Data Security & Privacy Plan

We built Knoword to ensure that student data and privacy are protected by default. This page outlines our infrastructure and security practices, showing how the platform aligns with the NIST Cybersecurity Framework (CSF) v1.1 and meets state and federal regulations, including NYS Education Law § 2-d.

Platform Privacy & Security Questionnaire

This questionnaire addresses general data protection requirements regarding student personal information, administrative access, and data destruction.

Requirement: Outline how you will implement applicable data security and privacy contract requirements over the life of the Contract.
Response: Contractual requirements are fulfilled over the life of the agreement by continuously aligning platform updates with the NIST CSF, conducting periodic access control reviews, and executing a proactive patch management schedule.

Requirement: Specify the administrative, operational and technical safeguards and practices that you have in place to protect PII.
Response: Platform access is restricted using multi-factor authentication under a least-privilege model. Data is encrypted in transit via HTTPS/TLS and at rest within secure cloud hosting, backed up daily.

Requirement: Address the training received by your employees and any subcontractors engaged in the provision of services under the Contract on the federal and state laws that govern the confidentiality of PII.
Response: Anyone authorized to manage the platform must review state and federal privacy regulations governing student data, including NYS Education Law § 2-d. This ensures all system management and data handling conform to required confidentiality standards.

Requirement: Outline contracting processes that ensure that your employees and any subcontractors are bound by written agreement to the requirements of the Contract, at a minimum.
Response: Anyone authorized to access backend systems must follow our internal data privacy and security policies. We do not use external subcontractors or third-party administrators, keeping all system management under direct internal oversight.

Requirement: Specify how you will manage any data security and privacy incidents that implicate PII and describe any specific plans you have in place to identify breaches and/or unauthorized disclosures, and to meet your obligations to report incidents to the EA.
Response: Breaches are identified via automated monitoring and system error logs. In the event of an unauthorized disclosure, the EA will be notified immediately (within 48 hours), followed by a full incident investigation and mitigation report.

Requirement: Describe how data will be transitioned to the EA when no longer needed by you to meet your contractual obligations, if applicable.
Response: Upon contract termination, relevant user or institutional data will be exported in CSV format and provided directly to the EA upon request.

Requirement: Describe your secure destruction practices and how certification will be provided to the EA.
Response: Data is permanently deleted from production databases, rendering it inaccessible. The data then completely ages out of automated system backups as old snapshots expire according to our retention cycle. We will send a written certification of the deletion via email once the production purge is complete.

Requirement: Outline how your data security and privacy program/practices align with the EA's applicable policies.
Response: Platform practices align with standard educational privacy requirements. Any specific data security policies provided by the EA will be reviewed and integrated into operational procedures.

Requirement: Outline how your data security and privacy program/practices materially align with the NIST CSF v1.1 using the Framework chart below.
Response: Please see the NIST CSF Alignment section below.

NIST Cybersecurity Framework Alignment

This table breaks down how our technical security controls and operational practices map directly to the NIST CSF v1.1 standards.

Identify (ID)

Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy.
Response: Infrastructure assets (hosting, database, and network services) are fully inventoried. User data is isolated within a dedicated production database entirely separate from local development and testing environments.

Business Environment (ID.BE): The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
Response: The platform provides educational vocabulary tools built around user privacy. Students can access and play games without creating accounts, entirely eliminating the collection of student PII for standard classroom use.

Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
Response: Regulatory, compliance, and legal obligations are managed internally through continuous policy reviews. This direct governance model ensures that state and federal student privacy laws directly dictate application architecture, data handling procedures, and technical security controls.

Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
Response: Primary operational risks focus on keeping the platform online for classrooms and protecting stored user profiles. These risks are managed by staying updated on the software threat landscape and proactively monitoring system components for new vulnerabilities.

Risk Management Strategy (ID.RM): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
Response: Vulnerabilities are managed by monitoring system dependencies and vendor security alerts. If a major exploit is disclosed, the platform is immediately evaluated and patched to maintain system integrity.

Supply Chain Risk Management (ID.SC): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk.
Response: Third-party dependencies are controlled through automated vulnerability scanning, version pinning, and minimum release-age gates. This ensures that software updates are held for evaluation and cannot be automatically introduced to the platform immediately upon release.
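The three dependency controls named in the ID.SC response (exact version pinning, a minimum release-age gate, and an advisory check) can be expressed as one small policy check. The script below is an added illustration, not Knoword's own tooling: the package names, release dates and advisory entry are constructed sample data, and in a real pipeline the release-date table and advisory list would be fetched from the package index and a vulnerability feed.

```python
"""Dependency policy gate: exact pins, minimum release age, known advisories.

Added example (not the platform's code). All package names, dates and the
advisory below are constructed sample data.
"""
import re
from dataclasses import dataclass
from datetime import date

# Only exact "name==version" pins are accepted as a valid lockfile entry.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][A-Za-z0-9.]*)\s*$")


@dataclass(frozen=True)
class Decision:
    name: str
    version: str
    status: str   # "ok", "unpinned", "too-new", "vulnerable", "unknown"
    reason: str


def parse_pins(requirements_text):
    """Return (name, version) pairs; non-exact specs get version None."""
    pins = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments / blanks
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pins.append((m.group(1).lower(), m.group(2)))
        else:
            pins.append((line, None))            # e.g. "pkg>=1.0" is not pinned
    return pins


def gate(pins, release_dates, advisories, today, min_age_days=14):
    """Apply the policy to each pin and return a Decision per entry.

    release_dates: {(name, version): date} ; advisories: {(name, version): text}
    A version younger than min_age_days is held back for evaluation rather
    than being introduced immediately upon release.
    """
    decisions = []
    for name, version in pins:
        if version is None:
            decisions.append(Decision(name, "", "unpinned", "not an exact '==' pin"))
            continue
        key = (name, version)
        if key in advisories:
            decisions.append(Decision(name, version, "vulnerable", advisories[key]))
            continue
        released = release_dates.get(key)
        if released is None:
            decisions.append(Decision(name, version, "unknown", "no release date on record"))
            continue
        age = (today - released).days
        if age < min_age_days:
            decisions.append(Decision(name, version, "too-new",
                                      f"released {age} days ago (< {min_age_days})"))
        else:
            decisions.append(Decision(name, version, "ok", f"released {age} days ago"))
    return decisions


def blocked(decisions):
    """Entries that must not be deployed as-is."""
    return [d for d in decisions if d.status != "ok"]


# --- constructed sample input (hypothetical packages, not real releases) ---
SAMPLE_REQUIREMENTS = """\
# constructed sample lockfile
webfw==2.4.1
dbdriver==1.9.0
jsonutil==0.3.2
cachekit>=1.0
"""
TODAY = date(2024, 6, 1)
RELEASE_DATES = {
    ("webfw", "2.4.1"): date(2024, 3, 20),    # 73 days old -> passes the gate
    ("dbdriver", "1.9.0"): date(2024, 5, 28),  # 4 days old -> held back
    ("jsonutil", "0.3.2"): date(2024, 1, 5),   # old enough, but see ADVISORIES
}
ADVISORIES = {
    ("jsonutil", "0.3.2"): "PLACEHOLDER-ADVISORY-ID (constructed): fixed in 0.3.3",
}


def run_sample():
    return gate(parse_pins(SAMPLE_REQUIREMENTS), RELEASE_DATES, ADVISORIES, TODAY)


if __name__ == "__main__":
    for d in run_sample():
        print(f"{d.status:10s} {d.name} {d.version} - {d.reason}")
    raise SystemExit(1 if blocked(run_sample()) else 0)
```

Run as a pipeline step, a non-zero exit blocks the deploy until the held entries are reviewed; the 14-day threshold is an assumed value, not one the page states.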

Protect (PR)

Identity Management, Authentication and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access.
Response: Administrative infrastructure access requires multi-factor authentication. Platform user authentication utilizes cryptographically hashed passwords alongside secure, industry-standard single sign-on (SSO) and OAuth integrations.

Awareness and Training (PR.AT): The organization's personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties consistent with related policies, procedures, and agreements.
Response: Platform operations are conducted by personnel with formal enterprise cybersecurity training. This background is maintained through ongoing training on modern web vulnerabilities, secure infrastructure management, and secure coding standards.

Data Security (PR.DS): Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.
Response: All data transmitted to and from the platform is encrypted in transit using HTTPS/TLS. Database storage, system volumes, and automated daily backups are fully encrypted at rest.

Information Protection Processes and Procedures (PR.IP): Security policies, processes, and procedures are maintained and used to manage protection of information systems and assets.
Response: Security is built directly into the deployment pipeline. The platform utilizes version control for all code changes, maintains isolated development and production environments, and runs automated daily backups to guarantee data integrity.

Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.
Response: Physical hardware and operating system maintenance are handled entirely by managed cloud providers. Application updates and database configurations are executed through secure, authenticated configuration management channels.

Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
Response: Network traffic is routed through a web application firewall (WAF) to mitigate distributed denial-of-service (DDoS) threats at the edge. The core application runs on isolated hosting environments that maintain system logs and utilize automated recovery routines to handle system crashes.

Detect (DE)

Anomalies and Events (DE.AE): Anomalous activity is detected and the potential impact of events is understood.
Response: Anomalies are detected through edge traffic tracking, external uptime monitors, and automated alerts for unusual server resource spikes.

Security Continuous Monitoring (DE.CM): The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.
Response: Continuous monitoring relies on automated software dependency analysis alongside routine reviews of infrastructure access logs.

Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.
Response: Detection processes are verified through routine development operations, including monitoring alert functionality during planned maintenance windows and reviewing automated dependency scans during code updates.

Respond (RS)

Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.
Response: Security incidents are addressed immediately: the affected service is isolated or rolled back to a verified stable state, a code patch is deployed, and users are notified if necessary.

Communications (RS.CO): Response activities are coordinated with internal and external stakeholders.
Response: Platform administration serves as the central point of contact for all incident communications, handling timely, direct notifications to affected users, institutional stakeholders, and the EA if a security event occurs.

Analysis (RS.AN): Analysis is conducted to ensure effective response and support recovery activities.
Response: Following an incident, application logs and database history are reviewed to isolate the root cause and determine the extent of the impact.

Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.
Response: Active threats are contained by deploying rapid software patches, rotating compromised credentials, or blocking malicious traffic at the network edge.

Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
Response: Incident lessons are documented and used directly to update application code and prevent future occurrences.

Recover (RC)

Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.
Response: System restoration relies on automated pipelines to redeploy stable code, combined with regular backups to restore data integrity.

Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
Response: Recovery workflows and backup configurations are evaluated after any disruption to minimize future downtime.

Communications (RC.CO): Restoration activities are coordinated with internal and external parties.
Response: Once the platform is stable, a final update is sent to users to confirm service restoration and share the preventative steps taken.