Breach Notification Plan

This document describes how IEP Pulse detects, responds to, and communicates about data security incidents involving student education records or personal information. This plan complies with FERPA requirements and the District of Columbia's Security Breach Protection Amendment Act (DC Code §28-3851 et seq.).

1. What Constitutes a Breach

A data breach is any unauthorized access to, acquisition of, or disclosure of personally identifiable information (PII) from student education records or user account data. This includes:

• Unauthorized access to the database or storage systems
• Accidental exposure of student data to unauthorized users
• Compromise of user account credentials affecting student data
• Unauthorized access by a third-party service provider
• Loss or theft of devices containing unencrypted student data

2. Detection and Monitoring

IEP Pulse employs the following measures to detect potential breaches:

• Audit logging: All data access and modifications are logged with user ID, timestamp, and action type
• Row-Level Security: Database policies prevent unauthorized data access at the query level
• Supabase monitoring: Database and authentication logs monitored for anomalous activity
• Vercel monitoring: Application deployment and function logs reviewed for unauthorized access patterns

3. Response Timeline

4. Notification Content

Breach notifications to affected users will include:

• Date and time the breach was discovered
• Description of what happened
• Types of data that were or may have been affected
• Steps IEP Pulse has taken to contain and remediate the breach
• Recommended actions for the educator (password change, school notification, etc.)
• Contact information for questions

5. Regulatory Notifications

FERPA

As a vendor operating under FERPA's school official exception, IEP Pulse will:

• Notify affected schools/districts so they can fulfill their obligations under FERPA to report to the U.S. Department of Education's Student Privacy Policy Office (SPPO)
• Cooperate with schools/districts in their response and notification to parents
• Maintain records of all disclosures as required by FERPA

District of Columbia (DC Code §28-3852)

As a DC-based business, IEP Pulse will comply with DC's breach notification law:

• Notify affected DC residents in the most expedient time possible and without unreasonable delay
• If the breach affects 50 or more DC residents, notify the DC Attorney General's office no later than when individual notices are sent
• If the breach affects 1,000 or more DC residents, notify national consumer reporting agencies

Other State Laws

If affected users reside in states with their own breach notification requirements (e.g., California, New York, Illinois), we will comply with those requirements in addition to DC law.

6. Remediation

Following a breach, we will take the following remediation steps as appropriate:

• Force password resets for affected accounts
• Revoke and rotate all API keys and service credentials
• Patch the vulnerability that caused the breach
• Review and strengthen RLS policies and access controls
• Engage a third-party security firm for assessment if the breach is significant
• Update security practices based on lessons learned

7. Record Keeping

We maintain records of all security incidents, including:

• Date and time of discovery
• Nature and scope of the incident
• Data types affected
• Number of affected users
• Actions taken in response
• Notifications sent and to whom
• Root cause analysis findings
• Preventive measures implemented

These records are retained for a minimum of 5 years.

8. Responsible Party

The data breach response is managed by:

Mekoce Walker, Owner and Operator
IEP Pulse
Email: privacy@ieppulse.com
Washington, DC

9. Plan Review

This breach notification plan is reviewed and updated at least annually, or after any security incident, to ensure it reflects current practices and legal requirements.