NHSBBQA® - Data Security Commitment

Commitment to Data Security

National High School BBQ Association (NHSBBQA®) and PITMSTR™

Institutional Data Security and Privacy Framework

The National High School BBQ Association (NHSBBQA®) and its technology platform PITMSTR™ are committed to protecting the confidentiality, integrity, and availability of student, educator, and member information.

Our organization operates educational programs within public school systems across the United States, and therefore maintains security practices aligned with the expectations of school districts, state education agencies, and federal privacy laws.

NHSBBQA maintains a multi-layered data security program consisting of:

• Administrative safeguards
• Technical safeguards
• Physical safeguards
• Governance oversight
• Vendor risk management

These controls protect information collected through NHSBBQA educational programs, competitions, credentialing systems, and the PITMSTR digital platform.

Security Governance Framework

NHSBBQA implements security policies informed by widely recognized cybersecurity frameworks.

Our internal security program aligns with the principles of:

NIST Cybersecurity Framework

Core functions:

• Identify

• Protect

• Detect

• Respond

• Recover

SOC-2 Security Principles

Operational controls are designed to support:

• Security

• Availability

• Confidentiality

• Processing integrity

• Privacy

Education Data Governance Standards

Our data practices align with guidance from:

• U.S. Department of Education

• Student Data Privacy Consortium (SDPC)

• State education technology privacy requirements

Legal and Regulatory Compliance

Because NHSBBQA programs operate in educational settings, we follow federal student data protection laws.

FERPA

Family Educational Rights and Privacy Act

FERPA protects the privacy of student education records.

Under FERPA:

• Schools retain ownership of student education records.

• NHSBBQA operates as a school official with legitimate educational interest when contracted by a school district.

• Data is used solely to provide educational services.

COPPA

Children’s Online Privacy Protection Act

For users under age 13:

• schools may provide consent on behalf of parents

• NHSBBQA collects only data necessary for educational participation

• no advertising profiling is conducted

PPRA

Protection of Pupil Rights Amendment

NHSBBQA programs avoid the collection of sensitive personal survey data related to:

• political beliefs

• mental health

• religious practices

• family income

• biometric data

Data Ownership and Control

Schools and school districts retain ownership of all student education records.

NHSBBQA acts only as a data processor and service provider.

Data is used solely to provide:

• educational program management

• competition scoring

• credentialing and student portfolio documentation

• team and event administration

NHSBBQA does not sell, rent, or monetize student data.

No student data is used for targeted advertising.

Administrative Safeguards

Administrative safeguards govern how information is handled within the organization.

Security Policies

NHSBBQA maintains written policies covering:

• Information Security

• Data Privacy

• Acceptable Use

• Incident Response

• Data Retention

• Vendor Risk Management

Personnel Security

Personnel with access to sensitive data must:

• complete privacy training

• sign confidentiality agreements

• follow least-privilege access controls

• use secure authentication

Access is granted only to personnel with a legitimate operational need.

Vendor Risk Management

Third-party service providers are evaluated before receiving system access.

Vendors must meet minimum security standards including:

• encrypted infrastructure

• secure authentication

• compliance with privacy laws

• contractual data protection obligations

Technical Safeguards

PITMSTR technology systems implement modern cybersecurity protections.

Secure Cloud Infrastructure

Systems are hosted in secure cloud environments that include:

• hardened infrastructure

• firewall protection

• intrusion detection

• continuous monitoring

• redundant backup systems

Encryption

Sensitive data is protected using strong encryption.

Encryption in transit:

TLS / HTTPS

Encryption at rest:

AES-256

Encryption ensures that unauthorized users cannot intercept or access protected information.

Identity and Access Management

Access to NHSBBQA systems is protected through identity management controls.

Security features include:

• role-based permissions

• secure authentication

• session monitoring

• administrative audit logs

Sensitive administrative actions are recorded in tamper-evident logs.

Artificial Intelligence and Data Protection

AI technologies used by NHSBBQA are designed to protect student privacy.

Zero-Retention AI Processing

When AI services assist with:

• judging analytics

• scoring review

• educational insights

the system uses zero-retention processing environments.

This means:

• student data is not stored by AI providers

• AI providers cannot train on student data

• data is processed temporarily and discarded.

AI Governance

NHSBBQA AI systems do not perform:

• facial recognition

• biometric identification

• behavioral profiling

• psychological analysis of students

AI tools are used only for educational analytics and operational support.

Data Minimization

NHSBBQA intentionally collects minimal information required for educational programs.

Typical information may include:

• student name

• school affiliation

• competition results

• credential achievements

• project portfolio materials

NHSBBQA does not collect:

• social security numbers

• medical records

• financial account information

Data Retention and Deletion

Student information is retained only as long as required to support:

• credential verification

• educational records

• competition archives

Schools or districts may request deletion of data consistent with their policies.

Incident Response

NHSBBQA maintains a formal cybersecurity incident response process.

If a security event occurs:

1. Systems are immediately secured.

2. The incident is investigated.

3. Data exposure is assessed.

4. Affected institutions are notified.

5. Corrective actions are implemented.

Where required by law or contract, notification timelines will comply with district and state requirements.

Physical Security

Although NHSBBQA infrastructure is cloud-hosted, physical security protections include:

• secure data center facilities

• controlled physical access

• environmental monitoring

• disaster recovery systems

Security Monitoring

Continuous monitoring helps protect NHSBBQA systems.

Monitoring includes:

• security event logging

• anomaly detection

• vulnerability scanning

• system patch management

These controls help identify threats before they impact educational operations.

Transparency and Accountability

Protecting student privacy requires transparency.

NHSBBQA commits to:

• clear privacy policies

• responsible data stewardship

• collaboration with schools and parents

• ongoing security improvements

Trust from schools and families is essential to our mission of safe, educational student experiences.

Security Contact

Security and privacy questions may be directed to:

Data Security Office
National High School BBQ Association (NHSBBQA®)

security@hsbbq.org

Legal & Clarity Statement 

The National High School BBQ Association® is an independent, educator-led organization.
Use of similar descriptive terms by other entities does not imply affiliation, endorsement, or partnership.

National Authority & Sanctioning

CTSO-Neutral Position Paper

School Registration or Charter pages