1. Enterprise-Wide Computer Network and Information Security Policy
Purpose
To establish consistent and secure standards for iTherapy's computer networks and information systems, applicable to all employees, independent contractors, and third-party vendors, protecting both company and client data in compliance with federal and state education privacy laws including FERPA, COPPA, and state-specific student data privacy statutes.
Policy
iTherapy maintains a comprehensive information security policy that outlines protocols to safeguard data, including requirements for network access, device security, and handling of sensitive information including Student Data as defined under Education Law § 2-d and equivalent state statutes.
- Data Encryption: AES-256 at rest via AWS KMS and TLS 1.2 or higher in transit
- Password Security: Minimum 12 characters, complexity requirements, 90-day rotation
- Multi-Factor Authentication: Required for all administrative access and systems containing Student Data or PHI
- Access Control: Role-based access control ensuring least-privilege access
Infrastructure Standards
- All production systems operate on AWS infrastructure with FedRAMP authorization
- HIPAA Business Associate Agreement (BAA) in place with AWS for Bedrock services
- Multi-AZ deployment for high availability
- Regular security patching within 30 days of critical vulnerability disclosure
- Automatic session timeout after 30 minutes of inactivity
- Audit logging of all access to systems containing Student Data or PHI
2. Employee Information Security Training
Purpose
To ensure that all employees and contractors understand their specific responsibilities in maintaining information security within their roles, with particular emphasis on the protection of Student Data and compliance with FERPA, state education privacy laws, and HIPAA where applicable.
Training Topics
- FERPA Requirements: School official responsibilities and compliance obligations
- State Privacy Laws: State-specific student data privacy laws for states where we operate
- HIPAA Requirements: Handling Protected Health Information properly
- Threat Recognition: Identifying phishing attempts and social engineering
- Secure Data Transfer: Using secure channels for data transfer
- Incident Reporting: Procedures for reporting security incidents
Training Requirements
- New employees must complete security training within 7 days of starting employment
- Training required before being granted access to any systems containing Student Data or PHI
- Additional training provided within 30 days of identifying new threats
- All subcontractors must complete equivalent training before access is granted
- Training records maintained for a minimum of 7 years
Reporting Requirements
Employees are required to report any suspected security incidents immediately (within 1 hour of discovery) to admin@itherapyllc.com or management. Failure to report incidents may result in disciplinary action.
3. Formal Privacy Policy
Purpose
To establish iTherapy's commitment to protecting client, student, and employee personal information and to ensure compliance with legal standards including FERPA (34 CFR Part 99), COPPA (15 U.S.C. § 6501-6506), HIPAA (45 CFR Parts 160 and 164), and state-specific education privacy laws.
Data Minimization
We collect only the minimum personal information necessary to provide contracted services. For Student Data, this is limited to: student name, date of birth, sex/gender, and system-generated identifiers.
Purpose Limitation
Student Data is used exclusively for the educational services specified in our contracts with Educational Agencies. We do not use Student Data for marketing or commercial purposes.
Transparency
We maintain public-facing privacy notices and provide Educational Agencies with detailed descriptions of our data practices.
Student Data Specific Protections
- Student Data is never sold, rented, leased, or traded to third parties
- Student Data is never used for targeted advertising
- Student Data is never used to develop commercial products beyond our contracted educational services
- Student Data retention is limited to the duration necessary to provide services (24-hour TTL for conversational data, deletion within 90 days of contract termination)
- Access to Student Data is restricted to employees and subcontractors with legitimate educational interest
6. Data Classification, Retention, and Disposal Policy
Data Classification
- Public: Information intended for public distribution
- Internal: Business information not intended for public distribution
- Confidential: Sensitive business information requiring protection
- Highly Confidential: Student Data, PHI, SSNs, or regulated information
Retention Periods
Student Data
- Active Service Period: Retained for duration of contract with Educational Agency
- Post-Contract: Deleted within 90 days of contract termination unless otherwise specified
- Conversational Data (MySLP): Automatic 24-hour deletion via DynamoDB TTL
- Audit Logs: Retained for 7 years to comply with federal record-keeping requirements
Disposal Procedures
Digital data disposal follows NIST SP 800-88 compliant methods including cryptographic erasure. Physical media undergoes destruction via shredding or degaussing. All disposal activities involving Student Data are logged and verified.
7. Formal Security Incident Response Plan (SIRP)
Scope
This plan applies to any security incident that may compromise the confidentiality, integrity, or availability of iTherapy information systems or data, including unauthorized access, malware infections, data breaches, denial of service attacks, physical security breaches, lost devices, and insider threats.
Incident Response Team
- Incident Response Coordinator: Matthew Guggemos (matthew@itherapyllc.com)
- Privacy Officer: admin@itherapyllc.com
- Extended Team: AWS Support, Forensics specialists, Law enforcement liaison (as needed)
Response Process
- Detection & Analysis (within 1 hour): Incident Response Coordinator notified, preliminary assessment conducted
- Containment (immediate): Isolate affected systems, revoke credentials, block threats
- Eradication (as needed): Remove malware, close vulnerabilities, verify complete removal
- Recovery (4-72 hours): Restore from backups, verify integrity, resume operations
Notification Requirements
Educational Agency Notification (for Student Data breaches)
- Timeline: Within 72 hours of confirmation that incident constitutes a breach
- Content: Contact information, incident description, data types involved, number of students affected, response actions taken
- Parent Notification: Educational Agency maintains responsibility; iTherapy provides information needed
15. Access Control and Authentication Policy
Authentication Requirements
Password Standards
- Minimum 12 characters
- Must include uppercase, lowercase, numbers, and special characters
- Cannot reuse last 5 passwords
- Must be changed every 90 days
- Account lockout after 5 failed attempts
Multi-Factor Authentication
Required for:
- All administrative access
- Systems containing Student Data or PHI
- Remote access to corporate network
- AWS Management Console access
Role-Based Access Control
- End User: Educational Agency personnel; access only to their agency's data
- Clinical Support: Read-only access for customer support (with MFA)
- Developer: Access to development/staging environments only
- System Admin: Full production access (requires MFA and logging)
20. Alignment with NIST Cybersecurity Framework 2.0
iTherapy's security program is designed to align with all six core functions of the NIST CSF 2.0 (February 2024): Govern, Identify, Protect, Detect, Respond, and Recover.
GOVERN (GV)
- Organizational Context
- Risk Management Strategy
- Roles & Responsibilities
- Policy & Procedures
- Oversight & Accountability
- Supply Chain Risk Management
IDENTIFY (ID)
- Asset Management
- Business Environment
- Risk Assessment
- Improvement
PROTECT (PR)
- Identity Management & Access Control
- Awareness and Training
- Data Security
- Platform Security
- Technology Infrastructure Resilience
DETECT (DE)
- Continuous Monitoring
- Adverse Event Analysis
RESPOND (RS)
- Incident Management
- Incident Analysis
- Incident Response Reporting
- Incident Mitigation
RECOVER (RC)
- Incident Recovery Plan Execution
- Incident Recovery Communication
National Student Data Privacy Agreement (NDPA)
iTherapy participates in the Student Data Privacy Consortium's National Data Privacy Agreement (NDPA) framework, supporting standardized data privacy agreements across multiple states.
Supported States
Key NDPA Provisions
- Provider acts as School Official with legitimate educational interest under FERPA
- Student Data remains property of the LEA
- No sale, rental, or trading of Student Data to third parties
- Prohibition on targeted advertising using Student Data
- Data breach notification within 72 hours
- Data disposition within 60-90 days of contract termination
- Annual audits available upon request
Request NDPA Documentation
Educational agencies can request complete NDPA documentation including state-specific exhibits.
Document Control
Policy Owner: Matthew Guggemos, Chief Technology Officer and Privacy Officer
Approval Authority: Executive Management and Legal Counsel
Version: 2.0
Effective Date: November 18, 2025
Last Review: November 18, 2025
Next Scheduled Review: May 18, 2026
Commitment to Security and Trust
These policies are designed to protect iTherapy's information systems and client data while fostering a culture of security and trust with our Educational Agency partners. Security is everyone's responsibility.