Security & FERPA

Written for IT administrators and procurement officers at schools, universities, and districts. Short on marketing claims, long on what we actually do.

Infrastructure

• Hosting: Vercel (or equivalent) on US data centers. SOC 2 Type II certified provider.
• Transport: TLS 1.2+ with modern cipher suites. HTTPS enforced on all domains.
• Payment processing: Stripe. PCI DSS Level 1 certified. We never see or store card data.
• Backups: daily, encrypted at rest, 30-day retention.

Authentication

• SSO via Google Workspace and Microsoft Entra (Year 1).
• Class-code entry for quick pilots (Year 1).
• LTI 1.3 launch (Canvas, Blackboard, Moodle, D2L) — on request; 60-day delivery on first paying deal that requires it.
• Clever / ClassLink rostering — planned Year 3 or sooner if a district deal funds it.
• Optional domain whitelisting for institutional licenses.
• No passwords stored on our side for SSO users. For accounts that use email+password, bcrypt with salt.

FERPA

When a US school or university uses the Service, we operate as a "school official" under FERPA to the extent student records pass through us. Specifically:

• We only collect data necessary to provide the Service (an email or opaque user ID, scene data the student creates).
• We do not sell, share, or otherwise use student data for any purpose other than providing the Service to the school.
• We delete student data on written request from the school within 30 days.
• We offer a Data Processing Addendum (DPA) on institutional contracts.

COPPA

We do not knowingly collect personal information directly from children under 13. Schools enrolling students under 13 on an institutional license provide parental consent on their behalf under the FTC's "school consent" exception.

Data minimization

We intentionally collect very little. We don't need — and don't collect — grades, attendance, birthdates, addresses, behavioral data, or advertising identifiers. We do not place third-party tracking cookies.

Incident response

If we suffer a security incident that may have exposed customer or student data, we notify affected institutions within 72 hours of detection and provide a written post-mortem within 14 days. Contact [email protected] for the most current procedure.

Responsible disclosure

Security researchers: thank you. Report vulnerabilities to [email protected]. We respond within 48 hours and publicly credit reporters on request once the issue is fixed.

Procurement resources

For IT / procurement reviews we can provide:

• Our current Data Processing Addendum (DPA)
• A completed Higher Education Community Vendor Assessment Toolkit (HECVAT) Lite
• A subprocessor list with roles and data flows
• A SOC 2 Type II attestation (planned for 2027 — currently operating under inherited attestations from our hosting and payment subprocessors)

Email [email protected] to request these documents.