Security & Compliance
Your data is safe with us
Paideon is built for schools. We take student data privacy seriously and design every feature with FERPA compliance in mind.
Compliance Framework
FERPA Compliant
Paideon operates as a “school official” under FERPA, processing student education records only at the direction of teachers and school administrators. We never use student data for non-educational purposes.
Data Processing Agreement
We sign Data Processing Agreements (DPAs) with school districts, compatible with the Student Data Privacy Consortium (SDPC) National Data Privacy Agreement framework.
No Student PII in AI
Student names and identifiers are stripped before submission content is sent to our AI grading engine. The AI receives only the anonymous submission text and the rubric. No PII is transmitted to third-party AI services.
Audit Logging
All access to student data is logged with timestamps, user identity, and action type. Audit logs are retained for 3 years per FERPA requirements and are available to school administrators on request.
Data Rights
Right to Access
Teachers and school admins can export a complete copy of any student's data at any time, including all grades, submissions, and enrollment records.
Right to Delete
Student records can be permanently deleted by the teacher or school admin. Deletion removes all associated submissions, grades, and enrollment records.
Data Minimization
We only collect data necessary for grading: student name, ID number, email (optional), and submission files. Uploaded files are automatically deleted after 7 days.
Infrastructure & Encryption
- Hosting: Application hosted on Vercel (SOC 2 Type II certified). Database hosted on Supabase (SOC 2 Type II certified, AWS us-east-1).
- Encryption in transit: All data transmitted over TLS 1.2+. HTTPS enforced on all endpoints.
- Encryption at rest: Database encrypted with AES-256. File storage encrypted at rest via AWS S3 server-side encryption.
- Access control: Row-level security (RLS) enforced at the database layer. Teachers can only access their own students' data. Org members see summary-only cross-class data — never individual assignment scores for another teacher's class.
- Authentication: Email/password with bcrypt hashing, Google OAuth, session-based auth with secure HTTP-only cookies.
Subprocessors
The following third-party services process data on behalf of Paideon. All subprocessors maintain SOC 2 compliance and data processing agreements.
| Service | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Database, Auth, File Storage | All application data, user accounts, submission files | US (AWS us-east-1) |
| Vercel | Application Hosting | HTTP requests, server-side rendering | US |
| Anthropic | AI Grading Engine | Anonymous submission content only (no student PII) | US |
| Stripe | Payment Processing | Teacher billing info only (no student data) | US |
Questions?
For security inquiries, DPA requests, or compliance questions, contact us at security@paideon.app. We respond to all security-related inquiries within 2 business days.
Last updated: February 2026