menu
save_alt ダウンロード

Compliance Actions Calendar

Scheduled security and compliance activities

< Back

Overview

This document describes Beekeeper Studio’s scheduled compliance activities. These activities ensure ongoing adherence to our security policies and support compliance with GDPR, NDPA, and customer contractual requirements.

All compliance activities are tracked in a shared compliance spreadsheet with three tabs: Monthly Reviews, Quarterly Reviews, and Annual Audit.

Automated Monitoring

The following systems run continuously and require no manual intervention:

  • Vulnerability Scanning: Dependabot and GitHub Security Alerts on all repositories, with automated PRs for dependency updates
  • Backup Monitoring: Heroku Postgres backup status routed through Papertrail to Slack on failure
  • Application Error Monitoring: Honeybadger for exception tracking and alerting
  • Infrastructure Monitoring: Heroku-managed infrastructure with built-in metrics and alerting for database connection limits, memory (R14), and request timeout (H12) errors
  • Authentication Monitoring: Failed logins, admin logins, and privilege changes logged with [SECURITY] prefix and routed through Papertrail to Slack

Monthly Compliance Review (1st Friday, ~1 hour)

Owner: CTO

Security Check

  • Review Dependabot alerts for any ignored or postponed items
  • Verify no critical vulnerabilities are older than 7 days
  • Review patches deployed and any overdue vulnerabilities
  • Confirm last backup completed successfully (heroku pg:backups)
  • Review any automated security alerts from the past month
  • Verify log retention/deletion is operating correctly (Papertrail)

Access Check

  • Review current user list and access levels
  • Verify no former team members retain access
  • Confirm MFA is enabled on all accounts
  • Check for dormant accounts (inactive >90 days)

Contractor Check

  • Confirm all contractors are still active
  • Verify confidentiality agreements are on file

Documentation

  • Record results in the Monthly Reviews tab of the compliance spreadsheet

Quarterly Compliance Review (First Friday After Quarter End, ~2.5 hours)

When: April, July, October, January
Owner: CTO + one team member

Access and Security Review (60 minutes)

  • Review all access levels across production systems
  • Verify 100% MFA compliance
  • Rotate any API keys or service account credentials older than 90 days
  • Check for dormant accounts (inactive >90 days)

Vulnerability and Patch Review (60 minutes)

  • Review and merge open Dependabot PRs
  • Verify all critical vulnerabilities patched within 7 days, high within 30 days
  • Document any exceptions with compensating controls

Subprocessor Check (20 minutes)

  • Review subprocessor list for accuracy
  • Document any vendor additions, removals, or security incidents
  • Update subprocessor list if changed

Backup Test (30 minutes)

  • Restore a backup to verify recovery procedures work
  • Document restoration time and result

Documentation

  • Record results in the Quarterly Reviews tab of the compliance spreadsheet

Annual Compliance Week (First Week of November, ~10-15 hours)

Owner: CTO + full team for training day

Day 1: Self-Audit Preparation (3 hours)

  • Gather evidence from the past year: monthly and quarterly compliance records, vulnerability scan results, backup test results, access review records
  • Review prior year’s audit findings and remediation status

Day 2: Self-Audit Execution (3 hours)

Audit checklist covers:

  • Asset Management: All systems with customer data documented, subprocessor list current
  • Access Control: MFA on all accounts, access reviews completed, no dormant accounts
  • Data Security: Encryption at rest and in transit, data retention policy followed
  • Vulnerability Management: Dependabot enabled, patching SLAs met
  • Incident Response: Plan updated, breach notification template ready
  • Backup and Recovery: Quarterly backup tests passed, disaster recovery plan documented

Document any gaps as findings with severity and remediation plan.

Day 3: Policy Review (2 hours)

Review all security policies and update version dates:

Day 4: Audit Report (2 hours)

Compile annual audit report covering:

  • Executive summary and overall security posture
  • Key metrics (MFA compliance, vulnerability SLA compliance, backup success rate)
  • Findings and remediation status
  • Compliance metrics by control category
  • Goals for the coming year

Day 5: Training and Closeout (2 hours)

Team Training (1 hour):

  • Review security policy highlights
  • Handling of customer and student data
  • Incident reporting procedures
  • Each team member signs policy acknowledgment

Closeout (1 hour):

  • File all audit evidence
  • Record results in the Annual Audit tab of the compliance spreadsheet
  • Set calendar reminders for next year

As-Needed Actions

New Team Member Onboarding (30 minutes)

  • Send confidentiality agreement
  • Create accounts with MFA required
  • Add to access review tracking

Team Member Offboarding (30 minutes)

  • Disable all accounts immediately
  • Remove from all systems (GitHub, Heroku, etc.)
  • Send reminder of continuing confidentiality obligations
  • Update access review tracking

Data Deletion Request (2-3 hours)

  • Acknowledge within 24 hours
  • Create and execute deletion plan
  • Verify deletion and send confirmation
  • For NDPA: complete within 60 days

Security Incident (Variable)

Critical Vulnerability (1-2 hours)

  • Review and assess impact immediately
  • Deploy patch within 7 days per Vulnerability Policy
  • Document in compliance spreadsheet

New Subprocessor (45 minutes)

  • Review vendor security certifications (SOC 2 or ISO 27001 required)
  • Add to subprocessor list
  • Notify customers 30 days before data sharing begins (NDPA requirement)

Compliance Evidence

When customers or educational institutions (LEAs) request compliance documentation, Beekeeper Studio provides:

  1. Annual Audit Report - Demonstrates annual security assessment per NDPA Section 5.2
  2. Compliance Spreadsheet - Monthly and quarterly review records showing ongoing monitoring
  3. Security Policies - Published at /legal/
  4. Subprocessor List - Published at /legal/subprocessors

Immediate Action Required

The following situations require immediate response regardless of the compliance calendar:

  • Critical vulnerability older than 7 days - Patch immediately
  • Suspected data breach - 72-hour notification deadline
  • Production access without MFA - Remediate immediately
  • Backup failure for more than 3 days - Investigate and resolve
  • Former team member retains access - Revoke immediately

Everything else can wait until the next scheduled compliance review.