
School Safety Assurance International (SSAI), Suite #58, Arihant Industrial Premises, Off Link Road, Goregaon (West), Mumbai - 400104, Maharashtra, India, is committed to protecting information and personal data in accordance with ISO/IEC 27001:2022, the EU General Data Protection Regulation (GDPR), India’s Digital Personal Data Protection Act (DPDP) 2023, and other applicable laws.

Note: SSAI maintains a separate, standalone Quality Policy under ISO 9001:2015. This document focuses on Information Security, Data Protection, and Privacy only.

This combined policy integrates SSAI’s Information Security Policy with our Data Protection & Privacy Policy to ensure a coherent governance framework for our AI-enabled SaaS platform, assessments, certifications, and operations.

Purpose

  • Define principles, roles, and controls for safeguarding information assets and personal data processed by SSAI.
  • Ensure lawful, fair, and transparent processing of personal data and alignment with ISO/IEC 27001:2022 controls and applicable privacy regulations.

Scope

  • Applies to all SSAI personnel, contractors, interns, temporary staff, and third-party processors.
  • Covers all information assets and personal data (electronic and paper) related to customers, users, employees, and third parties processed via the website, AI-enabled SaaS platform, assessments, certifications, and related services.
  • Includes processing in all jurisdictions where SSAI operates or provides services.

Policy Statement

SSAI commits to:

  • Lawful, fair, and transparent processing; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
  • Implementing information security controls appropriate to risk, including encryption, access control, logging, vulnerability management, and secure AI workflows.
  • Obtaining explicit consent where required (e.g., marketing, special categories, child-safety-related assessments), with easy withdrawal mechanisms.
  • Respecting data subject rights (access, rectification, erasure, restriction, portability, objection) and responding within legal timelines.
  • Applying privacy-by-design/default in system development and AI features; conducting Data Protection Impact Assessments (DPIAs) when required.
  • Reporting personal data breaches to relevant authorities and affected individuals as required (e.g., GDPR within 72 hours; DPDP timelines as applicable).
  • Ensuring third-party processors meet equivalent security and privacy standards contractually (including cross-border safeguards such as SCCs/adequacy).
  • Continual improvement of the Information Security Management System (ISMS).

Part A: Governance

Roles and Responsibilities

  • Owner/CEO: Overall accountability for compliance and ISMS effectiveness.
  • System & Office Administrator: Maintains data processing records, oversees access administration, coordinates data subject requests, and supports incident/breach notifications and vendor due diligence.
  • Data Protection Officer (DPO): [Appoint/designate as needed; until then, CEO assumes role]. Oversees privacy audits, DPIAs, training, and compliance monitoring.
  • All Staff: Comply with this policy, security procedures, and report incidents immediately.
  • Third-Party Processors (e.g., hosting providers such as host.co.in, and partners such as Microlan): Bound by written agreements; meet ISO/IEC 27001–aligned controls; support audits, breach notifications, and data subject requests.

Policies and Standards Hierarchy

  • This Combined Information Security, Data Protection & Privacy Policy
  • ISMS Policies: Access Control, Cryptography, Asset Management, Supplier Management, Secure Development/AI Model Governance, Incident Response, Business Continuity/DR, Backup & Recovery, Logging & Monitoring, Acceptable Use
  • Privacy Standards: Lawful Bases, Consent, DPIA, Data Retention & Disposal, International Transfers, Cookie/Tracking, Children’s Data, Marketing Preferences
  • Procedures and Work Instructions supporting the above

Part B: Personal Data Management

Lawful Bases and Processing Purposes

  • Contract performance (e.g., certification processing, account provisioning)
  • Consent (e.g., marketing, special categories including child-safety-related assessments)
  • Legitimate interests (e.g., product improvement, service security) balanced with individual rights
  • Legal obligations (e.g., regulatory reporting)
  • For AI features, data may be used to improve models with appropriate safeguards, minimization, and opt-out where applicable.

Information We Collect

  • Directly provided: contact details (name, email, phone, address), institutional data (school name, location, safety assessments), billing details.
  • Automatically collected: IP address, device/browser data, usage logs, cookies/analytics.
  • Special/sensitive data: only where strictly necessary and with explicit consent (e.g., children-related safety inputs for certifications), subject to enhanced controls.

Data Subject Rights and Requests

  • Rights: access, rectification, erasure, restriction, portability, objection, consent withdrawal.
  • How to submit: info@school-safety.org
  • Timelines: within 30 days or applicable legal timeframe.
  • Verification: SSAI verifies identity before acting and maintains an audit trail of requests and responses.

Children’s Privacy

  • Collect only with verifiable parental/guardian consent or other lawful basis permitted by applicable law.
  • Use strictly for safety/certification purposes; apply heightened security and minimization.
  • Align with DPDP, GDPR, and COPPA (for US users as applicable).

Cookies and Tracking

  • Functional cookies for sessions; analytics cookies (e.g., Google Analytics) with user controls via a cookie banner and browser settings.
  • See Cookie Policy for categories, purposes, and retention.

Sharing, Disclosure, and International Transfers

  • Share on a need-to-know basis with service providers under data processing agreements (DPAs) ensuring GDPR/DPDP compliance and security controls.
  • Legal disclosures as required by authorities.
  • Publish anonymized/aggregated information (e.g., certified school directories) with user-configurable visibility where applicable.
  • Cross-border transfers use approved mechanisms (e.g., SCCs, adequacy, DPDP-compliant measures), with documented transfer risk assessments.

Data Retention and Disposal

  • Retain personal data only as long as necessary for the stated purposes and legal obligations.
  • Example: certification-related records retained per statutory and contractual requirements; certain operational records may be retained for up to 364 days unless longer retention is mandated.
  • Anonymized/aggregated data may be retained indefinitely.
  • Secure deletion and destruction procedures apply to paper and electronic media; disposal is logged.

Part C: Information Security Controls (ISO/IEC 27001:2022 aligned)

Asset Management

  • Maintain an information asset inventory (systems, datasets, media, applications).
  • Classify information (Public/Internal/Confidential/Restricted) and apply handling rules.

Access Control

  • Role-based access control (RBAC); least privilege and need-to-know.
  • Strong authentication, MFA for privileged roles.
  • Periodic access recertification; immediate revocation upon role changes/termination.

Cryptography

  • Encryption in transit (TLS 1.2+), encryption at rest for sensitive data.
  • Key management with restricted access and rotation; avoid hard-coded secrets; use secure vaults.

Secure Development and AI Governance

  • Secure SDLC with code reviews, dependency scanning, SAST/DAST.
  • Data minimization and pseudonymization where feasible for training and testing.
  • AI model governance: document data sources, purposes, evaluation, bias testing, human oversight, and opt-out paths where applicable.
  • Separate production and non-production environments; use de-identified data in non-prod.

Operations Security

  • Patch and vulnerability management with defined SLAs based on severity (e.g., Critical within 7 days).
  • Logging and monitoring of security events; time-synchronized logs retained per policy.
  • Backups with regular restore testing; defined RPO/RTO objectives.

Network and Infrastructure Security

  • Defense-in-depth with firewalls, WAF/IPS where applicable, network segmentation, and least-privilege service communications.
  • Hardening baselines; secure configuration and regular reviews.

Endpoint and Physical Security

  • Endpoint protection (EDR/AV), disk encryption, screen lock, and device control.
  • Physical controls for offices and data centers via vendors; visitor logs and restricted areas.

Supplier and Third-Party Management

  • Due diligence prior to onboarding; contractual clauses for confidentiality, security, breach notification, sub-processing, and audits.
  • Ongoing monitoring; high-risk vendors reviewed at least annually.

Incident and Breach Management

  • Incident response plan with roles, triage, containment, eradication, recovery, and post-incident review.
  • Personal data breach assessment and notification:
    • GDPR: notify supervisory authority within 72 hours where required, and affected individuals without undue delay when high risk.
    • DPDP: notify the Data Protection Board/Authority as applicable and affected individuals per statutory timelines.
  • Maintain an incident register and evidence preservation procedures.

Business Continuity and Disaster Recovery

  • BCP/DR plans aligned to critical services with tested failover/restoration.
  • Regular exercises; lessons learned feed continuous improvement.

Training and Awareness

  • Mandatory onboarding and annual training for all personnel on information security, privacy, phishing, and incident reporting.
  • Role-based training for engineers, data handlers, and executives.
  • Periodic simulated phishing and tabletop exercises.

Part D: Transparency and User Information

Privacy Notice Summary

  • What we collect: contact data, institutional and certification data, usage data, payment data via secure gateways, and sensitive data only with explicit consent.
  • Why we use it: deliver and improve services, ensure security and compliance, communicate with users, perform analytics (preferably anonymized).
  • Sharing: with contracted service providers and as required by law; no data selling.
  • Rights & Contact: submit requests to info@school-safety.org (until otherwise designated).
  • Cookies: controlled via banner and browser settings.
  • International transfers: protected via SCCs/adequacy/DPDP-compliant measures.

Full Privacy Policy: provided on our website and SaaS platform and reflects the contents of this document.

Part E: Contact, Review, and Changes

Contact Us

Email: info@school-safety.org
WhatsApp: (+91)-8425906626
Address: Suite #58, Arihant Industrial Premises,
Off Link Road, Goregaon (West), Mumbai - 400104, Maharashtra, India.

Review Cycle

  • This policy is reviewed annually or upon significant changes in processing, technology, services, or legal requirements.
  • Last reviewed: August 1, 2025.

Changes to This Policy

  • Updates will be posted with effective dates.
  • Material changes may be communicated via email or in-product notifications.
  • Continued use of Services constitutes acceptance.

Appendix: Practical Controls and Notices

  • Records of Processing Activities (RoPA): maintained and reviewed annually; includes lawful basis, categories, recipients, retention, and transfer safeguards.
  • DPIA triggers: new AI features, children’s data processing, large-scale monitoring, or high-risk processing; mitigation documented and approved by DPO/CEO.
  • Consent management: documented, granular (e.g., marketing vs. analytics), easy withdrawal via account settings or email link.
  • Data portability format: commonly used, machine-readable (e.g., JSON/CSV), secure delivery.
  • Data deletion: documented timelines; secure wipe with verification; backups aged out per retention.
  • Breach playbooks: include communication templates, notification criteria per GDPR/DPDP, and post-mortem steps.
  • International transfers register: records destinations, mechanisms (SCCs/adequacy), and transfer risk assessments.
  • Vendor list and subprocessors: maintained and made available upon request or published with change notifications.