Legal & Compliance

Security & Data Protection Statement

How Elevate for Humanity collects, protects, and handles participant, employer, and partner data. Effective January 1, 2025.

Last reviewed: May 2025 · Next review: November 2025

Our Commitment

Elevate for Humanity is committed to protecting the privacy and security of all participant, employer, and partner data. As an ETPL-listed workforce training provider operating under WIOA, FERPA, and Indiana state law, we are legally and ethically obligated to handle personal information with care, transparency, and accountability.

This statement describes how we collect, use, store, protect, and share data — and what rights you have over your information.

Data We Collect

We collect only the data necessary to deliver training services, process funding, and meet regulatory reporting requirements.

Participant data includes:

  • Name, date of birth, contact information
  • Social Security Number (required for WIOA ITA processing and credential issuance)
  • Employment history, education level, and household income (for funding eligibility)
  • Training enrollment, attendance, and assessment records
  • Credential and certification records

Employer and partner data includes:

  • Business name, EIN, and contact information
  • Job postings, hiring records, and OJT agreements
  • WOTC certification documentation

Platform usage data includes:

  • Login activity, course progress, and assessment scores
  • Device type and browser (for technical support purposes only)

How We Protect Your Data

Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Database credentials and API keys are stored in environment-isolated secret stores and never exposed in application code.

Access controls: Role-based access control (RBAC) limits data access to staff with a legitimate need. Participant records are accessible only to the participant, their assigned case manager, and authorized administrators.

Authentication: Multi-factor authentication (MFA) is required for all staff accounts. Participant accounts use secure password hashing (bcrypt) and optional MFA.

Infrastructure: Our platform is hosted on Supabase (SOC 2 Type II certified) and Netlify (SOC 2 Type II certified). No participant data is stored on local servers or personal devices.

Audit logging: All access to sensitive records is logged with timestamp, user ID, and action type. Logs are retained for a minimum of 3 years.

Data Retention

We retain participant records for the minimum period required by applicable law and funding regulations:

  • WIOA participant records: 3 years after the program year closes (per 2 CFR § 200.334)
  • FERPA education records: Until the participant requests deletion or 5 years after last enrollment, whichever is later
  • Financial and billing records: 7 years (IRS requirement)
  • Credential records: Indefinitely, as these may be needed for employment verification

After the applicable retention period, records are securely deleted or anonymized. You may request early deletion of non-regulated records by contacting us.

Your Rights

As a participant, employer, or partner, you have the following rights regarding your data:

Right to access: You may request a copy of the personal data we hold about you at any time.

Right to correction: You may request correction of inaccurate or incomplete records.

Right to deletion: You may request deletion of non-regulated personal data. Note that records required by WIOA, FERPA, or IRS regulations cannot be deleted before the applicable retention period expires.

Right to restrict processing: You may request that we limit how we use your data in certain circumstances.

FERPA rights: Students and eligible parents have the right to inspect and review education records, request amendments, and consent to disclosures as provided under FERPA.

To exercise any of these rights, contact our Data Protection Officer at the address below.

Data Breach Response

In the event of a data breach affecting personal information, Elevate for Humanity will:

  1. Contain the breach and assess the scope within 24 hours of discovery
  2. Notify affected individuals within 72 hours as required by Indiana IC 24-4.9
  3. Notify relevant regulatory agencies (Indiana DWD, U.S. DOL) as required by funding agreements
  4. Provide affected individuals with information about the breach, what data was involved, and steps they can take to protect themselves
  5. Conduct a post-incident review and implement corrective measures

We maintain an incident response plan that is reviewed annually.

Third-Party Data Sharing

We share participant data only as necessary and only with parties who have agreed to appropriate data protection terms:

  • Funding agencies: Indiana DWD, U.S. DOL (required for WIOA reporting)
  • Credentialing bodies: NHA, ACT, Certiport, EPA, OSHA (for credential issuance and verification)
  • Payment processors: Stripe (for tuition payments — PCI DSS compliant)
  • Platform infrastructure: Supabase, Netlify (SOC 2 Type II certified)

We do not sell, rent, or trade personal data to any third party for marketing or commercial purposes.

Contact Our Data Protection Officer

For data access requests, corrections, deletions, or questions about this statement, contact:

Elizabeth Greene — Data Protection Officer

Elevate for Humanity

Indianapolis, Indiana

Email: privacy@elevateforhumanity.org