Security Controls Status
Controls are organized by the six NIST CSF 2.0 functions. Each row identifies the relevant category, the control or practice in place, its current status, and the source document or evidence supporting the assessment.
Status legend: Meets | Partially Meets | Does Not Meet | Not Assessed
| CSF Function | Category | Control / Practice | Status | Evidence / Notes |
|---|---|---|---|---|
| Govern | Policy | Data classification policy exists | Meets | Written Data Classification Policy defines three tiers (Restricted, Confidential, Public), data ownership roles, access control requirements, and encryption requirements for external transmission of Restricted data. See Data Classification Policy. |
| Govern | Policy | Password policy documented and enforced | Partially Meets | Written Password Policy establishes minimum length, complexity requirements, and 120-day rotation for system-level accounts. All user passwords are hashed with PBKDF2+salt via Django's authentication framework and are never stored in plaintext or visible to Tuva staff. User passwords cannot be reused. Policy documentation is in place; technical enforcement of the rotation schedule for all system accounts is not fully confirmed. See Tuva Password Policy documentation. |
| Govern | Privacy Compliance | FERPA alignment | Partially Meets | Tuva's data practices are designed to align with FERPA. Student education records are accessible only to the teacher of record and authorized school administrators. Tuva does not sell or disclose student data to third parties. Students under 13 enroll without an email address using class codes only. Tuva does not hold a formal FERPA audit or third-party certification; alignment is based on product design and internal policy. Confirmed via vendor security questionnaire responses (Newark). |
| Govern | Roles & Responsibilities | Data ownership roles defined | Meets | Data Classification Policy designates the VP of Engineering as Data Owner, with the Product Manager and CEO as alternates. VP Engineering authorization is required before any employee, contractor, or vendor accesses Restricted or Confidential data. |
| Govern | Risk Management | Cyber liability insurance in place | Meets | Tuva maintains cyber liability insurance coverage. Policy details confirmed via vendor security questionnaire responses. |
| Identify | Asset Management | Infrastructure inventory and location documented | Meets | All infrastructure runs on DigitalOcean data centers located in the United States (New York City region). No data is hosted or processed outside of the US. Confirmed across multiple vendor questionnaire responses. |
| Identify | Asset Management | Separate development, test, and production environments | Meets | Tuva maintains distinct development, test/sandbox, and production environments. Developers cannot directly modify production files. Confirmed via vendor questionnaire responses (Monash, PWCS). |
| Identify | Risk Assessment | Periodic access review policy in place | Meets | Data Classification Policy requires periodic review of administrative access rights. Access authorization is logged and reviewed by the Data Owner. |
| Protect | Data Security | Data in transit: HTTPS / TLS 1.2+ encryption | Meets | All data transmitted between users and Tuva servers is encrypted using HTTPS with TLS 1.2+ (server certificate signed with SHA-256 with RSA). Confirmed in Data Security documentation and across multiple vendor questionnaires (Monash, PWCS, Newark). |
| Protect | Data Security | Backup data encrypted in transit and at rest | Meets | Daily database and user-content backups are transmitted to AWS S3 using HTTPS (encrypted in transit). AWS S3 provides server-side encryption at rest (AES-256) by default. Confirmed in Tuva Routine Data Backup Operations documentation. |
| Protect | Identity Management | Password hashing: PBKDF2 with salt | Meets | User passwords are hashed with PBKDF2+salt via Django's built-in authentication framework. Passwords are never stored in plaintext and are never visible to Tuva staff. Confirmed via vendor questionnaire (Monash). |
| Protect | Identity Management | SSO: Google, Microsoft, Clever, ClassLink | Meets | Tuva supports Single Sign-On (SSO) via Google, Microsoft, Clever, and ClassLink, allowing schools and districts to use their existing identity providers. Confirmed across multiple vendor questionnaire responses. |
| Protect | Identity Management | Multi-factor authentication (MFA) | Partially Meets | MFA is enforced for Tuva's internal infrastructure and administrative access. MFA is not currently offered as an option for teacher or student end-user accounts; schools and districts that require MFA for staff can satisfy this through their identity provider (Google Workspace, Microsoft Entra, Clever, or ClassLink) when using SSO. Confirmed via vendor questionnaire (Monash). |
| Protect | Identity Management | Under-13 enrollment: no email required | Meets | Students under 13 can join a class using a class code without providing an email address. Only a name is required. COPPA-compliant enrollment flow. Confirmed across multiple vendor questionnaire responses. |
| Protect | Access Control | Role-based access control (RBAC) | Meets | Access to data is governed by user role (teacher, student, admin) and data ownership. Students only see data associated with their own account. Teachers see only their own classrooms. Administrative access requires authorization per Data Classification Policy. |
| Protect | Protective Technology | Django framework security protections (XSS, CSRF, SQLi, clickjacking) | Meets | Tuva uses Django's built-in security middleware, which provides protections against Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL injection, and clickjacking by default. Confirmed via vendor questionnaire (ExploreLearning). |
| Protect | Protective Technology | Dependency vulnerability monitoring: Dependabot | Meets | GitHub Dependabot is configured to monitor dependencies for known vulnerabilities and generate automated pull requests when updates are available. Confirmed via vendor questionnaire responses (Monash, ExploreLearning). |
| Protect | Protective Technology | No third-party outsourcing of technical support | Meets | All technical support is handled by Tuva's internal team. No third-party vendors have access to customer data for support purposes. Confirmed via vendor questionnaire (Newark). |
| Protect | Protective Technology | Infrastructure provider certifications (DigitalOcean) | Meets | Tuva's infrastructure provider, DigitalOcean, holds SOC 2 Type II and ISO/IEC 27001:2013 certifications. These certifications apply to the infrastructure layer, not to Tuva as an organization. Confirmed via vendor questionnaire responses (Monash, Durham). |
| Protect | Data Security | No AI-based processing of student or district data | Meets | Tuva does not use AI or machine learning technology to process, analyze, or profile student or district data for any purpose. Standard operational tools (such as application error monitoring via Sentry) may incidentally capture limited technical data; these tools are used solely for platform reliability and are subject to data processing agreements. Confirmed via vendor questionnaire (Newark). |
| Protect | Data Security | Data deleted upon account closure | Meets | User data is deleted from Tuva's systems upon account closure. Confirmed via vendor questionnaire (Durham, PWCS). |
| Protect | Data Security | COPPA compliance: minimal PII, no data sold | Meets | Tuva collects only the minimum PII needed to provide the service (name and email for teachers; name only for students under 13). No student or teacher data is sold to third parties. Confirmed via vendor questionnaire (Durham, Newark). |
| Detect | Anomalies & Events | Application error monitoring: Sentry | Meets | Sentry is configured for real-time application error monitoring and alerting. Anomalous error patterns can trigger notifications to the engineering team. Confirmed via vendor questionnaire (Monash). |
| Detect | Anomalies & Events | Server-level monitoring: CPU, memory, and disk alerts | Meets | DigitalOcean's built-in monitoring provides alerts for CPU usage, memory, and disk utilization on all production droplets. Confirmed via vendor questionnaire (Monash). |
| Detect | Security Continuous Monitoring | Log retention: 2 years | Meets | Application and server logs are retained for a minimum of 2 years. Confirmed via vendor questionnaire (Monash). |
| Detect | Detection Processes | Third-party penetration testing | Not Assessed | Independent third-party penetration testing has not been completed. This row will be updated when a test has been performed and results can be disclosed. |
| Respond | Response Planning | Incident response: 6-step documented lifecycle | Meets | Tuva's Data Breach Notification Procedure documents a six-step incident response lifecycle: (1) Discovery, (2) Containment, (3) Investigation, (4) Communication, (5) Mitigation, (6) Review. See Data Breach Notification Policy. Confirmed in procedure document and vendor questionnaire (Monash). |
| Respond | Communications | 48-hour notification to affected parties after confirmed breach | Meets | Tuva's written procedure requires notifying affected schools and districts within 48 hours of confirming a data breach. Notification includes the scope of the breach, investigation findings, and remedial actions taken. Confirmed in Data Breach Notification Procedure document. |
| Respond | Communications | Responsible disclosure program in place | Meets | Tuva operates a responsible disclosure program with a public-facing contact page (/security/contact) and a Hall of Fame for researchers who have responsibly disclosed vulnerabilities. Program has been in place since at least 2021. |
| Recover | Recovery Planning | Daily database and user-content backups to AWS S3 | Meets | Daily automated backups of the production database and user-uploaded content are transmitted to AWS S3. Backups are encrypted in transit and stored with server-side encryption. Confirmed in Tuva Routine Data Backup Operations documentation. |
| Recover | Recovery Planning | Weekly full system snapshots via DigitalOcean | Meets | Weekly full-droplet snapshots are taken of all production infrastructure via DigitalOcean's snapshot service. Confirmed in Tuva Routine Data Backup Operations documentation and Disaster Recovery document. |
| Recover | Recovery Planning | Periodic backup restore tests | Meets | Backup integrity and restoration procedures are tested periodically to verify that backups are complete and recoverable. Confirmed in Tuva Routine Data Backup Operations documentation. |
| Recover | Recovery Planning | Annual disaster recovery simulation | Meets | Tuva conducts an annual full disaster recovery simulation, including restore from backup to a new region. The DR procedure is documented in the Tuva Disaster Recovery and Business Continuity / Contingency Procedures document. |
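Two of the Protect rows above (PBKDF2 password hashing via Django, and Django's built-in XSS/CSRF/SQL-injection/clickjacking protections) are the kind of claims an assessor can check directly against the application's configuration rather than only against questionnaire answers. The script below is an added illustration, not Tuva's code: it verifies a password against a hash stored in the format Django's `PBKDF2PasswordHasher` writes (`pbkdf2_sha256$<iterations>$<salt>$<base64 digest>`) using only the Python standard library, and it audits a Django `settings` dict for the middleware and flags behind those rows. Note that in Django the CSRF and clickjacking defences are middleware, while SQL-injection protection comes from ORM query parameterization and XSS protection from template auto-escaping, so the audit checks the middleware list and the transport flags that are visible in settings. The two settings dicts and the iteration count are constructed sample values; Django's own default iteration count rises with each release.

```python
"""Added example: configuration and hash-format checks for the Django rows.

Not Tuva's code. Uses only the standard library so it runs offline.
"""
import base64
import hashlib
import hmac
import secrets
from typing import List, Optional

ALGORITHM = "pbkdf2_sha256"          # Django's PBKDF2PasswordHasher.algorithm
DEFAULT_ITERATIONS = 600_000         # constructed default; Django's real default is release-specific


def encode_django_pbkdf2(password: str, salt: Optional[str] = None,
                         iterations: int = DEFAULT_ITERATIONS) -> str:
    """Produce a hash string in the same layout Django stores in auth_user.password."""
    if salt is None:
        salt = secrets.token_urlsafe(16)   # fresh random salt per password
    if "$" in salt:
        raise ValueError("salt must not contain the '$' field separator")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"{ALGORITHM}${iterations}${salt}${base64.b64encode(digest).decode('ascii')}"


def verify_django_pbkdf2(password: str, encoded: str) -> bool:
    """Recompute PBKDF2 from the stored salt/iterations and compare in constant time.

    Only the salt and iteration count are recoverable from the stored value;
    the plaintext is not, which is what the 'never stored in plaintext' row relies on.
    """
    try:
        algorithm, iterations, salt, _ = encoded.split("$", 3)
        iterations = int(iterations)
    except ValueError:                 # malformed or truncated stored value
        return False
    if algorithm != ALGORITHM or iterations <= 0:
        return False
    candidate = encode_django_pbkdf2(password, salt=salt, iterations=iterations)
    return hmac.compare_digest(candidate, encoded)


# Real Django module paths for the protections the Protective Technology row names.
REQUIRED_MIDDLEWARE = {
    "django.middleware.security.SecurityMiddleware": "HSTS / SSL redirect / nosniff headers",
    "django.middleware.csrf.CsrfViewMiddleware": "CSRF protection",
    "django.middleware.clickjacking.XFrameOptionsMiddleware": "clickjacking protection (X-Frame-Options)",
}
PBKDF2_HASHER = "django.contrib.auth.hashers.PBKDF2PasswordHasher"


def audit_django_settings(settings: dict) -> List[str]:
    """Return a list of findings; an empty list means every checked control is present."""
    findings: List[str] = []
    middleware = settings.get("MIDDLEWARE", [])
    for path, purpose in REQUIRED_MIDDLEWARE.items():
        if path not in middleware:
            findings.append(f"missing {path} ({purpose})")
    # If PASSWORD_HASHERS is unset, Django's default list leads with PBKDF2.
    hashers = settings.get("PASSWORD_HASHERS", [PBKDF2_HASHER])
    if not hashers or hashers[0] != PBKDF2_HASHER:
        findings.append("PASSWORD_HASHERS does not lead with PBKDF2PasswordHasher")
    if settings.get("DEBUG", False):
        findings.append("DEBUG is enabled (stack traces and settings leak to users)")
    for flag in ("SECURE_SSL_REDIRECT", "SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not settings.get(flag, False):
            findings.append(f"{flag} is not True")
    if settings.get("SECURE_HSTS_SECONDS", 0) <= 0:
        findings.append("SECURE_HSTS_SECONDS is not set (no HSTS header)")
    return findings


# Constructed sample settings: a weak development-style module beside a hardened one.
WEAK_SETTINGS = {
    "DEBUG": True,
    "MIDDLEWARE": ["django.middleware.common.CommonMiddleware"],
    "PASSWORD_HASHERS": ["django.contrib.auth.hashers.MD5PasswordHasher"],
}
HARDENED_SETTINGS = {
    "DEBUG": False,
    "MIDDLEWARE": ["django.middleware.security.SecurityMiddleware",
                   "django.middleware.common.CommonMiddleware",
                   "django.middleware.csrf.CsrfViewMiddleware",
                   "django.middleware.clickjacking.XFrameOptionsMiddleware"],
    "PASSWORD_HASHERS": [PBKDF2_HASHER],
    "SECURE_SSL_REDIRECT": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "SECURE_HSTS_SECONDS": 31_536_000,
}

if __name__ == "__main__":
    stored = encode_django_pbkdf2("correct horse battery staple")
    print(stored)
    print("verify ok:", verify_django_pbkdf2("correct horse battery staple", stored))
    print("verify wrong:", verify_django_pbkdf2("hunter2", stored))
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, audit_django_settings(cfg) or "no findings")
```

Running `audit_django_settings` against the real settings module (for example by importing it and passing `vars(settings)`) turns the "Meets" entries for password hashing and framework protections into something reproducible at each review, and `verify_django_pbkdf2` lets an assessor confirm that a sampled database value really is a salted PBKDF2 hash rather than a reversible encoding.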