DBQ Online Data Breach Policy, Data Security and Privacy Plan
Adherence to State, Federal, and Local Data Security and Privacy Contract Requirements
The DBQ Project takes security and privacy seriously and understands that it is a priority for our user base, which includes states, districts, schools, and students. The DBQ Project reviews contract requirements, requests, and best practices to evaluate and determine the best way to manage and maintain security. The DBQ Project reviews its policies and security quarterly against industry standards and revises, updates, and tests them to ensure our environment is maintained at the highest standards. The DBQ Project adheres to all federal and state legal requirements, as well as local contract requirements, to protect private student data. The DBQ Project has controls in place to prevent disclosure of student data to anyone other than employees who need access to the data to perform services, unless the release is required pursuant to law or court order. The DBQ Project has controls in place, discussed in this document, to ensure that the data is protected in accordance with law and contract requirements and is used only for the purposes set forth in the local contract.
Data Storage and Access
All data is stored remotely in Amazon Web Services (AWS) facilities, which support and utilize industry best practices for protecting and securing data. The DBQ Project also follows industry standards and limits access to data to approved personnel, with quarterly reviews of which team members hold access. The DBQ Project uses Multi-Factor Authentication to ensure that only members with authorized devices can access or connect. The data are used only for support, for testing upon request, and/or for reporting to schools or districts that have authorized access.
Use of Best Practices and Industry Standards for Data Storage and Privacy and Protection
- Data are protected with Virtual Private Cloud (VPC) rules that allow only specific servers network access to their corresponding database server, in addition to database-level security.
- Caching services are also restricted by VPC rules.
- Web servers are protected by an AWS load balancer appliance, with Transport Layer Security (TLS) secure connections.
- Authorized staff can connect only over specified encrypted connections authenticated by public key. Authorization can be added or revoked per server and per staff member.
By utilizing Amazon Web Services, we are able to take advantage of the AWS security program, which can be reviewed at https://aws.amazon.com/security/
- TLS/SSL (HTTPS) encryption for all client connections.
- User passwords are stored only as salted one-way hashes and can never be read by The DBQ Project, its vendors, or anyone else.
- The Open Web Application Security Project (OWASP) security recommendations are followed.
- The application is actively secured against XSS, CSRF, and SQL injection attacks.
Our technology partner, Sealworks, Inc., manages and maintains the DBQ Online infrastructure to ensure that we review and implement the latest standards.
Action Plan for Security Breaches
In the event of a data breach, which means an unauthorized disclosure, access, alteration, or use of School District data, or circumstances that could have resulted in such unauthorized disclosure, access, alteration, or use, The DBQ Project shall promptly do the following: (1) notify the School District by telephone and email as soon as practicable after The DBQ Project becomes aware of the data breach; (2) provide the School District with the name and contact information for an employee of The DBQ Project who shall serve as The DBQ Project’s primary security contact; (3) assist the School District with any investigation, including interviews with The DBQ Project employees and review of all relevant records; and (4) assist the School District with any notification the School District deems necessary related to the security breach. The DBQ Project shall not, unless required by law, provide any notices except to the School District without prior written permission from the School District. In the event that a Breach is attributable to The DBQ Project, DBQ shall pay the reasonable costs and fees actually incurred by the district for (1) notification to parents whose information was compromised and to regulatory agencies if required by law; (2) credit monitoring for a year for those students whose covered information was exposed during the breach in a manner that a reasonable person would believe could impact his or her credit or financial security; and (3) any legal fees, audit costs, fines, and any other fees or damages imposed on the district as a result of the Breach. This provision is subject to the Damage Limitation as set forth in the DBQ Online Subscription Agreement. If you have any questions or concerns about this document, please contact firstname.lastname@example.org.