
Incident Response & Breach Notification Plan

This document outlines Paideon's procedures for detecting, responding to, and notifying affected parties in the event of a data security incident.

Last updated: February 23, 2026

  • Detect & Assess: Identify the incident, determine scope and severity, classify the data involved.
  • Contain & Notify: Stop the breach, notify affected schools within 72 hours, report to authorities where required.
  • Remediate & Review: Fix the root cause, restore service, conduct a post-incident review, update controls.

1. Scope

This plan covers any unauthorized access to, disclosure of, or loss of data processed by Paideon, including:

  • Student education records (names, IDs, grades, submissions)
  • Teacher account information (email, password hashes)
  • School organization data
  • Audit logs and system data

2. Incident Classification

Severity Levels

  • Critical: Confirmed unauthorized access to student education records or teacher credentials. Requires immediate response (within 1 hour).
  • High: Suspected unauthorized access, vulnerability actively exploited, or service compromise. Response within 4 hours.
  • Medium: Vulnerability discovered but not exploited, failed attack attempt, or suspicious activity. Response within 24 hours.
  • Low: Minor security event with no data exposure. Response within 72 hours.

3. Phase 1: Detection & Assessment

  1. Identify the incident — through monitoring, audit logs, user reports, or third-party notification.
  2. Assemble response team — engineering lead, company leadership, and legal/compliance contact.
  3. Determine scope:
    • What data was accessed or exposed?
    • How many users/students are affected?
    • What was the attack vector?
    • Is the breach ongoing?
  4. Classify student data involved: Determine whether student education records (as defined by FERPA) were part of the breach.
  5. Document everything — timestamp all actions, preserve logs, record decisions.
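As an added example, not part of Paideon's plan or code, the scoping questions in steps 3 and 4 worked over a constructed JSON-lines audit log. The log format, field names, resource types and the sample events are assumptions; the point is that scope, attack-vector hint, containment status and severity all fall out of the same query once the log is preserved.

```python
"""Scope an incident from audit-log events (Phase 1, steps 3 and 4).

Added example; it is not Paideon's code. The JSON-lines log format, field
names and the sample events below are constructed for illustration.
"""
import json
from datetime import datetime, timezone

# Constructed sample audit log. teacher_42's usual address is 198.51.100.5;
# the 2026-02-20 02:10 login from 203.0.113.7 begins the suspicious activity,
# and containment is declared at 10:00 the same day.
SAMPLE_LOG = """
{"ts": "2026-02-18T08:00:00Z", "actor": "teacher_42", "action": "login", "resource": "session", "school_id": "sch-1", "ip": "198.51.100.5"}
{"ts": "2026-02-18T08:05:00Z", "actor": "teacher_42", "action": "read", "resource": "student_record", "student_id": "s-1001", "school_id": "sch-1", "ip": "198.51.100.5"}
{"ts": "2026-02-20T02:10:00Z", "actor": "teacher_42", "action": "login", "resource": "session", "school_id": "sch-1", "ip": "203.0.113.7"}
{"ts": "2026-02-20T02:11:00Z", "actor": "teacher_42", "action": "read", "resource": "student_record", "student_id": "s-1001", "school_id": "sch-1", "ip": "203.0.113.7"}
{"ts": "2026-02-20T02:11:30Z", "actor": "teacher_42", "action": "read", "resource": "student_record", "student_id": "s-1002", "school_id": "sch-1", "ip": "203.0.113.7"}
{"ts": "2026-02-20T02:12:00Z", "actor": "teacher_42", "action": "read", "resource": "grade", "student_id": "s-2001", "school_id": "sch-2", "ip": "203.0.113.7"}
{"ts": "2026-02-20T02:13:00Z", "actor": "teacher_42", "action": "export", "resource": "submission", "student_id": "s-2002", "school_id": "sch-2", "ip": "203.0.113.7"}
{"ts": "2026-02-20T09:00:00Z", "actor": "teacher_7", "action": "read", "resource": "student_record", "student_id": "s-3001", "school_id": "sch-3", "ip": "192.0.2.9"}
{"ts": "2026-02-20T10:30:00Z", "actor": "teacher_42", "action": "read", "resource": "student_record", "student_id": "s-2003", "school_id": "sch-2", "ip": "203.0.113.7"}
"""

# Resource types treated as FERPA education records / credentials (assumptions).
FERPA_RESOURCES = {"student_record", "grade", "submission"}
CREDENTIAL_RESOURCES = {"teacher_credentials"}


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = parse_ts(ev["ts"])
            events.append(ev)
    return events


def scope_incident(events, actor, incident_start, contained_at=None):
    """Answer the four scoping questions for one compromised account.

    Events before incident_start form the account's baseline; source addresses
    in the incident window that never appear in the baseline are the
    attack-vector hint; any event after contained_at means containment failed.
    """
    start = parse_ts(incident_start)
    mine = [e for e in events if e["actor"] == actor]
    baseline_ips = {e["ip"] for e in mine if e["ts"] < start}
    window = [e for e in mine if e["ts"] >= start]
    data_types = {e["resource"] for e in window if e["resource"] != "session"}
    ongoing = None
    if contained_at is not None:
        end = parse_ts(contained_at)
        ongoing = any(e["ts"] > end for e in window)
    return {
        "actor": actor,
        "data_types": data_types,
        "ferpa_records_involved": bool(data_types & FERPA_RESOURCES),
        "credentials_involved": bool(data_types & CREDENTIAL_RESOURCES),
        "students_affected": len({e["student_id"] for e in window if e.get("student_id")}),
        "schools_affected": {e["school_id"] for e in window if e.get("school_id")},
        "new_source_ips": {e["ip"] for e in window} - baseline_ips,
        "first_seen": min(e["ts"] for e in window).isoformat() if window else None,
        "last_seen": max(e["ts"] for e in window).isoformat() if window else None,
        "ongoing": ongoing,
    }


def classify_severity(scope, confirmed):
    """Map a scope onto the plan's severity levels (Critical / High / Medium)."""
    sensitive = scope["ferpa_records_involved"] or scope["credentials_involved"]
    if confirmed and sensitive:
        return "Critical"
    if confirmed or scope["new_source_ips"]:
        return "High"  # suspected unauthorized access
    return "Medium"


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    s = scope_incident(evs, "teacher_42", "2026-02-20T02:00:00Z", "2026-02-20T10:00:00Z")
    print(json.dumps({k: sorted(v) if isinstance(v, set) else v for k, v in s.items()}, indent=2))
    print("severity:", classify_severity(s, confirmed=True))
```

Run against the sample, the scope for teacher_42 reports five students across two schools, FERPA records involved, one previously unseen source address, and `ongoing` true because a read at 10:30 follows the 10:00 containment time, which is exactly the signal step 4 of Containment below is meant to catch.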

4. Phase 2: Containment

  1. Preserve evidence — before making changes, export or snapshot database logs, audit trails and access logs, record their hashes, and capture volatile state (active sessions, running processes) that containment will destroy. If the breach is ongoing, evidence collection must not delay credential revocation: snapshot what revocation will change (e.g. the active session list) and proceed.
  2. Isolate the affected system(s) — revoke compromised credentials and invalidate their active sessions, rotate API keys and any other secrets the attacker may have obtained, disable affected endpoints.
  3. Stop the breach — patch the vulnerability, block the attacker's source, close the attack vector.
  4. Verify containment — confirm the breach is no longer active: revoked credentials and rotated keys are rejected, and monitoring shows no attacker activity after the containment timestamp.

5. Phase 3: Notification

Paideon follows the shortest applicable notification timeline. The 72-hour commitments below run from confirmation of a breach; where a statutory clock is shorter, or runs from discovery rather than confirmation, the statutory clock governs.

Schools & Districts

  • Within 72 hours of confirming a breach involving student education records, we will notify all affected schools and school districts.
  • Notification includes: description of the incident, types of data involved, approximate number of students affected, remediation steps taken, and contact information for follow-up.

State Requirements

  • New York (Ed Law 2-d / 8 NYCRR Part 121): as a third-party contractor, notify each affected educational agency without unreasonable delay and no later than seven calendar days after discovery; the agency then notifies NYSED's Chief Privacy Officer and affected parents within the timelines the Commissioner's regulations set, and we supply what the agency needs for those notices.
  • Illinois (SOPPA): notify each affected school no later than 30 calendar days after determining that a breach occurred; the school notifies affected families, and we supply the information it needs for that notice.
  • California (Civ. Code 1798.82; SOPIPA and CCPA govern the underlying student-data obligations): notify affected California residents without unreasonable delay, and submit a sample copy of the notice to the California Attorney General when more than 500 California residents must be notified for a single breach.
  • Colorado (C.R.S. 6-1-716): notify affected individuals no later than 30 days after determining that a breach occurred, and the Colorado Attorney General when 500 or more Colorado residents are affected.
  • For all other states, we follow the applicable state breach notification law.

Individual Teachers

  • All affected teachers will be notified via email within 72 hours of confirming the breach.
  • Notification includes: what happened, what data was involved, what we are doing about it, and recommended actions (e.g., password reset).

Authorities

  • If required by state law, we will notify the relevant state attorney general or education department within the specified timeline.

6. Phase 4: Remediation

  1. Fix the root cause — deploy patches, update configurations, strengthen access controls.
  2. Force credential rotation — if teacher accounts were compromised, force password resets for affected users, invalidate their existing sessions, and rotate any API keys or tokens tied to those accounts.
  3. Restore service — verify all systems are operational and secure before resuming normal operations.
  4. Monitor for recurrence — enhanced monitoring for 30 days post-incident.
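The Containment phase (section 4) and the credential-rotation step above share one ordering rule: preserve the evidence, then revoke, then prove the old credentials no longer work. As an added example, not Paideon's code, the following shows that sequence end to end. The account table, the session-token shape (a per-account token version that every session carries), the API-key storage and the log line are all assumptions made for illustration.

```python
"""Evidence-first containment and credential remediation (Phases 2 and 4)."""
# Added example, not Paideon's code. The account table, session-token shape,
# API-key storage and the sample log line are assumptions for illustration.
import hashlib
import hmac
import json
import os
import secrets
import shutil
import tempfile
from datetime import datetime, timezone

def now_iso():
    return datetime.now(timezone.utc).isoformat()

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def preserve_evidence(paths, out_dir):
    """Copy logs into out_dir and record their SHA-256 digests in a manifest."""
    # Runs before any credential change so the record of the intrusion survives containment.
    os.makedirs(out_dir, exist_ok=True)
    files = []
    for src in paths:
        dst = os.path.join(out_dir, os.path.basename(src))
        shutil.copy2(src, dst)
        files.append({"source": src, "copy": dst, "sha256": sha256_file(dst)})
    manifest = {"collected_at": now_iso(), "files": files}
    with open(os.path.join(out_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def hash_secret(value):
    return hashlib.sha256(value.encode()).hexdigest()

class AccountStore:  # stand-in for the account table (assumption)
    def __init__(self):
        self.accounts = {}

    def add(self, user_id):
        key = secrets.token_urlsafe(32)
        self.accounts[user_id] = {"token_version": 1, "must_reset_password": False,
                                  "api_key_hash": hash_secret(key)}
        return key

    def issue_session(self, user_id):
        # A session carries the version it was minted under; bumping the account's
        # version invalidates every outstanding session at once.
        return {"sub": user_id, "ver": self.accounts[user_id]["token_version"]}

    def session_valid(self, token):
        acct = self.accounts.get(token["sub"])
        return bool(acct) and token["ver"] == acct["token_version"] and not acct["must_reset_password"]

    def api_key_valid(self, user_id, key):
        acct = self.accounts.get(user_id)
        return bool(acct) and hmac.compare_digest(acct["api_key_hash"], hash_secret(key))

    def revoke_credentials(self, user_id):
        """Kill all sessions, rotate the API key and require a password reset."""
        acct = self.accounts[user_id]
        acct["token_version"] += 1
        acct["must_reset_password"] = True
        new_key = secrets.token_urlsafe(32)
        acct["api_key_hash"] = hash_secret(new_key)
        return new_key  # delivered once, out of band, never logged

def contain(store, compromised_users, evidence_paths, evidence_dir):
    """Phase 2 in order: preserve evidence, then revoke. Returns (timeline, manifest)."""
    manifest = preserve_evidence(evidence_paths, evidence_dir)
    timeline = [{"at": manifest["collected_at"], "step": "preserve_evidence"}]
    for uid in compromised_users:
        store.revoke_credentials(uid)
        timeline.append({"at": now_iso(), "step": "revoke_credentials", "user": uid})
    return timeline, manifest

def verify_containment(store, old_sessions, old_keys):
    """True only when every pre-containment session and API key is now rejected."""
    return (all(not store.session_valid(t) for t in old_sessions)
            and all(not store.api_key_valid(u, k) for u, k in old_keys))

def run_demo():
    """Walk one compromised account through containment; returns checkable results."""
    work = tempfile.mkdtemp(prefix="ir-demo-")
    log_path = os.path.join(work, "access.log")
    with open(log_path, "w") as f:  # constructed log line for the example
        f.write("2026-02-20T02:11:00Z teacher_42 read student_record s-1001 203.0.113.7\n")
    store = AccountStore()
    old_key = store.add("teacher_42")
    old_session = store.issue_session("teacher_42")
    valid_before = store.session_valid(old_session) and store.api_key_valid("teacher_42", old_key)
    timeline, manifest = contain(store, ["teacher_42"], [log_path], os.path.join(work, "evidence"))
    return {
        "valid_before": valid_before,
        "steps": [t["step"] for t in timeline],
        "contained": verify_containment(store, [old_session], [("teacher_42", old_key)]),
        "evidence_intact": manifest["files"][0]["sha256"] == sha256_file(log_path),
        "reset_required": store.accounts["teacher_42"]["must_reset_password"],
    }
```

`run_demo()` returns `contained` true only because the old session and old API key are both rejected after `revoke_credentials`; the manifest's timestamp precedes the revocation entries, which is the record a post-incident reviewer (section 7) will ask for. Versioned sessions are what make "invalidate existing sessions" a single write rather than a hunt for every outstanding token, and `hmac.compare_digest` keeps the API-key check constant-time.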

7. Phase 5: Post-Incident Review

  1. Conduct a post-mortem within 7 days of incident resolution.
  2. Document lessons learned: What failed? What worked? What changes are needed?
  3. Update security controls based on findings.
  4. Update this plan if gaps were identified.
  5. Share findings with affected schools (summary of root cause and preventive measures taken).

8. Contact Information

To report a security incident or vulnerability:
