Data Security & Privacy Plan
How SpellingJoy protects student and teacher data.
1. Implementation of Data Security and Privacy Requirements
SpellingJoy implements data security and privacy requirements through:
- Privacy by Design: Student accounts require only a first name and optional last initial. No email, password, phone number, date of birth, or other PII is collected from students. Authentication uses a system-generated UUID session token (httpOnly cookie), not passwords. This approach is COPPA-compliant by design.
- Data Minimization: We collect only the minimum data necessary to provide the spelling practice service: student first name, last initial, class membership, and practice performance data (words attempted, accuracy, time spent).
- Access Controls: All database access is governed by Supabase Row Level Security (RLS) policies. Teachers can only access data for their own classes. Students can only access their own practice data. Admin access is restricted to designated personnel.
- Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256 via Supabase/AWS).
- Contractual Compliance: We maintain Data Processing Agreements with all subprocessors that access Student Data, requiring protections no less stringent than our DPA obligations.
2. Administrative, Operational, and Technical Safeguards
Administrative
- Two-person leadership team (CEO + COO) with defined security responsibilities
- Written Incident Response Plan maintained and reviewed annually
- Data Processing Agreements with all third-party subprocessors
- This Data Security and Privacy Plan, reviewed and updated annually
Operational
- Least-privilege access: Only designated personnel have direct database access
- Soft-delete architecture: Data is marked as deleted before permanent removal, providing a recovery window
- Regular review of access logs via Supabase Dashboard
- All code changes tracked via Git version control with review
Technical
- Authentication: Teachers use OTP (one-time password) email codes or Google OAuth — no stored passwords. Students use system-generated UUID tokens — no credentials at all.
- Encryption in Transit: All connections use HTTPS/TLS 1.2+. No unencrypted data transmission.
- Encryption at Rest: Database encrypted via AES-256 (Supabase/AWS managed encryption).
- Row Level Security: PostgreSQL RLS policies enforce data isolation between teachers.
- No Student PII in Analytics: Analytics tracking is excluded from all student-facing pages. No student names, identifiers, or performance data are sent to any analytics service.
- Rate Limiting: API endpoints implement rate limiting to prevent abuse.
- Session Management: httpOnly cookies with secure flags. Teacher sessions via NextAuth JWT.
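To make the Row Level Security control concrete, here is an added PostgreSQL example of the kind of policy that enforces "teachers can only access data for their own classes". It is not SpellingJoy's schema or policy text; the table and column names (classes, students, practice_sessions, teacher_id, class_id, student_id) are assumptions. auth.uid() is the Supabase helper that returns the UUID of the caller identified by the request's JWT.

```sql
-- Added example: minimal schema assumed for illustration, not SpellingJoy's own.
create table classes (
  id         uuid primary key default gen_random_uuid(),
  teacher_id uuid not null,              -- matches auth.uid() of the owning teacher
  name       text not null
);
create table students (
  id           uuid primary key default gen_random_uuid(),
  class_id     uuid not null references classes(id),
  first_name   text not null,
  last_initial text                      -- optional, per the data-minimization section
);
create table practice_sessions (
  id             uuid primary key default gen_random_uuid(),
  student_id     uuid not null references students(id),
  words_attempted int not null,
  correct         int not null,
  seconds_spent   int not null,
  deleted_at      timestamptz            -- soft-delete marker
);

-- RLS is off by default. A table with RLS disabled is fully readable by any
-- role with table privileges, so enable it on every table holding Student Data.
alter table classes           enable row level security;
alter table students          enable row level security;
alter table practice_sessions enable row level security;

-- Teachers may read or modify only classes they own.
-- USING filters rows that are visible; WITH CHECK rejects writes that would
-- create or move a row outside the caller's own classes.
create policy teacher_own_classes on classes
  for all to authenticated
  using      (teacher_id = auth.uid())
  with check (teacher_id = auth.uid());

-- Students are visible only through a class the caller owns.
create policy teacher_own_students on students
  for all to authenticated
  using (exists (
    select 1 from classes c
    where c.id = students.class_id and c.teacher_id = auth.uid()))
  with check (exists (
    select 1 from classes c
    where c.id = students.class_id and c.teacher_id = auth.uid()));

-- Practice data follows the student -> class -> teacher chain.
-- Soft-deleted rows are hidden from normal reads as well.
create policy teacher_own_practice on practice_sessions
  for select to authenticated
  using (
    practice_sessions.deleted_at is null
    and exists (
      select 1
      from students s
      join classes  c on c.id = s.class_id
      where s.id = practice_sessions.student_id
        and c.teacher_id = auth.uid()));

-- Isolation check (run in a psql session with the tables seeded):
-- impersonate teacher A, then confirm that a direct lookup of a class owned by
-- teacher B returns zero rows rather than an error.
begin;
  set local role authenticated;
  -- '00000000-0000-0000-0000-00000000000a' is a constructed placeholder for teacher A
  select set_config('request.jwt.claims',
                    '{"sub":"00000000-0000-0000-0000-00000000000a","role":"authenticated"}',
                    true);
  select count(*) from classes
  where teacher_id <> '00000000-0000-0000-0000-00000000000a';  -- expect 0
rollback;
```

Two caveats follow from how Supabase applies these policies. The service_role key bypasses RLS entirely, so it belongs only in server-side code and never in anything shipped to a browser. And because students in this design authenticate with a system-generated session token rather than a Supabase JWT, their reads must go through a server path that scopes queries to the token's student record; the policies above cover isolation between teachers, which is what the section states.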
3. Employee and Subcontractor Training
All personnel with access to Student Data or Teacher Data are trained on:
- FERPA requirements for protecting student educational records
- COPPA requirements for protecting children's online privacy
- State-specific student data privacy laws applicable under the 16-state DPA
- SpellingJoy's data handling procedures, incident response plan, and access controls
- Obligations under the DPA including no re-disclosure, no selling of data, and no targeted advertising
Training is conducted upon onboarding and reviewed annually. Training records are maintained internally.
4. Contracting Processes
All employees and subcontractors are bound by written agreement to comply with data privacy requirements:
- Employees/Leadership: Bound by company policies and this Data Security and Privacy Plan.
- Subprocessors: Each subprocessor has a signed Data Processing Agreement that prohibits use of Student Data beyond the contracted service, prohibits disclosure to subsequent third parties, and requires reasonable security procedures.
See our subprocessor list for current third-party services and their data processing roles.
5. Incident Management
SpellingJoy maintains a written Incident Response Plan that covers:
- Detection: Monitoring via Supabase dashboard alerts, Vercel deployment logs, and GitHub security alerts.
- Classification: Four severity levels (Critical, High, Medium, Low).
- Containment: Immediate isolation of affected systems, credential rotation.
- Notification: School district notification within 72 hours of a confirmed breach (24 hours for Virginia districts). Notification includes: types of data affected, date or date range of the breach, description of the incident, number of records affected, point of contact, and steps taken.
- Remediation: Root cause analysis, patching, hardening.
- Post-Incident Review: Lessons learned within 14 days, plan updates as needed.
A summary of the Incident Response Plan is available to school districts upon written request.
6. Data Transition and Export
When data is no longer needed or upon written request from a school district:
- Data Export: SpellingJoy can export Student Data in machine-readable format (CSV/JSON) for transfer to the district within 30-60 days of request.
- Data Scope: Export includes all student records, practice history, and performance data associated with the requesting district's teachers and classes.
7. Secure Destruction
Upon termination of the DPA or written request from a school district:
- Method: Student Data is permanently deleted from the database. The hosting provider (Supabase/AWS) handles secure destruction of underlying storage media.
- Scope: All Student Data associated with the requesting district's teachers and classes, including practice history, scores, and student records.
- Backups: Database backups containing the data are automatically rotated and overwritten per the hosting provider's retention policy.
- Certification: SpellingJoy will provide written confirmation to the district within 30 days of data destruction, describing the date of destruction and the method used.
- De-Identified Data: Aggregate, de-identified data that cannot be linked to individual students is not subject to destruction requirements per the DPA.
8. Alignment with School District Policies
SpellingJoy's data security and privacy practices are designed to align with school district policies by:
- Operating as a "School Official" under FERPA with a legitimate educational interest
- Complying with district data governance requirements as specified in the DPA
- Accepting the district's Parents Bill of Rights for Data Security and Privacy (where applicable)
- Providing transparency about data collection, use, and sharing through this plan and our Privacy Policy
- Directing parent complaints to the district per relationship guidelines
9. NIST Cybersecurity Framework v1.1 Alignment
SpellingJoy's security practices align with the five core functions of the NIST Cybersecurity Framework:
Identify
SpellingJoy maintains an inventory of data assets and subprocessors. As a focused EdTech SaaS, our attack surface is limited to the web application, database, and API integrations. Risk is managed through vendor selection (Supabase, Vercel, Anthropic — all SOC 2 certified) and minimal data collection.
Protect
Strong authentication (OTP/OAuth for teachers, UUID tokens for students), encryption at rest and in transit, Row Level Security database policies, and least-privilege access controls. No student passwords are stored. Analytics tracking is excluded from student pages.
Detect
Monitoring via Supabase dashboard, Vercel deployment logs, and GitHub security alerts. Regular manual review of access patterns and system configurations.
Respond
Written Incident Response Plan with 72-hour school district notification (24 hours for Virginia). Defined escalation procedures, containment protocols, and communication templates.
Recover
Supabase provides automated database backups with point-in-time recovery. Vercel enables instant deployment rollback. Recovery procedures are documented in the Incident Response Plan.
Data Storage Location
All Student Data and Teacher Data is stored in the United States. Primary database: Supabase (AWS us-east-1, Virginia, USA). Application hosting: Vercel (US-primary edge network). AI processing: Anthropic API (US-based).
Contact: Yuval Soueid, CEO — info@spellingjoy.com
See also: Subprocessor List