Information Security Program

Effective April 1, 2026

1. Program Overview

Operator: Eccleston Education Consulting, LLC (DBA IEPVue)

Responsible Individual: Dr. Kristen Eccleston, Ed.D., Founder

This Information Security Program establishes a comprehensive framework to protect personal information collected, used, and disclosed by IEPVue, with special attention to the protection of information about children under 13 years of age. The program complies with the Children's Online Privacy Protection Act (COPPA) 2025 amendments and applies security standards appropriate to the sensitivity of the data handled.

IEPVue is a digital guidance platform that helps parents and guardians navigate Individualized Education Program (IEP) processes. The platform collects minimal personal information, including student profile data (nickname, grade level, school, county, and educational concerns) and account information (email and display name).

2. Risk Assessment

IEPVue has conducted a risk assessment to identify potential vulnerabilities and threats to personal information in its possession, particularly data about children. Key risks identified include:

  • Unauthorized Access: Risk that unauthorized parties could access accounts or personal data through compromised credentials or network vulnerabilities.
  • Data Interception: Risk that data transmitted over networks could be intercepted if not properly encrypted.
  • Vendor Breaches: Risk that third-party service providers (Stripe, Anthropic, Base44, Loops.so) could experience security incidents affecting IEPVue data.
  • Insider Threats: Risk that employees or contractors with system access could misuse personal information.
  • Inadequate Session Management: Risk that sessions with uploaded documents could persist longer than necessary, exposing sensitive content.
  • Loss of Data Integrity: Risk that personal information could be altered or corrupted by unauthorized parties.

Based on this assessment, IEPVue implements layered technical and administrative safeguards described below.

3. Technical Safeguards

3.1 Encryption in Transit

All data transmitted between users' devices and IEPVue's servers is protected using Transport Layer Security (TLS) version 1.2 or higher. This includes:

  • Login credentials and authentication tokens
  • Student profile information
  • Chat and conversation messages
  • Document uploads and processing requests
  • Payment and subscription data (transmitted to Stripe, not stored on IEPVue servers)

HTTPS is enforced on all pages. Browsers will display a security indicator confirming an encrypted connection.

3.2 Encryption at Rest and Password Security

Passwords are never stored in plaintext. IEPVue uses industry-standard secure hashing algorithms to store passwords. Even IEPVue administrators cannot retrieve or view users' plaintext passwords.

Student profile data and account information stored in the database are secured through:

  • Restricted database access (principle of least privilege)
  • Regular security audits of data storage practices
  • Platform-level database security controls provided by our hosting infrastructure

3.3 Secure Authentication

IEPVue offers multiple authentication methods to reduce reliance on password-only security:

  • Google SSO (Single Sign-On): Allows users to log in using their existing Google account, with authentication managed by Google's security infrastructure.
  • Microsoft SSO: Allows users to log in using their existing Microsoft account, with authentication managed by Microsoft's security infrastructure.
  • Email/Password Authentication: For users who prefer traditional login, passwords are hashed and secured as described above. Session tokens are generated after successful authentication and expire after a period of inactivity (default: 24 hours).

Session cookies are marked as Secure and HttpOnly, preventing access via JavaScript and transmission over non-HTTPS connections.

3.4 Ephemeral Document Processing

Documents uploaded by users for guidance analysis are never stored permanently on IEPVue servers. Instead:

  • Documents are processed in a single session only, in memory.
  • Content is never written to persistent storage or database records.
  • When a session ends or expires (within 1 hour maximum), all document data is cleared from memory.
  • Users receive a session-specific PDF report of guidance; this PDF is generated on-demand and not retained server-side.
  • IEPVue does not create backups or archives of uploaded documents.

This design minimizes data retention risk and ensures documents are treated as ephemeral rather than archived.

3.5 Base44 Platform Security

IEPVue is hosted on Base44, a managed platform for no-code applications. Base44 provides:

  • Secure, redundant infrastructure with DDoS protection
  • Regular security patches and updates
  • Network segmentation and firewalls
  • Monitoring and intrusion detection
  • Data center security and physical access controls

IEPVue relies on Base44's security infrastructure for baseline application security. IEPVue is responsible for application-layer security (authentication, encryption, data handling).

3.6 Payment Data Security (Stripe PCI-DSS)

IEPVue does not collect, store, process, or transmit credit card details. All payment processing is delegated to Stripe, a PCI-DSS Level 1 compliant payment processor. Stripe handles:

  • Collection of payment card information
  • Tokenization and secure storage of payment methods
  • Fraud detection and prevention
  • Compliance with PCI-DSS standards

IEPVue receives only non-sensitive payment confirmations and subscription status from Stripe. Card data never touches IEPVue systems.

4. Administrative Safeguards

4.1 Access Controls

Access to IEPVue systems and data is limited to authorized personnel on a need-to-know basis. User roles include:

  • Admin: Full system access, including user management, account settings, and billing administration. Limited to Dr. Kristen Eccleston and authorized contractors.
  • User: Access only to their own account, student profiles, conversations, and subscription data.

All system access is logged and periodically reviewed.

4.2 Employee and Contractor Training

Any employees, contractors, or service providers with access to IEPVue systems or personal data receive training on:

  • Data protection practices and compliance obligations
  • Handling of sensitive information, especially data about children
  • COPPA requirements and privacy by design principles
  • Incident reporting procedures
  • Password security and authentication best practices

Training is provided before access is granted and refreshed annually.

4.3 Vendor Due Diligence and Data Processing Agreements

IEPVue uses third-party service providers and requires all to meet specified security and privacy standards. Key vendors include:

Anthropic (AI Processing)

  • Service: API-based AI model for generating IEP guidance and feedback.
  • Data Handling: User messages and student profile information are sent to Anthropic's API for processing. According to Anthropic's commercial API terms, API data is not used to train models and is retained only for system improvement and compliance purposes.
  • Security: Anthropic has implemented security standards for API communication. API calls are transmitted over TLS-encrypted HTTPS connections.
  • Data Processing Agreement: Commercial API terms are in effect; IEPVue has reviewed Anthropic's privacy and security policies.

Stripe (Payment Processing)

  • Service: Payment processing, billing, and subscription management.
  • Data Handling: IEPVue transmits only subscription and customer ID information to Stripe. Payment card data is collected and stored solely by Stripe.
  • Security: Stripe is a PCI-DSS Level 1 certified payment processor with comprehensive security infrastructure.
  • Data Processing Agreement: Stripe's Data Processing Agreement is in effect, addressing data protection and privacy obligations.

Loops.so (Email Marketing)

  • Service: Transactional email delivery for account confirmations, password resets, subscription updates, and newsletters.
  • Data Handling: IEPVue transmits only the user's email address and display name to Loops.so for email delivery.
  • Security: Loops.so maintains standard email service security practices.
  • Data Processing Agreement: Loops.so terms of service are in effect; IEPVue has reviewed their privacy practices.

Base44 (Application Hosting)

  • Service: Hosting, database management, and infrastructure for the IEPVue application.
  • Data Handling: All IEPVue data (accounts, profiles, conversations, logs) is stored on Base44's managed infrastructure.
  • Security: Base44 provides enterprise-grade security, including DDoS protection, firewalls, intrusion detection, and regular security updates.
  • Data Processing Agreement: Base44's platform terms and security policies are in effect; IEPVue has reviewed infrastructure security documentation.

IEPVue periodically reviews vendors' security practices and compliance certifications. Any material changes to vendor security posture are communicated to IEPVue leadership.

4.4 Incident Response Procedures

IEPVue has established procedures to detect, investigate, and respond to security incidents or suspected breaches of personal information:

Detection and Assessment

  • IEPVue monitors logs and system alerts for suspicious activity, unauthorized access attempts, or data integrity issues.
  • Upon detection of a potential incident, investigation begins immediately to determine scope, nature, and affected individuals.
  • Assessment is completed within 24 hours of detection.

Notification and Reporting

  • If personal information has been, or is reasonably believed to have been, accessed or acquired without authorization, IEPVue will notify affected individuals without unreasonable delay (within 60 days).
  • Notification will include a description of the incident, the types of information involved, the steps taken to investigate, and the steps users can take to protect themselves.
  • If the incident affects Maryland residents (where Eccleston Education Consulting, LLC is based), the Maryland Attorney General's office will be notified if required by state law.
  • If the incident is material and affects children under 13, the Federal Trade Commission (FTC) will be notified within 60 days, as required by COPPA.

Remediation

  • Root cause analysis is conducted to identify how the incident occurred and what safeguards failed.
  • Remedial measures are implemented to prevent similar incidents, which may include software patches, policy changes, additional training, or enhanced monitoring.
  • Affected users are offered free credit monitoring or identity protection services if appropriate.

5. Data Minimization Practices

IEPVue collects only the personal information necessary to provide effective guidance, consistent with privacy by design principles:

What We Collect

  • Account Information: Email address and display name (not legal name).
  • Student Profile Data: Student nickname (not legal name), grade level, school name, county, and educational concerns (e.g., "math challenges," "reading support").
  • Conversation Data: Messages sent to the AI guidance system and AI-generated responses, retained for session duration and 12 months afterward for user reference.
  • Automatically Collected Data: IP address, device type, browser, and basic usage analytics (retained for 12 months).

What We Explicitly Don't Collect

  • Legal name or other personally identifying information beyond email
  • Social Security numbers or government IDs
  • Student diagnoses or medical information
  • Actual IEP documents or special education records (except ephemeral session uploads)
  • Credit card or payment card information (handled by Stripe only)
  • Biometric information

Feedback Alerts

IEPVue uses AI-driven feedback alerts to monitor for uncertainty or potential gaps in guidance. These alerts are completely anonymized and contain no personal information. IEPVue staff review alerts to identify systematic gaps or risks, but cannot trace an alert back to any individual user or student.

6. Third-Party Vendor Requirements Summary

All third-party vendors and service providers are required to maintain security standards consistent with this program. IEPVue conducts periodic due diligence reviews and updates this program if vendor security practices materially change.

7. Breach Response Plan

See Section 4.4 (Incident Response Procedures) above for comprehensive breach detection, assessment, notification, and remediation procedures.

8. Annual Review

This Information Security Program is reviewed, evaluated, and updated at least annually by Dr. Kristen Eccleston to ensure continued effectiveness and compliance with evolving security standards and legal requirements. The next scheduled review is April 2027.

Updates to this program are made if:

  • New vulnerabilities or threats are identified in IEPVue's risk assessment
  • Third-party vendors implement material changes to security practices
  • Legal or regulatory requirements change
  • Incidents occur that suggest safeguard improvements are needed
  • Technology changes are implemented that affect data security

9. Contact

Questions about this Information Security Program or privacy concerns should be directed to:

[email protected]

© 2026 Eccleston Education Consulting, LLC. All rights reserved.
