime of the service.

2. Safeguards to Protect PII

  • Administrative: Access to personally identifiable information (PII) is restricted to the sole employee. No subcontractors or third parties are provided access.
  • Technical:
    • All systems enforce password-protected access, encrypted at rest and in transit (TLS for all web traffic, encrypted backups).
    • Databases are firewalled and accessible only through secured administrative channels.
    • Regular updates and patches are applied to servers and software.
    • The website is protected by CloudFlare Web Application Firewall.
    • Inter-server communication is inside a firewalled virtual private cloud.
  • Operational: Data collection is limited to the minimum necessary for educational use. Logs are monitored for unusual activity.

3. Training

As the sole employee and administrator, the founder maintains current knowledge of relevant federal and state data protection regulations (FERPA, COPPA, Education Law § 2-d, GDPR principles where applicable) through ongoing professional development in cybersecurity and compliance.

4. Contracting Processes

No subcontractors currently handle Runestone Academy data. If subcontractors or service providers are engaged in the future, they will be required to sign written agreements binding them to confidentiality, privacy, and security obligations at least equivalent to this plan.

5. Incident Management

Runestone Academy maintains procedures to:

  • Immediately investigate suspected data security incidents.
  • Contain and mitigate any unauthorized access.
  • Notify affected educational agencies, users, and regulators as required by law within the mandated timelines.
  • Document the incident, actions taken, and lessons learned.

6. Data Transition

If an educational agency requests a transition of data, all relevant records will be exported in a secure, industry-standard format (CSV/JSON) and transferred using encrypted methods.

7. Secure Destruction

When data is no longer required:

  • Database entries will be securely deleted.
  • Backups containing PII will be encrypted and scheduled for secure overwriting.
  • Certification of destruction will be provided upon request.

8. Alignment with Educational Agency Policies

Runestone Academy will cooperate with each partner agency to align practices with their data security and privacy policies. Any stricter provisions required by an educational agency will be integrated into operations where applicable.

9. Alignment with NIST Cybersecurity Framework (v1.1)

Identify (ID)

  • Asset Management: Servers, databases, and applications are inventoried and reviewed quarterly.
  • Business Environment: Mission and objectives center on providing secure, free STEM education resources.
  • Governance: Policies follow federal/state privacy laws and Runestone's published privacy policy.
  • Risk Assessment: Risks (e.g., unauthorized access, data loss) are periodically assessed.
  • Risk Management: Security decisions balance availability and confidentiality needs.
  • Supply Chain: Minimal third-party dependencies; cloud/hosting providers are vetted for security compliance.

Protect (PR)

  • Access Control: Sole administrator access; strong authentication required.
  • Awareness & Training: Ongoing professional development for sole employee.
  • Data Security: Encryption in transit/at rest; role-based data minimization.
  • Processes & Procedures: Documented policies for updates, access, backups.
  • Maintenance: Regular patching and monitoring of systems.
  • Protective Technology: Firewalls, TLS, intrusion detection via log monitoring.

Detect (DE)

  • Anomalies & Events: Logs reviewed to identify suspicious access.
  • Continuous Monitoring: System and network monitoring tools in place.
  • Detection Processes: Incident response playbook documented and reviewed annually.

Respond (RS)

  • Response Planning: Formal incident response plan maintained.
  • Communications: Legal/agency notifications as required by law.
  • Analysis: Root-cause analysis after any incident.
  • Mitigation: Immediate containment procedures for suspected compromise.
  • Improvements: Incident reviews feed into security updates.

Recover (RC)

  • Recovery Planning: Nightly encrypted backups; restoration procedures tested.
  • Improvements: Lessons learned used to improve recovery.
  • Communications: Clear communication with agencies and affected users after incidents.

Security contact: [email protected]

© Copyright Runestone Academy Ltd  •  Privacy Policy  •  Terms of Service  •  Legal & Compliance