IEPVue — Information Security Program
Effective: July 3, 2026 · Owner: Dr. Kristen C. Eccleston · Annual review: July 3, 2027
1. Purpose & Scope
This Program describes the administrative, technical, and physical safeguards Eccleston Education Consulting LLC maintains to protect the information processed by IEPVue, a service handling sensitive special-education information about students. It applies to all IEPVue systems, personnel, and sub-processors.
2. Governance
- Designated security coordinator: Dr. Kristen C. Eccleston (or her delegate).
- Risk assessment: conducted at least annually and on material change, identifying reasonably foreseeable risks to confidentiality, integrity, and availability, with corresponding safeguards.
- Annual evaluation: the Program is reviewed and updated at least annually; the next scheduled review is noted above.
- Service-provider oversight: sub-processors are vetted for adequate safeguards and bound by contractual data-protection and breach-notification obligations (Anthropic, Base44, Stripe, Loops.so, GoHighLevel, PostHog, Sentry).
3. Technical Safeguards
- Encryption in transit: TLS 1.2+ for all data.
- Encryption at rest: data stored on our behalf is encrypted at rest using AES-256. Encryption keys are managed within a cloud key-management service (KMS), with data-encryption keys protected by separately-managed key-encryption keys, so key material is safeguarded independently of the data it protects.
- Credentials: passwords stored only as salted hashes; no plaintext storage. SSO supported (Google/Microsoft).
- Ephemeral document handling: uploaded documents/photos are processed in memory only and cleared promptly (target: within 1 hour); they are never written to persistent storage.
- Access control: role-based access. Administrative access is limited to the security coordinator; users can access only their own data (owner-scoped row-level security on user data tables).
- Payment isolation: all card processing is handled by Stripe (PCI-DSS Level 1); no card data touches IEPVue systems.
- Monitoring: error and security monitoring with review of anomalous activity.
- Audit logging: privileged and data-subject-rights actions (export, deletion, retention purges, reminders) are recorded in an append-only audit log retained for evidentiary purposes.
4. Administrative & Physical Safeguards
- Personnel with data access receive data-protection training appropriate to their role.
- Vendor due-diligence and written data-protection terms are maintained for each sub-processor.
- Least-privilege access; credentials are rotated and de-provisioned on role change.
5. Data Minimization
We collect only what is reasonably necessary to provide guidance — student nickname (not legal name), grade, plan type, jurisdiction, and concerns. We do not collect or store the student's full legal name, date of birth, student ID, Social Security number, diagnoses, or assessment scores in our systems; the most sensitive content (uploaded documents) is processed ephemerally and never stored. To help you generate advocacy letters and personalize guidance, the profile you create does store the parent/guardian's name and the school, principal, and case-manager/coordinator names you choose to enter; these are protected the same way as the rest of your profile data and are deletable at any time.
6. Incident Response & Breach Notification
We maintain a written Breach-Response Runbook. On discovery of a potential security incident:
- We assess within 24 hours whether a breach of security involving unsecured identifiable health information has occurred.
- Where the FTC Health Breach Notification Rule is triggered, we notify affected individuals without unreasonable delay and within 60 calendar days, and notify the FTC and prominent media where 500 or more individuals are affected.
- Sub-processor incidents are treated as our notification obligation; sub-processor contracts require prompt notice to us.
- Breach counsel and forensic support are engaged through our cyber-insurance program.
7. Compliance Posture
This Program supports IEPVue's obligations and commitments under FTC Act §5, the FTC Health Breach Notification Rule, and applicable state privacy laws (notably the Maryland Online Data Privacy Act, Md. Com. Law §§14-4701–14-4714). COPPA does not apply to IEPVue (we collect information from adults, not from children); the controls here nonetheless meet or exceed the COPPA information-security standard as a voluntary baseline for sensitive children's education data.
8. Limitations
No system is completely secure. This Program describes safeguards designed to reduce risk; it is not a guarantee against all incidents.