Overview

Tuva is committed to protecting the personal information of students, teachers, and staff who use our platform. In the event that a data security incident occurs — including unauthorized access to, disclosure of, or loss of personal data — Tuva will follow the procedures outlined in this document.

This procedure applies to all Tuva systems and data, including user-created content, teacher and student account information, and any data processed on behalf of schools and districts.

What triggers this procedure? Any confirmed or suspected unauthorized access to, disclosure of, destruction of, or loss of personal data stored or processed by Tuva — including incidents caused by external attackers, accidental exposure, or misconfiguration.

Incident Response Lifecycle

Tuva's incident response follows a six-step lifecycle. Each step has defined responsible parties and expected actions.

  1. Discovery

    Tuva's engineering team or an external reporter identifies a potential data security incident. All suspected incidents are escalated immediately to the VP of Engineering and CEO. Monitoring tools (Sentry, DigitalOcean alerts) may surface incidents automatically.

  2. Containment

    The engineering team takes immediate steps to contain the incident and prevent further unauthorized access or data loss. This may include revoking access credentials, taking affected systems offline, or blocking specific IP addresses.

  3. Investigation

    Tuva investigates the scope, cause, and impact of the incident. The investigation determines which data was affected, how many users were impacted, and whether personal data was accessed or exfiltrated.

  4. Communication

    Affected schools, districts, and users are notified within 48 hours of confirming that a data breach has occurred. The notification includes: a description of the incident, the categories of data affected, the scope and number of records involved, the steps Tuva has taken in response, and contact information for follow-up questions.

  5. Mitigation

    Tuva implements permanent fixes to prevent recurrence. This may include patching vulnerabilities, updating access controls, rotating credentials, or modifying data handling procedures.

  6. Review

    Following resolution, Tuva conducts a post-incident review to identify lessons learned and update procedures, monitoring, and controls as needed. Findings are documented internally.

Notification Timeline

The table below lists Tuva's notification commitments following a confirmed data breach. Tuva complies with applicable state data breach notification laws, which may require notification to additional parties (such as a state Attorney General's office) within timeframes that vary by jurisdiction. Where state law imposes a stricter timeline than the 48-hour commitment below, Tuva will follow the applicable state requirement.

Milestone | Timeline | Details
Initial notification to affected parties | Within 48 hours of confirmed breach | Tuva notifies affected schools and districts by email and phone. Notification includes scope, categories of data affected, and initial remediation steps.
Follow-up communication | As investigation progresses | Tuva provides updates as new information becomes available during the investigation and mitigation phases.
Post-incident report | Within 30 days of resolution | A written summary of the incident, root cause, scope, and remedial actions taken is available upon request.

What the notification includes: The initial notification to affected schools and districts will include: (1) the date and nature of the incident, (2) the categories of personal data involved, (3) the approximate number of records and individuals affected, (4) the steps Tuva has taken to contain and investigate the incident, and (5) a point of contact for follow-up questions.

Contact

If you have questions about this policy, believe you have identified a security incident, or need to report a suspected breach:

Tuva's security team will acknowledge all security inquiries within one business day.