Rationarium Information Security Policy
Effective Date: January 1, 2026
Review Cycle: Annual
Policy Owner: Chief Executive Officer / Chief Technology Officer, Rationarium Inc.
Last Documented Review: December 9, 2025
Purpose
This policy establishes the security principles, controls, and responsibilities that Rationarium Inc. applies to the systems and data entrusted to us by institutional customers. It is provided as a high-level summary; additional technical detail is available to customers under NDA.
Scope
This policy covers all Rationarium Inc. systems involved in delivering WeBWorK hosting services, including:
- Production customer WeBWorK environments
- Operational infrastructure (monitoring, alerting, backup, deployment)
- Administrative systems used to conduct Rationarium’s business
- Sub-processor relationships
Guiding Principles
- Minimize data. Collect and retain only what is required to deliver the service.
- Isolate customers. Never commingle data from different customers.
- Default-deny access. Grant access only when and where it is needed, and only for as long as it is needed.
- Assume compromise is possible. Maintain monitoring, backups, and response capability that permit recovery even from a full host compromise.
- Be transparent. Tell customers what we do, how we do it, and promptly when something goes wrong.
Standards Alignment
Rationarium’s controls are informed by:
- NIST Cybersecurity Framework (CSF) v2.0 — guiding framework across identify, protect, detect, respond, and recover functions
- CIS Critical Security Controls — operational reference for technical safeguards; Rationarium works toward alignment with Implementation Group 1 (IG1) as its minimum baseline
- FERPA school-official standards — for handling of student education records
- NIST SP 800-171 — informs data-protection controls for instances hosting sensitive or controlled unclassified data
Access Control
- SSH public-key authentication only. Password authentication is disabled on every production server.
- Privileged root login prohibited. Administrative actions require a named administrator account with sudo.
- Least privilege. Administrative access to production infrastructure is limited to the Rationarium CEO/CTO. Rationarium staff do not access a customer’s WeBWorK application unless the customer grants explicit, time-limited, purpose-limited permission; any such account is deactivated immediately upon completion of the task.
- Credential custody. Administrative SSH keys are stored on a managed, disk-encrypted workstation with an encrypted offline backup. Access to the workstation requires VPN connectivity.
Authentication
- Customer end-users authenticate via LTI 1.3, LDAP, or WeBWorK native accounts at the customer’s discretion. Strong-authentication policy (single sign-on, MFA, password complexity) is controlled by the institution.
- WeBWorK 2.20 and later supports two-factor authentication, configurable by permission level and by per-course allowlist and denylist. Rationarium enables and configures 2FA at customer request.
- Rationarium administrative accounts use SSH public-key authentication for server access and hardware-backed multi-factor authentication for any cloud-console or administrative-email access.
Network Security
- Single-tenant virtual machines hosted at DigitalOcean (US).
- Host firewall (UFW) restricts inbound traffic on every production instance. TCP 22 (SSH), TCP 80 (Let’s Encrypt ACME challenge and HTTP-to-HTTPS redirect), and TCP 443 (HTTPS) are accepted from the public internet. Internal monitoring metrics endpoints are accepted only from Rationarium’s private VPC subnet. All other ports are denied by default.
- TLS 1.2 or higher for all client-server communication; older protocol versions are disabled.
- Private networking via DigitalOcean VPC where Rationarium services need to communicate internally.
Data Protection
- In transit. TLS 1.2 or higher for all external connections. No cleartext protocols are exposed on public interfaces.
- At rest. Nightly database backups are encrypted before storage. Full-disk encryption of the live database is available on request and is enabled by default for instances storing sensitive data.
- Backups. Nightly, encrypted, with seven-day rolling retention and off-host storage. Backup restoration is exercised regularly — see the Disaster Recovery Plan.
- Single-tenant isolation. Each customer has a dedicated virtual machine, dedicated database instance, and dedicated file storage. No shared customer data planes exist.
Monitoring and Logging
Rationarium operates a centralized monitoring stack covering all production customer instances:
- Metrics — Prometheus-based collection of system resources, Apache worker state, Hypnotoad worker saturation, and TCP accept-queue depth
- Synthetic monitoring — Uptime Kuma external probes every thirty seconds against each customer instance
- Alerting — Grafana alert rules route to on-call push notification (ntfy)
- Public status page — https://status.rationarium.org
- Application and access logs — retained on each instance for security investigation; rotated and archived per instance policy
Customer WeBWorK instances record login, logout, action, timestamp, and source IP address for all user activity. Logs are available to institutional administrators.
Vulnerability Management
- Operating system and dependency patches are applied to customer instances on a regular cadence, typically during the lowest-usage period of the academic calendar.
- Emergency patches addressing critical security vulnerabilities are applied outside the normal cadence, with advance notice to customers wherever possible.
- Application (WeBWorK) updates are scheduled with customer coordination. Security-relevant WeBWorK patches are tracked through the WeBWorK open-source community and applied promptly.
- Supply chain. Rationarium tracks upstream WeBWorK releases and third-party dependencies through the WeBWorK community and DigitalOcean security advisories.
Incident Response
Rationarium maintains a written incident response runbook covering detection, containment, investigation, customer notification, and post-incident review. Customer notification commitments are described in the Incident Notification Policy. Key commitments:
- Customer notification within four hours of a confirmed incident
- Written post-incident report within five business days of resolution
- Regulator notification support as required by applicable law
Change Management
Rationarium’s Change Management Policy describes how changes to customer environments are planned, communicated, and executed. In summary: changes are coordinated with the customer administrator, scheduled during minimum-impact windows where practical, preceded by a backup snapshot, and logged.
Third-Party Sub-Processors
Rationarium uses one infrastructure sub-processor:
- DigitalOcean LLC — hosting and related services (SOC 2 Type II, CSA STAR Level 1)
Rationarium does not share institutional or student data with any other third party. A current list of sub-processors is maintained and customers will be notified at least thirty days before any addition.
Physical Security
Rationarium does not operate physical data center facilities. Physical and environmental controls at the data-center layer are the responsibility of DigitalOcean, whose certifications are published at https://www.digitalocean.com/trust/certification-reports. Administrative workstations used by Rationarium staff are stored in private, access-controlled locations and use full-disk encryption.
Personnel
- Security responsibilities are consolidated in the CEO/CTO role (K. Andrew Parker). Rationarium does not currently operate a separate information security office; as the organization grows, a dedicated security function will be established.
- Confidentiality. All Rationarium personnel are bound by confidentiality obligations with respect to customer data.
Policy Review
This policy is reviewed at least annually and updated in response to material changes in services, infrastructure, or the threat environment. The effective date above indicates the current version.
Contact
Security inquiries, vulnerability reports, and policy questions: andrew@rationarium.org