Data Handling
Effective Date: January 1, 2025 | Last Updated: January 1, 2026
Purpose
This Data Handling Note summarizes NRSFAS’s approach to protecting client information and supporting common public-sector security and privacy expectations. It is informational and does not supersede contract terms, security addenda, or agency-specific requirements.
Data Minimization and Purpose Limitation
We collect and process client information only as needed to perform contracted services and to meet legal and contractual obligations. We encourage clients not to provide sensitive personal data unless required for the engagement and properly authorized.
Access Controls
We apply least-privilege access, role-based access controls where feasible, and multi-factor authentication for administrative access to systems supporting client work.
Encryption
We use encryption in transit for standard business communications and, where applicable, encryption at rest for stored engagement artifacts. Specific encryption requirements can be addressed in a security addendum.
Logging, Monitoring, and Incident Response
We maintain security logging and monitoring appropriate to our operating environment and have an incident response process. We notify clients of confirmed security incidents in accordance with contract terms and applicable law.
Subprocessors and Service Providers
When we use service providers to support operations (for example, hosting, collaboration tools, analytics), we select providers based on security and reliability and bind them to confidentiality obligations. Client-specific subcontractor approvals can be handled through contract and procurement processes.
Retention and Disposal
Engagement data is retained in accordance with contractual requirements and business needs, then securely disposed of when no longer required. We can support agency retention schedules when specified.
Compliance Alignment
Where required by an engagement, we can map controls and practices to client frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and NIST Special Publication (SP) 800-53 control families, and we can support audit artifacts such as policies, procedures, and evidence packages. We do not claim certification unless explicitly documented in writing.
Contact
Questions about data handling:
Email: info@nrsfas.org
Phone: (951) 305-0130
Copyright © 2026 | NRSFAS Corporation | All Rights Reserved.