Official Security Document
Authoritative reference for all security and data protection practices.
1. Security Purpose & Principles
1.1 Purpose
This document defines how Elevate For Humanity protects user data, maintains system security, and responds to security events. It applies to all platform components: main website, LMS, Store, and Supersonic Fast Cash.
1.2 Security Principles
- Least Privilege: Users and systems receive minimum access required for their function
- Defense in Depth: Multiple security layers protect against single points of failure
- Data Minimization: We collect only data necessary for stated purposes
- Transparency: Users can understand what data we hold and why
- Accountability: All data access is logged and auditable
2. Data Collected
2.1 By Platform Component
- Main Website: Contact information, application data, eligibility responses, communication preferences
- LMS: Account credentials, course progress, assessment results, certificates, attendance records
- Store: Billing address, order history, payment method tokens (not full card numbers)
- Supersonic Fast Cash: Tax documents, SSN (encrypted), income information, bank account details for refunds
2.2 Sensitive Data Classification
| Data Type | Classification | Protection Level |
|---|---|---|
| SSN | Highly Sensitive | Encrypted at rest, masked in UI |
| Payment Data | Highly Sensitive | PCI-compliant tokenization via Stripe |
| Tax Documents | Sensitive | Encrypted storage, access logging |
| Academic Records | Protected | Role-based access, FERPA compliance |
| Contact Info | Standard | Standard encryption, access controls |
3. Data Storage & Encryption
3.1 Infrastructure
- Database: Supabase (PostgreSQL) with encryption at rest (AES-256)
- File Storage: Supabase Storage with server-side encryption
- Application Hosting: Netlify with automatic HTTPS
- Payment Processing: Stripe (PCI DSS Level 1 certified)
3.2 Encryption Standards
- In Transit: TLS 1.3 for all connections
- At Rest: AES-256 encryption for all stored data
- Passwords: bcrypt hashing with salt (never stored in plain text)
- Sensitive Fields: Application-level encryption for SSN, tax data
4. Access Controls
4.1 Authentication
- Email/password authentication with secure session management
- Optional two-factor authentication (2FA) for all users
- Required 2FA for Admin and Super Admin roles
- Session timeout after 24 hours of inactivity
4.2 Authorization
- Role-based access control (RBAC) enforced at database level
- Row-level security (RLS) policies on all tables
- API endpoints validate user permissions before data access
- Administrative actions require explicit role verification
4.3 Audit Logging
All access to sensitive data is logged with: user ID, timestamp, action performed, data accessed, IP address. Logs are retained for 7 years and reviewed monthly.
5. Data Retention & Deletion
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Account Data | Duration of account + 3 years | Anonymization or deletion |
| Academic Records | 7 years after completion | Secure deletion |
| Tax Documents | 7 years (IRS requirement) | Secure deletion |
| Payment Records | 7 years (financial compliance) | Secure deletion |
| Audit Logs | 7 years | Secure deletion |
5.1 Deletion Requests
Users may request data deletion through our contact form. Requests are processed within 30 days. Some data may be retained for legal compliance (tax records, financial transactions).
6. Incident Response
6.1 Response Process
- Detection: Automated monitoring and user reports
- Containment: Isolate affected systems within 1 hour
- Assessment: Determine scope and impact within 4 hours
- Notification: Notify affected users within 72 hours if required
- Remediation: Fix vulnerability and restore services
- Review: Post-incident analysis and documentation
6.2 Breach Notification
If a data breach affects personal information, we will notify affected users within 72 hours, notify relevant regulators as required, and provide clear information about what data was affected and recommended actions.
7. User Responsibilities
- Use strong, unique passwords (minimum 8 characters)
- Enable two-factor authentication when available
- Do not share account credentials
- Report suspicious activity immediately
- Log out from shared devices
- Keep contact information current for security notifications
8. Contact & Reporting
Security Issues: our contact form
Privacy Requests: our contact form
Data Protection Officer: our contact form
Phone: 317-314-3757
9. Versioning & Review
| Version | Date | Changes |
|---|---|---|
| 1.0 | January 2025 | Initial authoritative version |
Review Schedule: Annually, or upon significant security events or regulatory changes.