TSI National — Enterprise-Grade Security & Data-Protection Policy
Version 1.1 – January 1, 2024 | Reviewed June 30, 2025
Supersedes all prior versions (archived for 7 years).
Governing Law & Venue: State of Texas; exclusive venue in Travis County, TX.
This policy applies to every learner, instructor, client organization, and third-party integrator that accesses any TSI National (“TSI,” “we,” “our”) website, learning portal, API, or related service. Continued use constitutes acceptance.
1 Scope & Zero-Tolerance Enforcement
TSI safeguards all personally identifiable information (“PII”) and confidential training data. Any unauthorized access, credential sharing, impersonation, scraping, or misuse triggers immediate, permanent termination of system privileges and may be reported to law enforcement. No reinstatement, no grace period.
2 “Commercially Reasonable” Compliance Framework
We implement commercially reasonable controls aligned to—at a minimum—the following U.S. laws and frameworks:
• Gramm-Leach-Bliley Act (GLBA) Safeguards Rule
• California CPRA, Virginia CDPA, Colorado Privacy Act, Utah UCPA, Texas & Florida privacy statutes, or successor legislation
• PCI-DSS (payment data); currently met via PayPal Commerce Platform tokenization—future providers will meet or exceed this standard
• FERPA-analog expectations for educational records
• NIST SP 800-53 r5 & SOC 2 Type II control families
Where no written contract exists, this policy governs confidentiality, security, and acceptable use. Disclaimer: While we employ industry-standard safeguards, no system can guarantee absolute security. TSI’s liability is limited as described in Section 13.
3 Data Collection, Minimization & Five-Year Retention
| Data Element | Purpose | Encryption | Retention Limit* |
|---|---|---|---|
| Name, Email, Phone | Account, support | AES-256 | Up to 5 years after last activity or verified deletion request |
| DOB, SSN (last 4) | State identity verification | AES-256 (field-level) | Purged ≤ 30 days, subject to state DOI-mandated recordkeeping |
| Assessment Scores | Progress analytics | AES-256 | 5 years (regulatory) |
| Payment Tokens | Tuition/materials | Tokenized by PayPal (PCI Level 1) | Token only; no raw card data stored |
Records needed to meet legal/regulatory obligations may be retained longer.
4 Encryption & Infrastructure Hardening
• In Transit: TLS 1.3, HSTS, forward secrecy
• At Rest: AES-256-GCM with AWS KMS (customer-managed keys), quarterly rotation
• Network: Segmented VPC, AWS WAF, real-time DDoS mitigation
• Code: Static & Software Composition Analysis (SAST/SCA), signed commits, four-eyes review, CI/CD pipeline
5 Identity & Access Control
| Role | MFA Method | Privilege | Monitoring |
|---|---|---|---|
| Sys-Admin | Hardware key + TOTP | Full | Daily audit |
| Global Client Manager | Hardware key or Auth-App 2FA | Read-only dashboards, uploads | Continuous SIEM |
| Instructor | Auth-App 2FA | Grade entry | Immutable log |
| Student | Password (+ optional 2FA) | Course materials | Login anomaly alerts |
| Prohibited | Shared / impersonated | — | Auto-lock & incident record |
Sessions auto-expire after 3 hours of inactivity.
6 Continuous Monitoring & Audit
100% of events are logged to S3 with Object Lock (append-only) and retained for 5 years.
The SIEM flags geo-velocity anomalies, mass export, and role escalation; critical alerts are triaged within 1 hour, non-critical alerts within 4 hours.
Annual external penetration tests; annual SOC 2 surveillance.
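Section 6 names three SIEM signals (geo-velocity, mass export, role escalation) and two triage deadlines but does not show how such rules look in practice. The following Python is an added example, not TSI's code and not part of this policy: it runs the three rules over a handful of constructed log events and stamps each alert with the Section 6 triage deadline. The thresholds (900 km/h, more than 3 exports in 10 minutes), the role ranking, the field names and the sample users and coordinates are all assumptions chosen for illustration.

```python
"""Added example (not TSI's code): a SIEM-style detector for the three signals
named in Section 6 (geo-velocity, mass export, role escalation), run over
constructed log events. Thresholds, field names and sample events are
assumptions chosen for illustration; the triage SLAs mirror the policy text."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Assumed detection thresholds (hypothetical; tune to the real environment).
MAX_PLAUSIBLE_SPEED_KMH = 900.0       # faster than a commercial flight = impossible travel
EXPORT_WINDOW = timedelta(minutes=10)
EXPORT_LIMIT = 3                       # more exports than this inside the window = mass export
ROLE_RANK = {"student": 0, "instructor": 1, "client_manager": 2, "sys_admin": 3}
# Triage deadlines from Section 6: critical within 1 hour, non-critical within 4 hours.
TRIAGE_SLA = {"critical": timedelta(hours=1), "non-critical": timedelta(hours=4)}


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    severity: str
    detail: str
    observed_at: datetime

    @property
    def triage_deadline(self) -> datetime:
        """When the SOC must have triaged this alert under the Section 6 SLA."""
        return self.observed_at + TRIAGE_SLA[self.severity]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect(events):
    """Run the three rules over time-ordered events and return the alerts raised."""
    alerts = []
    last_login = {}                    # user -> most recent login event
    exports = defaultdict(list)        # user -> export timestamps inside the window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user, kind = e["user"], e["event"]
        if kind == "login":
            prev = last_login.get(user)
            if prev is not None:
                km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
                hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
                # Impossible travel: the implied speed exceeds anything plausible.
                if hours > 0 and km / hours > MAX_PLAUSIBLE_SPEED_KMH:
                    alerts.append(Alert("geo-velocity", user, "critical",
                                        f"{km:.0f} km in {hours:.2f} h", e["ts"]))
            last_login[user] = e
        elif kind == "export":
            recent = [t for t in exports[user] if e["ts"] - t <= EXPORT_WINDOW]
            recent.append(e["ts"])
            exports[user] = recent
            # Fire once, on the event that first crosses the limit.
            if len(recent) == EXPORT_LIMIT + 1:
                alerts.append(Alert("mass-export", user, "non-critical",
                                    f"{len(recent)} exports within {EXPORT_WINDOW}", e["ts"]))
        elif kind == "role_change":
            # Any move to a higher-privilege role is flagged; demotions are not.
            if ROLE_RANK[e["new_role"]] > ROLE_RANK[e["old_role"]]:
                alerts.append(Alert("role-escalation", user, "critical",
                                    f'{e["old_role"]} -> {e["new_role"]}', e["ts"]))
    return alerts


def _at(minutes):
    # Constructed timestamps relative to an arbitrary base time.
    return datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc) + timedelta(minutes=minutes)


# Constructed sample events (hypothetical users and coordinates).
SAMPLE_EVENTS = [
    {"ts": _at(0),  "event": "login", "user": "alice", "lat": 30.267, "lon": -97.743},  # Austin
    {"ts": _at(30), "event": "login", "user": "alice", "lat": 50.110, "lon": 8.682},    # Frankfurt, 30 min later
    *[{"ts": _at(40 + i), "event": "export", "user": "bob"} for i in range(4)],
    {"ts": _at(50), "event": "role_change", "user": "carol", "old_role": "student", "new_role": "instructor"},
    {"ts": _at(55), "event": "role_change", "user": "dave", "old_role": "instructor", "new_role": "student"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule} user={a.user} {a.detail} triage by {a.triage_deadline:%H:%M}Z")
```

Run as-is to see three alerts: the Austin-to-Frankfurt login pair implies roughly 17,000 km/h and fires geo-velocity; bob's fourth export inside ten minutes fires mass-export; carol's promotion fires role-escalation, while dave's demotion is silent. Severity is assigned per rule here so that the deadline computed by `triage_deadline` is the one the policy commits to; a real deployment would feed that deadline into the ticketing queue rather than print it.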
7 Incident Response & Breach Notification
• Contain automatically (token revocation, IP block)
• Forensics and scope analysis
• Notify affected parties as soon as reasonably practicable and always within applicable statutory deadlines (never later than 72 hours for confirmed PII exposure)
• Provide a remediation plan and credit monitoring where required
• Publish a root-cause summary (non-exploit detail) to clients
8 User Responsibilities
• Maintain unique credentials; enable 2FA.
• Do not screenshot, download, or locally store restricted PII.
• Report suspected compromise to compliance@tsinational.com immediately.
• Upload of unrelated sensitive data (e.g., HIPAA, PCI) without written consent is prohibited.
9 Sub-Processor Oversight
All third-party providers complete annual security due-diligence and sign a Data-Processing Agreement. Student PII is never sold, leased, or used to train generative AI/LLMs without explicit written consent.
10 Children’s Privacy
TSI does not knowingly collect data from individuals under 13 (16 in CA). If a sponsoring employer submits a minor, parental consent documentation is required.
11 Data-Subject Rights
Requests for access, correction, portability, or deletion: privacy@tsinational.com. Identity verification is required. Verified requests are satisfied within 30 days unless law requires otherwise.
12 Policy Updates & Re-Acceptance
Material changes are posted 30 days in advance. Users must re-accept upon next login; continued use after the effective date signifies acceptance.
13 Limitation of Liability
To the maximum extent permitted by law, TSI’s aggregate liability for any security incident or policy breach is limited to direct damages not exceeding the total fees paid to TSI in the twelve (12) months preceding the event, except to the extent prohibited by applicable law. TSI is not liable for indirect, consequential, or punitive damages.
14 Contact & Responsible Disclosure
Compliance: compliance@tsinational.com
Security Operations: security@tsinational.com
We acknowledge and credit responsible vulnerability reports within five (5) business days.
TSI National applies enterprise-grade safeguards and commercially reasonable efforts to protect every student’s data.