Data Security Policy

Updated October 9, 2025

This policy applies to all products built and maintained by X9 Studios Inc, doing business as Almanack (referred to as "Almanack" in this document).

1. Purpose & Scope

The purpose of this plan is to protect user and student data, ensure compliance with FERPA, PIPEDA, GDPR principles, and the Student Data Privacy Consortium (SDPC) NDPA Standard Version 1.0, and maintain trust with schools, educators, students, and families.

Scope includes:

• All data collected, processed, or stored through Almanack's applications, APIs, and applets.
• All employees, contractors, and third-party service providers.
• All systems, including cloud infrastructure, internal tools, and end-user environments.

2. Data Classification & Handling

• Sensitive data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
• Access follows the principle of least privilege.
• Sensitive fields are minimized whenever possible.

3. Data Collection, Storage & Retention

Data Collected:

• Student names, course grades, and teacher feedback on performance.

Storage:

• All student data is stored within the United States or approved territories (Canada, EU, UK, Australia, New Zealand).
• A list of subprocessors and storage locations is available to LEAs upon request.
• Sensitive datasets are accessible only to essential personnel and services.

Retention:

• Data is retained only as long as required to deliver educational services.
• Inactive accounts older than 12 months are purged or anonymized.
• Upon written request from an LEA, Almanack will securely delete or return student data within 60 days, except where retention is legally required.

4. Access Control

• Role-Based Access Control (RBAC) governs permissions for internal systems and services.
• Multi-factor authentication (MFA) is required for engineering and administrative accounts.
• Session timeouts, IP monitoring, and logging are implemented to detect unauthorized access.
• All internal access to sensitive data is logged and subject to internal review.

5. Technical Safeguards

• Encryption: TLS 1.2+ in transit, AES-256 at rest.
• Network Security: Firewalls, private subnets, WAF, DDoS protection.
• API Security: OAuth 2.0 and scoped access tokens.
• Data Backups: Encrypted, versioned, and tested regularly.
• Monitoring: Centralized logging and anomaly alerting.
• Access Restrictions: Only authorized personnel may access student PII, with role-specific permissions.

6. Privacy Principles

• Almanack follows Privacy by Design and Data Minimization.
• Consent-first collection: Data is collected only with clear purpose and institutional consent.
• No targeted advertising or sale of student data.
• Transparent Privacy Policy is maintained and updated as required.
• Users and institutions have control over data access, correction, and deletion.

7. Regulatory & Compliance Alignment

Almanack's security and privacy practices are aligned with:

• FERPA (U.S.)
• PIPEDA (Canada)
• GDPR principles (where applicable)
• NIST CSF and CIS Top 20 security controls as operational guides.
• NDPA Standard 1.0 (MA-ME-IL-IA-MO-NE-NH-NJ-NY-OH-RI-TN-VT-VA-WA).

Data Processing Agreements (DPAs) with schools and districts govern handling of student data.

8. Employee & Vendor Policies

• All employees sign confidentiality agreements.
• Security awareness training is mandatory for all staff.
• Employees with access to student data undergo criminal background checks in compliance with applicable state laws.
• Access is revoked immediately upon termination.
• Vendor and subprocessor access is limited to essential functions.
• Almanack will maintain and provide an up-to-date list of subprocessors to LEAs upon request.

9. Incident Response & Breach Management

Almanack maintains a structured Incident Response Plan (IRP):

• Detection – Identify and log the incident.
• Containment – Isolate affected systems or data flows.
• Eradication – Remove malicious or compromised elements.
• Recovery – Restore operations and verify integrity.

Notification Timelines:

• Almanack will notify LEAs within 72 hours of confirmation of a breach.
• If a state law requires faster notification, Almanack will comply with the shortest applicable timeline.
• Each incident is followed by root cause analysis, internal review, and documentation of mitigation steps.

10. Data Subject & LEA Rights

• Ownership: LEAs retain full ownership and control of Student Data.
• Access: LEAs may request access to or export of data in a readable format.
• Correction / Deletion: Student data can be corrected or deleted upon verified request.

Audit Rights:

• LEAs may request reasonable security documentation or evidence of controls.
• Almanack may provide SOC summaries, architecture overviews, or virtual security reviews in lieu of on-site audits.
• All requests must be reasonable and respect the confidentiality of other customers.

11. Continuous Improvement

• Almanack regularly reviews security posture internally.
• Code and dependency security checks are integrated into CI/CD workflows.
• Vendor security posture is periodically reassessed.
• Policies are updated to reflect changes in law or operational risk.

12. Business Continuity & Disaster Recovery

• Daily encrypted backups are stored in multiple availability zones.
• Redundancy is built into core infrastructure to minimize service interruption.
• Restoration procedures are documented and periodically verified.
• Priority during disruptions is to restore core educator and student services first.

13. Plan Review & Updates

• This plan is reviewed annually or whenever there are material changes to the platform, law, or operational environment.
• Updates are communicated to staff, institutional partners, and relevant stakeholders.
• Version history is maintained for accountability.

Contact Information

Have any questions, comments, or concerns about this data security policy? Please get in touch by emailing us at privacy@almanack.ai and we'll be happy to try to answer them!