# 09 - Security, Compliance, And Operational Risk

## Security Baseline

- Identity and access management with least privilege and strict parent/tutor/admin separation.
- Encryption in transit and at rest.
- Centralized logging and audit trails with 1-year retention minimum.
- Vulnerability management with remediation SLAs.
- Annual penetration test before broad MSP scaling.
## Compliance Scope

| Standard | Required | Current Status | Gap | Owner |
|---|---|---|---|---|
| COPPA | Yes | In progress | Parental consent record automation | Product + Legal |
| FERPA | Conditional (school channel) | In progress | Data sharing agreement templates per partner | Legal |
| SOC 2 Type I | Yes (MSP) | Planned | Control evidence collection and auditor engagement | Security |
| SOC 2 Type II | Later phase | Not started | Operating period evidence | Security |
| GDPR/CCPA | Conditional by region | Planned | DSAR automation and deletion workflows | Engineering |
## Risk Register

| Risk | Category | Probability | Impact | Mitigation | Owner |
|---|---|---|---|---|---|
| Exposure of student PII through misconfigured access | Security | Low | Critical | Strict RBAC defaults, access reviews, tenant boundary tests | Security |
| Child safety incident in live session context | Safety | Low | Critical | Tutor screening, session conduct policy, reporting and escalation workflow | Tutor Ops + Legal |
| Scheduling or tutor availability gaps reduce continuity | Operational | Medium | High | Capacity planning, backup bench, continuity SLA monitoring | Tutor Ops |
| Payment failures or billing confusion increase churn | Commercial | Medium | Medium | Dunning logic, clear billing UX, rapid support handoff | Revenue Ops |
| Bias or uneven efficacy across student subgroups | Product/Ethics | Medium | High | Subgroup outcome monitoring and curriculum review checkpoints | PM + Curriculum |
## Incident Management

- Incident severity model defined (Sev-1 to Sev-4).
- On-call and escalation policy documented.
- Target response times: Sev-1 acknowledge <=15 minutes, Sev-2 <=30 minutes.
- Post-incident review required within 5 business days.
## Reliability Targets

- Availability SLO: 99.9% monthly for core learner, tutor, and parent workflows.
- Latency SLO: p95 <=400 ms for key session and scheduling interactions.
- Error budget policy: monthly error budget tied to feature release velocity; freeze high-risk launches when the budget is exhausted.
## Controls Review Cadence

- Monthly control audit.
- Quarterly tabletop incident exercise.
- Annual external assessment.
- Quarterly privacy review for student data minimization and retention limits.