TARTAN APP - DATA PRIVACY AND SECURITY PLAN

1. Overview

This Plan describes the technical and organisational measures taken by Tartan App Inc. (referred to as Tartan App) to secure Personal Data it processes, including Student Data and Staff Data. Tartan App is a data processor only, and only processes Personal Data at the direction of its school customers or through their authorised use of the Service and its enabled functionalities.

2. Data Processing Principles

Tartan only uses Personal Data to provide its services and only to the extent necessary and proportionate to do so. Personal Data is not used for marketing, profiling or any other independent commercial use. All processing is conducted confidentially and with due regard to security and reliability.

3. Roles and Responsibilities

Schools act as data controllers and retain full authority over the purposes and means of processing Personal Data. Tartan App acts as a processor and does not independently determine how Personal Data is used. Internally, Tartan App maintains accountability through designated security and privacy ownership, supported by governance processes including oversight, monitoring, and periodic reviews.

4. Data Categories

Tartan App processes Personal Data only to the extent necessary to perform the services it provides. This will usually include Student Data and Staff Data. System-generated or operational data may also be processed. Tartan App does not knowingly process any special categories of data, unless specifically instructed and authorised to do so by a School.

5. Data Classification and Handling

All Personal Data is categorized within a data classification system determined by its sensitivity and risk profile. Student Data and Staff Data are considered restricted by default and handled with appropriate restrictions. Restrictions include controls for accessing, storing, transmitting, retaining and securely disposing of the data throughout its lifecycle.

6. Access Control and Authentication

Personal Data will be accessible only to those persons who have been authorised to do so on a role and business need-to-know basis. Access will be limited according to the principles of least privilege. Authorised access will be secured through strong password practices and multi-factor authentication where necessary. Reviews of user access rights will occur at regular intervals, with changes implemented in a timely manner when access needs to be increased or removed.

7. Encryption and Data Security

Tartan App protects Personal Data using industry-standard encryption mechanisms. Data in transit is secured using TLS 1.2 or higher, and data at rest is encrypted using AES-256 or equivalent standards. Sensitive data is not stored or transmitted in plaintext, and encryption keys are managed securely with restricted access.

8. System Monitoring and Vulnerability Management

Tartan App maintains monitoring systems to detect and respond to potential threats and unauthorised activities. System activity, including authentication and administrative actions, is logged and reviewed for anomalies. Vulnerabilities are identified through regular scanning, prioritised based on risk, and remediated within defined timeframes.

9. Incident Response and Breach Notification

Tartan App maintains an incident response process designed to identify, contain, investigate, and resolve security incidents. In the event of a security incident involving Personal Data, Tartan App will notify the relevant School without undue delay and typically within 24 to 72 hours. Tartan App will provide sufficient information to support the School's assessment and compliance obligations and will cooperate fully in any required response actions.

10. Data Retention and Secure Disposal

Personal Data is held for no longer than is necessary for the purposes for which it was collected or to perform any contractual or legal obligations. Retention periods are specified and reviewed regularly to ensure data is not held longer than necessary. When it is no longer required, data is returned to the School or securely erased in a manner which prevents reconstruction.

11. Data Sharing and Transfers

Tartan App will only share Personal Data where required to provide its services and only with authorised parties, including approved Subprocessors and service providers supporting, maintaining, securing, or enhancing the Service. Transfers of Personal Data are always made securely and only to parties who need to know.

12. Subprocessor Management

Tartan App engages third-party service providers only after conducting appropriate due diligence. Subprocessors are contractually required to implement security and confidentiality measures and to process Personal Data solely under Tartan App's instructions. Tartan App maintains oversight of subprocessor activities and reviews their compliance on an ongoing basis, including proportionate review of AI-enabled or automated service providers where used.

13. Business Continuity and Disaster Recovery

Tartan App has implemented a business continuity plan to promote system resiliency and disaster recovery. Tartan App utilizes regular backups and has disaster recovery procedures in place that have been tested. Systems and data can be recovered within specified time frames.

14. Secure Development and Change Management

Security is built into Tartan App's development lifecycle. Changes to systems are reviewed, tested, and approved before being put into production. Vulnerability scanning and validation are completed during the development of systems that house Personal Data. Material AI-enabled features involving Personal Data are subject to appropriate privacy and security review before release.

15. Risk Management and Continuous Improvement

Tartan App maintains a formal risk management process to identify, assess, and address risks to its systems and the Personal Data it processes. Risks are documented, prioritised, and reviewed regularly. Continuous improvement is driven by risk assessments, audit findings, incident learnings, and evolving legal and regulatory requirements.

16. Personnel Security and Training

Staff are bound by confidentiality agreements. They are trained on data protection and security procedures as necessary. Additional training is given when employees are onboarded, as well as throughout their employment.

17. Compliance and Regulatory Alignment

Tartan App's security and privacy practices are aligned with applicable legal, regulatory, and contractual requirements, including SOC 2 and K-12 student data privacy frameworks such as NDPA-aligned standards. Tartan maintains documentation and records necessary to demonstrate compliance and support audits, due diligence, and regulatory review processes.

18. Subprocessor and Tool Usage Overview

Tartan App relies on a small number of trusted third parties to provide infrastructure, communications, analytics, and operational services. Essential service providers (e.g. cloud hosting, communications tools, and approved product support providers) may process Personal Data as necessary to provide, maintain, secure, support, or enhance the Service. Certain analytics and marketing tools are used primarily in connection with public website activities. Where such tools are employed, Tartan App seeks to minimise data shared and uses aggregated, pseudonymised, or non-identifiable data where feasible. The complete list is available in the Tartan App privacy policy.