Koydo Breach Protocol
Effective Date: June 1, 2026
Last Updated: June 1, 2026
This protocol describes how Koydo handles confirmed or suspected security incidents affecting personal data, education records, child-directed learning records, or institution-managed accounts.
Plain-language summary
This section covers the Koydo breach protocol.
Detection and Triage
Koydo reviews suspected incidents for scope, affected systems, data categories, user impact, child-safety impact, and institutional obligations. Incidents involving children, school records, parent accounts, payments, authentication, or AI learning logs receive elevated review.
Plain-language summary
Koydo reviews suspected incidents for scope, affected systems, data categories, user impact, child-safety impact, and institutional obligations.
Containment
When an incident is confirmed or reasonably suspected, Koydo prioritizes containment, credential rotation, access review, affected-service isolation, logging preservation, and restoration of trusted service behavior.
Plain-language summary
When an incident is confirmed or reasonably suspected, Koydo prioritizes containment, credential rotation, access review, affected-service isolation, logging preservation, and restoration of trusted service behavior.
Notice Timing
For school-managed education records, Koydo notifies the school in writing without undue delay and in any case within 72 hours of confirming a Personal Data Breach affecting those records, consistent with the FERPA Notice and Data Processing Agreement. For other affected users, Koydo provides notices required by applicable law and contract, using practical channels such as email, account notices, school administrator notices, or parent/guardian communications.
Plain-language summary
This section covers notice timing.
Notice Content
When available and appropriate, breach notices describe the affected data categories, approximate number of affected users or records, likely consequences, containment measures, recommended user actions, and contact information for follow-up.
Plain-language summary
This section covers notice content.
Learning and AI Data
If an incident touches adaptive-learning records, AI tutor logs, assessment history, parent summaries, or school reporting data, Koydo evaluates the incident for privacy, child-safety, education-record, and model-governance implications before closing the review.
Plain-language summary
This section explains the categories of information involved and keeps the description focused on what users need to understand.
Contact
Security or breach questions can be sent to security@koydo.app or legal@koydo.app.
Plain-language summary
Use the listed contact path for privacy, legal, accessibility, or account-rights requests.