Information Security Policy
Document ID: RU-ISP-2026-001 — Version: 0.1 — Date: 2026-05-17
This Written Children's Personal Information Security Program (“ISP” or “Program”) is established by Phareon LLC (“Company,” “we,” “us”) in satisfaction of the requirement under 16 CFR 312.8(b) that operators of websites or online services directed to children, or operators with actual knowledge they collect personal information from children under 13, maintain a written program reasonably designed to protect the security, confidentiality, and integrity of children's personal information.
1. Purpose, Scope, and Applicability
1.1 Purpose. This ISP documents the administrative, technical, and physical safeguards the Company applies to all personal information collected from or about users of the CollegeRoster platform who are (or may be) under the age of 13.
1.2 Scope. This Program covers all personal information collected, processed, stored, or transmitted by CollegeRoster infrastructure, including user account data, athlete profile data, parental consent records, media files, audit log records, and communication data. It covers all systems: Next.js on Vercel, Supabase (PostgreSQL + RLS), Cloudflare R2, Bunny Stream CDN, Supabase Auth, Resend, Stripe, and Tavily.
1.3 Regulatory Foundation. Statutory authority: 16 CFR 312.8(b) (COPPA 2025 amendments, compliance deadline April 22, 2026).
2. Definitions
Children's Personal Information: Any information collected online from a child under 13, including name, address, online contact information, screen name, telephone number, Social Security number, persistent identifier (including the users.id UUID), photograph, audio or video file, geolocation data, or any information combined with the foregoing that enables identification of a specific child. 16 CFR 312.2.
Minor Athlete: A user of CollegeRoster with role = ‘athlete’ and is_minor = true (is_minor is computed from date_of_birth by a database trigger).
3. Designated Security Coordinator (16 CFR 312.8(b)(1))
Designated Coordinator: Jon Harris
Title: Founder / Operator, Phareon LLC
Contact: privacy@collegeroster.org
Reports to: Conductor (Jon Harris, Founder, Phareon LLC)
The Designated Coordinator is responsible for owning and maintaining this ISP, conducting annual risk assessments, approving security control changes, receiving and triaging security incident reports, and managing the vendor review process.
4. Data Inventory — Children's Personal Information (16 CFR 312.8(b)(2))
| Category | Data Elements | System Location | Sensitivity |
|---|---|---|---|
| Identity | users.id (UUID), name, email, date_of_birth, is_minor flag, role | Supabase users table | HIGH |
| Athlete Profile | first_name, last_name, primary_sport, height, weight, GPA, test scores | Supabase athlete_profiles table | HIGH |
| Parental Consent | consent_status, consent_granted_at, vpc_method, ip_address, user_agent | Supabase parental_consents / consent_records | CRITICAL |
| Media Files | Video highlights, photos, transcripts — bunny_video_id, r2_key_raw | Supabase media_files + Cloudflare R2 + Bunny Stream | HIGH |
| Authentication | Hashed passwords, session tokens, email verification state | Supabase Auth | HIGH |
| Communications | Email addresses, notification preferences, outreach message content | Supabase + Resend | MEDIUM |
| Audit / Forensic | audit_log rows referencing minor user_ids, cleanup_audit_log rows | Supabase audit_log, cleanup_audit_log | HIGH |
5. Risk Assessment Methodology (16 CFR 312.8(b)(2))
Full annual risk assessments are conducted, with change-driven assessments triggered by: new data categories or processing purposes, new sub-processors, material architecture changes, security incidents, or material changes in applicable law. Risks are scored on Likelihood (1–5) × Impact (1–5). Risks with residual score 15 or above require documented remediation plans; scores 20 or above trigger immediate escalation.
6. Administrative Controls (16 CFR 312.8(b)(3))
6.1 Security Awareness Training. All personnel with access to systems processing children's personal information complete annual security awareness training covering phishing recognition, credential hygiene, data handling obligations, and incident reporting. The training is delivered as an internal written security program document that every person with system access reviews and acknowledges each year.
6.2 Access Control. The principle of least privilege applies to all personnel. The Supabase service_role key is never exposed in client-side code. Quarterly access reviews confirm that all administrative access is current. Offboarding revokes access within 24 hours and rotates service_role keys within 72 hours. A background check policy is under review. Currently, access is controlled via the principle of least privilege and the role-based access controls enumerated in §5.
6.3 Change Management. All database schema changes are implemented via versioned migration files committed to version control and peer-reviewed before deployment. Migrations affecting children's personal information require Coordinator and legal review.
7. Technical Controls (16 CFR 312.8(b)(3))
7.1 Encryption. All data in transit is encrypted using TLS 1.2 minimum. Data at rest is encrypted using AES-256 at the storage layer (Supabase, Cloudflare R2, Bunny Stream). Cryptographic keys are stored exclusively in Vercel environment secrets and are never committed to source control.
7.2 Authentication and Authorization. User authentication is managed by Supabase Auth. MFA is required for administrative platform access. PostgreSQL Row Level Security policies enforce data isolation at the database layer. The Supabase service_role key is used exclusively for server-side administrative operations.
7.3 Audit Logging. The audit_log table records all material security events. The cleanup_audit_log table records per-row forensic details of media hard-deletion events. Audit log records are retained for 1 year from the date of the event, after which they are permanently deleted. Audit logs are immutable: no UPDATE or DELETE RLS policies exist on audit_log or cleanup_audit_log.
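The append-only property described in 7.3 can be expressed as a migration. The following is an added illustration, not a CollegeRoster migration: it assumes a minimal audit_log shape (id, actor_id, event_type, payload, created_at; the real table's columns are not given in this Program) and uses Supabase's auth.uid() helper. With RLS enabled, an operation for which no policy exists matches no rows and is therefore refused, so the absence of UPDATE and DELETE policies is itself the control; the trigger at the end adds a second layer for roles that bypass RLS (the table owner, or Supabase's service_role).

```sql
-- Added example (not CollegeRoster's own migration): an append-only audit_log.
-- Assumed columns; the Program does not list the real table definition.
create table if not exists public.audit_log (
  id          bigint generated always as identity primary key,
  actor_id    uuid,                              -- assumed: references users.id
  event_type  text        not null,
  payload     jsonb       not null default '{}'::jsonb,
  created_at  timestamptz not null default now()
);

-- Enable RLS and apply it to the table owner too, so a schema-owning role
-- cannot quietly sidestep the policies below.
alter table public.audit_log enable row level security;
alter table public.audit_log force  row level security;

-- Grant only what the policies will allow; never grant UPDATE or DELETE.
revoke all on public.audit_log from anon, authenticated;
grant insert, select on public.audit_log to authenticated;

-- INSERT: an authenticated user may append rows attributed to themselves.
create policy audit_log_insert on public.audit_log
  for insert to authenticated
  with check (actor_id = auth.uid());

-- SELECT: a user may read only the rows they generated.
create policy audit_log_select_own on public.audit_log
  for select to authenticated
  using (actor_id = auth.uid());

-- Deliberately no "for update" or "for delete" policy. With RLS forced,
-- those statements affect zero rows even if a GRANT were added later.

-- Second layer: a trigger that rejects UPDATE/DELETE for every role,
-- including roles with BYPASSRLS such as service_role.
create or replace function public.audit_log_immutable()
returns trigger
language plpgsql
as $$
begin
  raise exception 'audit_log is append-only: % is not permitted', tg_op;
end
$$;

create trigger audit_log_no_update_delete
  before update or delete on public.audit_log
  for each row execute function public.audit_log_immutable();
```

A periodic check that these controls are still in place (no policy on pg_policies for audit_log with cmd UPDATE or DELETE, and the trigger still enabled in pg_trigger) fits naturally into the quarterly access review in 6.2.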
7.5 Endpoint Protection. Personnel accessing production credentials must use devices with full-disk encryption, OS security updates within 30 days of release, and screen lock after 5 minutes. Production credentials are not permitted in local .env files. All production secrets are stored in Vercel environment variables for the production environment only.
8. Physical Controls
CollegeRoster operates exclusively on managed cloud infrastructure. Physical security controls are inherited from Supabase (SOC 2 Type II), Vercel (SOC 2 Type II), Cloudflare (SOC 2 Type II), and Bunny Stream.
9. Vendor and Sub-Processor Management (16 CFR 312.8(b)(6))
9.1 Requirement. Before sharing children's personal information with any service provider, the operator must obtain written confirmation that the service provider maintains reasonable security measures (16 CFR 312.8(b)(6)).
9.2 Current Sub-Processor Registry. DPA status for Bunny Stream and Resend is pending execution — tracked in issue #305. This is a blocking pre-launch requirement under 16 CFR 312.8(b)(6).
| Sub-Processor | Children's PI Shared? | Security Standard | DPA Status |
|---|---|---|---|
| Supabase | YES (all categories) | SOC 2 Type II | Confirm executed |
| Vercel | YES (transient in flight) | SOC 2 Type II | Confirm reviewed |
| Cloudflare R2 | YES (media files) | SOC 2 Type II, ISO 27001 | Confirm executed |
| Bunny Stream | YES (video content) | Attestation required | BLOCKING — must confirm |
| Stripe | NO (payment data only) | PCI DSS Level 1, SOC 2 | Stripe standard DPA |
| Resend | YES (email addresses) | Attestation required | BLOCKING — must confirm |
10. Data Minimization for Minor Athletes
CollegeRoster collects date of birth solely to compute the is_minor flag. Athlete physical data and academic data are optional. No behavioral advertising profiles are created for any user, minor or adult. Minor athlete profiles are not visible to coaches without active Consent A (data collection) and Consent B (coach visibility) from a verified parent.
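The consent gate in Section 10 (a coach can see a minor athlete's profile only when both Consent A and Consent B are active) is the kind of rule that belongs in a Row Level Security policy rather than in application code. The block below is an added example, not CollegeRoster's own schema or policy. It assumes users(id, role, is_minor), athlete_profiles(user_id) and consent_records(athlete_user_id, consent_type, consent_status), where consent_type 'A' means data collection and 'B' means coach visibility; those column names and values are assumptions, since the Program names the tables but not their columns. The helper fails closed: a user whose is_minor flag is NULL is treated as a minor, and an athlete row that cannot be found yields no access.

```sql
-- Added example (not CollegeRoster's own code): consent-gated coach visibility.
-- Assumed tables/columns are noted inline.

-- Returns true when a coach may view the given athlete's profile.
-- SECURITY DEFINER lets the policy consult users/consent_records even if those
-- tables are themselves locked down for coaches; search_path is pinned so the
-- function cannot be redirected to a look-alike table.
create or replace function public.coach_may_view(p_athlete uuid)
returns boolean
language sql
stable
security definer
set search_path = public
as $$
  select
    -- adult athletes: no consent gate (fail closed if is_minor is unknown)
    (not coalesce(u.is_minor, true))
    or
    -- minor athletes: Consent A AND Consent B must both be active
    (
      exists (select 1 from consent_records c          -- assumed table/columns
               where c.athlete_user_id = u.id
                 and c.consent_type   = 'A'            -- assumed: data collection
                 and c.consent_status = 'active')
      and
      exists (select 1 from consent_records c
               where c.athlete_user_id = u.id
                 and c.consent_type   = 'B'            -- assumed: coach visibility
                 and c.consent_status = 'active')
    )
  from users u
  where u.id = p_athlete;                              -- no row => NULL => denied
$$;

-- Only authenticated users should be able to call the helper.
revoke execute on function public.coach_may_view(uuid) from public, anon;
grant  execute on function public.coach_may_view(uuid) to authenticated;

alter table public.athlete_profiles enable row level security;

-- Athletes always see their own profile.
create policy athlete_profiles_self on public.athlete_profiles
  for select to authenticated
  using (user_id = auth.uid());

-- Coaches see a profile only when the consent gate passes.
create policy athlete_profiles_coach on public.athlete_profiles
  for select to authenticated
  using (
    exists (select 1 from users me
             where me.id = auth.uid() and me.role = 'coach')
    and public.coach_may_view(user_id)
  );
```

Because the rule is evaluated on every read at the database layer, revoking either consent (setting consent_status to anything other than 'active') removes coach visibility immediately, without depending on application-side caching or a deploy.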
11. Incident Response (16 CFR 312.8(b)(4))
| Tier | Description | Response SLA |
|---|---|---|
| Tier 1 — Critical | Active breach of children's personal information confirmed or highly probable | Containment within 1 hour; Conductor notification within 1 hour; outside counsel within 2 hours |
| Tier 2 — High | Suspected breach or confirmed vulnerability | Containment within 4 hours; Conductor notification within 2 hours |
| Tier 3 — Medium | Indirect or limited impact on children's PI | Investigation within 24 hours; Coordinator notified within 4 hours |
12. Monitoring, Testing, and Audit (16 CFR 312.8(b)(4))
The Company performs quarterly vulnerability scans, annual penetration testing by an independent third party, and continuous audit log monitoring for anomalous patterns. Natasha SR (adversarial security review) gates all material code changes.
A third-party penetration test is planned prior to public launch. Vendor selection is pending. Results will be remediated before launch.
SOC 2 Type II audit is targeted for 12 months post-public launch, contingent on revenue milestone.
Phareon LLC is evaluating membership in the kidSAFE SEAL Program as the designated COPPA Safe Harbor program. Application is planned before public launch.
13. Training Program (16 CFR 312.8(b)(5))
All personnel with access to CollegeRoster systems complete annual security awareness training. Personnel with direct database access complete COPPA-specific supplemental training covering children's personal information definitions, consent requirements, deletion obligations, and breach reporting timelines. Training records are retained for three years.
14. Annual Program Review (16 CFR 312.8(b)(5))
This ISP is reviewed and updated at minimum annually by the Designated Coordinator. Reviews confirm: data inventory accuracy, risk assessment refresh, all controls are operative, vendor register is current, and training records are current.
16. Version History
| Version | Date | Summary |
|---|---|---|
| 0.1 DRAFT | 2026-05-17 | Initial draft — Conductor + outside counsel review required before legal effectiveness |
This Program is not legally effective until approved and signed by the Conductor and outside counsel. Phareon LLC is a Tennessee limited liability company.