1. Purpose
The purpose of this Security Policy is to protect the confidentiality, integrity, and availability of EveryDay Labs’ systems and data—including sensitive student information—while supporting our mission to improve student attendance through data-driven solutions. This policy outlines the safeguards and procedures in place to reduce risk, comply with regulations (e.g., FERPA), and ensure secure operations.
2. Scope
This policy applies to all employees, contractors, vendors, and systems that access or process data owned or managed by EveryDay Labs. It covers:
Internal systems and infrastructure
Cloud services and third-party tools
Customer data (including student and district staff information)
Web applications and APIs
3. Data Protection
3.1 Data Classification
Data is classified as Public, Internal, Confidential, or Restricted.
Student data and personally identifiable information (PII) are treated as Restricted and handled with the highest security standards.
3.2 Data Encryption
All data at rest is encrypted using industry-standard protocols (e.g., AES-256).
All data in transit is protected using TLS 1.2 or higher.
Backups containing confidential data are encrypted at rest and stored securely.
3.3 Backups
Databases are backed up weekly and retained for 14 days.
Nightly backups are replicated to a separate geographic region.
CSV-format student data backups are stored in Box for recovery and auditing.
4. Access Control
Role-based access is enforced across all systems.
Least privilege is the default principle for granting access.
Access can require MFA (multi-factor authentication) based on district security requirements.
Districts can configure SSO to help control access.
District administrators are responsible for removing staff members no longer employed by the district. Annually, inactive users are purged from the system.
5. Network Security
Firewalls are configured to limit access to essential services only.
Web traffic is filtered to block malicious content and prevent data leakage.
All production infrastructure is isolated in VPCs with strict access rules.
6. Application Security
Code is peer-reviewed and tested prior to deployment.
Vulnerability scanning tools are used to identify and remediate risks.
Dependencies are kept up to date and monitored for known CVEs.
Secure coding guidelines are followed by all developers.
7. Incident Response
A formal incident response plan is in place for identifying, containing, and remediating security incidents.
All incidents are documented and reported to relevant stakeholders.
Impacted customers and regulatory bodies are notified promptly, as required by law.
8. Vendor Management
Third-party vendors are assessed for security and compliance risks.
Data processors must sign agreements ensuring confidentiality and security controls.
9. Employee Training
All team members receive FERPA data security awareness training upon onboarding.
10. Compliance
EveryDay Labs complies with applicable laws and regulations, including:
FERPA (Family Educational Rights and Privacy Act)
Relevant state-level data privacy laws
Contractual obligations with school districts
11. Review and Updates
This policy is reviewed at least annually or after any significant security incident or change in operations. Updates must be approved by the Head of Product and Engineering or the CEO.