Our Commitment
Tuva processes personally identifiable information for students and teachers on behalf of schools and districts. We take that responsibility seriously. Our infrastructure runs on DigitalOcean data centers located entirely within the United States. All data in transit is encrypted with TLS 1.2+. We maintain written policies for data classification, incident response, password management, and business continuity — and we publish them here for transparency.
Tuva is designed with FERPA and COPPA in mind. We collect only the minimum information necessary to provide the service. We do not sell student or teacher data. Students under 13 can enroll using a class code — no email address required. This section is designed for district IT administrators, procurement reviewers, and compliance officers.
Security Documentation
Browse the sections below to review our security posture, policies, and responsible disclosure program.
Security Standards & Status
A self-assessed status table organized by the NIST Cybersecurity Framework 2.0 functions — Govern, Identify, Protect, Detect, Respond, and Recover — with evidence citations for each control.
Data Breach Notification Policy
Our six-step incident response lifecycle and notification procedure, including the 48-hour notification timeline for affected schools and districts.
Data Classification Policy
How Tuva categorizes data into Restricted, Confidential, and Public tiers — with access controls, encryption requirements, and data ownership responsibilities for each.
Security Researchers
We welcome responsible disclosures from security researchers. If you have identified a vulnerability, please contact us directly.