Scope

This policy applies to all electronic information stored on, processed by, or transmitted through Tuva's systems — including production databases, file storage, logs, backups, and development and test environments.

It applies to all Tuva employees, contractors, and third-party vendors who have access to Tuva systems or data.

Data Ownership

Tuva designates a Data Owner responsible for authorizing access to sensitive data and overseeing compliance with this policy.

  • Primary Data Owner: VP of Engineering
  • Alternates: Product Manager, CEO

No employee, contractor, or vendor may access Restricted or Confidential data without prior authorization from the Data Owner. Access authorizations are logged and reviewed periodically.

Classification Tiers

All data handled by Tuva falls into one of three classification tiers. The tier determines what access controls, handling procedures, and protections apply.

Restricted

The most sensitive category. Unauthorized disclosure would seriously harm Tuva, its users, or the schools and districts it serves.

Examples: production database credentials, API keys and secrets, student personally identifiable information (PII), authentication tokens, encryption keys, financial records.

Access requirement: VP of Engineering authorization required before any access. Access is limited to individuals with a specific business need. All access is logged.

Handling: Must be transmitted via encrypted channel only (VPN or equivalent). Must not be stored in plaintext. Must not be shared outside Tuva without legal authorization.

Confidential

Sensitive internal information where unauthorized disclosure could harm Tuva or its users, but the risk is lower than Restricted data.

Examples: internal business processes, non-public product roadmaps, aggregated usage analytics, teacher email addresses, business partner agreements.

Access requirement: Limited to Tuva employees and authorized contractors with a business need. VP of Engineering authorization required for third-party access.

Handling: Should be transmitted via encrypted channel. Should not be shared publicly or with unauthorized parties.

Public

Information that has been explicitly approved for external release. Unauthorized disclosure carries no material risk.

Examples: published marketing content, publicly documented features, this security policy, pricing information, public API documentation.

Access requirement: No restriction on access or sharing.

Handling: No special handling requirements. Standard quality review before publication is recommended.

Access Control

Tuva enforces the principle of least privilege: all access to data is limited to what is necessary for a person's specific role and responsibilities.

  • User passwords are hashed with PBKDF2 and a per-user salt. Passwords are never stored in plaintext and are never visible to Tuva staff.
  • Role-based access control limits what each user type (student, teacher, administrator) can view and modify. Students see only their own data. Teachers see only their own classrooms.
  • Access to production infrastructure requires authorization from the Data Owner. Administrative access rights are reviewed periodically.
  • All access authorization decisions are documented and logged.

Encryption

All data transmitted externally — including data transmitted between users and Tuva servers — is encrypted using HTTPS with TLS 1.2 or higher. Tuva's server certificate is signed using SHA-256 with RSA.

Restricted data must be transmitted via an encrypted channel (VPN or equivalent) whenever it is sent outside of Tuva's internal network. Unencrypted transmission of Restricted data is prohibited.

Daily database and user-content backups are transmitted to AWS S3 over HTTPS and stored with AWS server-side encryption (AES-256).

Software Security

Tuva applies security controls throughout its software development and deployment process:

  • Source code is stored in a private GitHub repository. Access is limited to authorized Tuva engineers.
  • No developer may directly modify production files or production database records outside of a formal change management process.
  • Separate development, test/sandbox, and production environments are maintained. Production data is not used in development or test environments.
  • GitHub Dependabot is configured to monitor third-party dependencies for known vulnerabilities and alert the team when updates are required.
  • Tuva's application is built on Django, which provides built-in protections against Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL injection, and clickjacking.

Data Retention

Tuva retains user data only as long as necessary to provide the service and meet legal obligations.

  • Active accounts: Student and teacher account data is retained for the duration of the active account. Schools and districts may request data deletion at any time by contacting Tuva.
  • Account closure: Upon account closure or district offboarding, user data is deleted from Tuva's production systems.
  • Application logs: Server and application logs are retained for a minimum of 2 years for security monitoring and incident investigation purposes.
  • Backups: Encrypted backup snapshots are retained on a rolling schedule. Daily backups are retained for 30 days; weekly snapshots are retained for 90 days.

If your district has specific data retention requirements, please contact us — we can discuss district-specific data processing agreements.

Third-Party Subprocessors

Tuva uses a limited set of third-party services to deliver and operate its platform. Each subprocessor is subject to a data processing agreement and is evaluated for security and compliance.

Each entry lists the subprocessor, its purpose, the data involved, and its certifications.

  • DigitalOcean
    Purpose: Cloud hosting infrastructure (servers, networking, snapshots)
    Data involved: All application data; hosted entirely in US data centers (New York City region)
    Certifications: SOC 2 Type II, ISO/IEC 27001:2013

  • Amazon Web Services (S3)
    Purpose: Encrypted backup storage
    Data involved: Encrypted daily database and user-content backups
    Certifications: SOC 2 Type II, ISO/IEC 27001, FedRAMP

  • Sentry
    Purpose: Application error monitoring
    Data involved: Application error events and stack traces; subject to data scrubbing settings
    Certifications: SOC 2 Type II

  • Google
    Purpose: Single Sign-On (SSO) via Google Workspace
    Data involved: Account authentication tokens (no student data transferred to Google)
    Certifications: SOC 2 Type II, ISO/IEC 27001

  • Microsoft
    Purpose: Single Sign-On (SSO) via Microsoft Entra ID
    Data involved: Account authentication tokens (no student data transferred to Microsoft)
    Certifications: SOC 2 Type II, ISO/IEC 27001

  • Clever
    Purpose: Single Sign-On (SSO) and rostering integration
    Data involved: Roster data shared by the district (name, grade level, section)
    Certifications: SOC 2 Type II

  • ClassLink
    Purpose: Single Sign-On (SSO) and rostering integration
    Data involved: Roster data shared by the district (name, grade level, section)
    Certifications: SOC 2 Type II

This list reflects current primary subprocessors. Tuva does not share student or teacher data with any subprocessor for advertising or profiling purposes.