1) Scope
This policy explains how we protect data transmitted to and from our websites, apps, donation pages, and registration portals (the “Services”). It covers SSL/TLS encryption, data handling, incident response, and state-specific security notices.
2) SSL/TLS Encryption
- We enforce HTTPS by default and redirect all HTTP requests to HTTPS.
- Our servers present current TLS certificates issued by a trusted certificate authority and use strong cipher suites.
- We implement HSTS, OCSP stapling, Perfect Forward Secrecy (where supported), and disable deprecated protocols/ciphers.
- Admin logins, intake forms, payments/donations, and parent/guardian portals are always served over HTTPS.
3) What We Protect in Transit
When you use our secure forms or portals, SSL/TLS protects:
- Contact details (parent/guardian name, email, phone, address)
- Limited participant information necessary for program registration (e.g., athlete name, age/grade, team selections)
- Account credentials (if you create an account)
- Payment or donation information (processed via PCI-compliant third-party processors; we do not store full card numbers)
4) Additional Security Controls
- Role-based access to internal dashboards; least-privilege by default
- Strong password and session-management requirements for staff/volunteers
- Regular vulnerability patching and configuration reviews
- Server-side input validation and basic application firewalls
- Encrypted backups for critical systems
- Vendor due diligence for any integrated platforms (payments, email, analytics)
5) Children & Students (Pre-K–12)
We serve inner-city youth with parental/guardian involvement.
- We do not knowingly collect personal information from children under 13 without verifiable parental consent.
- Parents/guardians manage or provide any needed youth data through secure forms.
- Requests regarding a child’s information can be sent to security@innercitymonarchs.com.
6) Payments & Donations
- Online payments/donations are handled by PCI-DSS compliant processors over HTTPS.
- We never store full PAN (card number), CVV, or magnetic-stripe data on our servers.
7) User Responsibilities
To help keep your data secure:
- Use updated browsers and devices.
- Keep your passwords private; enable MFA if offered.
- Do not send sensitive information over email; use our secure forms.
- Report suspicious emails, texts, or pages to security@innercitymonarchs.com.
8) Data Retention & Minimization
We collect the minimum data needed for program operations, registration, compliance, and safety. Retention periods are limited to operational, legal, and audit requirements, after which data is securely deleted or anonymized.
9) Incident Response & Breach Notification
If we discover a security incident that affects your information, we will:
1) investigate and contain; 2) notify affected individuals and, where required, regulators; and 3) offer guidance and remedies appropriate to the incident.
10) State-Specific Security Notices (“Special States”)
We operate from Florida and will expand to other states. Where state law provides additional rights or duties, we honor them. Below is a summary (not legal advice):
- California (CPRA / Data Breach statutes; “Shine the Light”): We maintain reasonable security procedures appropriate to the nature of data processed. In the event of a qualifying breach, we will provide notifications consistent with California law. California residents may have additional privacy rights (see our Privacy Policy).
- Colorado (CPA & security requirements): We implement reasonable safeguards and vendor controls; breach notifications will be made to consumers and the Attorney General as required.
- Connecticut (CTDPA): We maintain reasonable administrative, technical, and physical safeguards; we will notify affected residents and the AG for qualifying incidents.
- Virginia (VCDPA) & Utah (UCPA): We use reasonable security measures and provide breach notices as required by state law.
- Nevada: We use encryption for sensitive data in transit and follow Nevada breach-notification timelines.
- New York (SHIELD Act): We implement safeguards appropriate to our size and resources; if a breach occurs, we will notify impacted New Yorkers and the NYAG/other authorities as applicable.
- Massachusetts (201 CMR 17.00): We maintain a written information security program (WISP) proportionate to our operations; breach notice obligations will be followed.
- Florida (FIPA): As our home state, we comply with Florida data-security and breach-notification requirements and cooperate with the Florida Attorney General where applicable.
If your state grants you additional security or privacy rights beyond the above, we will comply with those obligations when we operate there or handle your data.
11) International Use
Our Services are intended for U.S. use. If you access them from outside the U.S., you consent to U.S. processing and protections described here.
12) Third-Party Services
We may integrate trusted providers (e.g., payment processors, email, scheduling, analytics). Each provider must maintain industry-standard security and process data under contract. Links to third-party sites are outside our control; review their policies.
13) Accessibility
We aim to keep our secure experiences accessible to all families, volunteers, and supporters. If you encounter barriers on HTTPS pages, email security@innercitymonarchs.com.
14) Changes to This Policy
We may update this SSL / Security Policy for technology, legal, or operational reasons. Material changes will be posted with a new effective date.
15) How to Contact Us
Questions, security concerns, or suspected phishing?
Email: security@innercitymonarchs.com