College Essay Guy (CEG) Digital Security & Payment Security Policy

(Aligned with K–12 School District DPA Standards, COPPA & FERPA; complements PCI DSS Policy)

Purpose

To ensure that all student, parent, and counselor data collected, stored, or processed by College Essay Guy (CEG) is handled in compliance with applicable federal, state, and local data-privacy regulations—including the Family Educational Rights and Privacy Act (FERPA), Children’s Online Privacy Protection Act (COPPA), and state-specific Student Data Privacy Acts.

This policy extends CEG’s PCI DSS commitment to cover all personally identifiable information (PII) collected through educational services.

Scope

We take protecting student, family, and counselor information seriously. This page explains—at a high level—how we safeguard information when you use our websites, services, and learning platforms. For details on what we collect and how we use it, please see our Privacy Policy.

This policy applies to all systems, tools, and environments where CEG processes, transmits, or stores PII related to students, parents, or educators, including but not limited to:

  • Customer Relationship Management (CRM)
  • Learning and content delivery systems
  • Cloud storage and shared drives (Google Drive, Shared Drives)
  • Payment processors
  • Communication systems

Protecting your Information

We use a combination of administrative, technical, and physical safeguards designed to reduce the risk of unauthorized access, disclosure, alteration, or misuse, including:

  • Access controls & least privilege: Only team members who need information to support you can access it.
  • Secure account practices: We use strong authentication practices (including multi-factor authentication where appropriate) and require strong passwords for internal systems.
  • Secure storage: We limit local storage of sensitive data and use approved, access-controlled systems.
  • Ongoing maintenance: We keep systems and software updated to address known security vulnerabilities.
  • Team awareness: Our team follows security best practices to reduce risks like phishing and account compromise.

Payment Security & PCI Precautions

When you pay for our services, payments are processed through trusted third-party payment providers. **We do not store full credit card numbers.** We take precautions aligned with **PCI DSS** best practices to help protect payment information, including:

  • Using third-party providers that maintain PCI DSS compliance for payment processing
  • Performing due diligence and ongoing monitoring for vendors involved in payment workflows

How to Keep your Account Secure

  • Use a unique, strong password and don’t share login credentials.
  • Be cautious with unexpected emails or messages requesting passwords, payments, or sensitive information.
  • Avoid logging into sensitive accounts on unsecured public Wi-Fi whenever possible.

Data Security & Access Controls

  • Access to software is controlled through role-based permissions (least privilege).
  • Multi-factor authentication (MFA) is required for all staff with access to student data.
  • Vendor systems must maintain current SOC 2 Type II, PCI DSS, or equivalent certifications.

Data Sharing & Third-Party Vendors

  • Third-party service providers (TPSPs) may access limited data strictly for operational support and are bound by written agreements that prohibit data resale or unauthorized use.
  • All TPSPs are reviewed annually for privacy, security, and compliance alignment.
  • A full list of approved vendors is maintained in CEG’s Vendor Risk Register.

Breach Notification

  • In the event of a confirmed data incident affecting student, parent, or educator data, CEG will notify the affected district or family within 48 hours of confirmation.
  • Notifications include the scope, nature, mitigation steps, and points of contact for further information.

Auditing & Verification

  • The Operations Department conducts quarterly audits of data retention and access logs across CRM, cloud storage, and communication systems.
  • Annual privacy-compliance reviews are logged in the CEG Data Governance Register.
  • Verification records are stored securely in Google Drive for at least 12 months.

Privacy Rights & Requests

  • Parents, guardians, and eligible students may request access, correction, or deletion of their data by contacting [email protected].
  • Requests are verified and fulfilled within 45 days unless a shorter period is required by contract or law.

Documentation & Storage

  • All policies, deletion logs, and audit reports are stored in the secure Data Privacy & Compliance Shared Drive.
  • Documents are retained for 12 months beyond their effective date to demonstrate ongoing compliance.

Questions or Concerns

If you believe your account or information may be at risk, contact us as soon as possible at [email protected].