Security & Privacy — Symplifyed

Built to protect student data at every layer.

We sign your DPA. We act as a school official under FERPA. We don't train AI on your data, and we don't run ads. Your district owns its data — we just hold it carefully.

FERPA: School Official | SOC 2: In Progress | AES-256: Encrypted | TLS 1.2+: In Transit | AI: No Training
FERPA Aligned (School Official)
We sign your district's Data Processing Agreement and act as a "school official" under FERPA's school-official exception. Student data stays under your direct control — never sold, shared, or rented.
SOC 2 Type II (In Progress)
Production hosted on SOC 2 Type 2-attested infrastructure (Vercel + Neon). Symplifyed's own SOC 2 attestation is in progress to give districts an additional layer of independent assurance.
Access Control (Role-Based)
Teachers only see their assigned students. Admins see their school. District leaders see the whole picture — nothing more. MFA enforced on our cloud infrastructure, source code, and database.
No AI Training (Contractual)
Our AI sub-processors (Anthropic, OpenAI) are contractually prohibited from training on submitted content. No student data ever goes into a general-purpose model — yours or anyone else's.
What we never do
Sell, rent, or lease student data
Train AI models on your data
Run targeted advertising
Market to students or parents
Build profiles outside K-12 purposes
You own your data. Always.
Districts maintain full ownership of student data. Export anytime — full return or deletion within 30 days of contract end. We give 30 days' advance notice before adding any new sub-processor that handles Student Data, so you always know who touches your data.
How we handle data

From your district to ours and back.

Here's exactly what happens to student data once it enters Symplifyed. Four stages. No magic. No surprise data trips.

01. In transit

Encrypted on the way in.

All data traveling between your district's devices and Symplifyed is encrypted with TLS 1.2 or higher. HTTPS-only, no exceptions. We reject any connection attempting to use older, weaker protocols.

Authentication uses MFA-required accounts on our side. SSO support for Google Workspace and Microsoft Entra is available for district rollouts.

02. At rest

Encrypted in storage.

Data at rest is encrypted with AES-256, the same standard used by US government systems. Our production database (Neon) and file storage (Vercel) are both SOC 2 Type 2 attested.

Database backups are encrypted, geographically separated, and retained for 30 days. Older backups are cryptographically erased on a rolling basis.

03. In use

Access is least-privilege by default.

Inside Symplifyed, role-based access controls keep teachers seeing only their assigned students, administrators seeing only their school, and district leaders seeing the rollup. We don't have a "see everything" button for end users.

On the company side, employee access to production data is restricted to engineers on-call for active incidents and logged. We don't use student data for product analytics, never sample it for testing, and don't load it into anyone's local environment.

04. On the way out

Export, return, or delete — your call.

Districts can export their data at any time during the contract. When a contract ends, we'll either return the data to you or permanently delete it from production and backups within 30 days, per your DPA preference.

Deletion includes our backup systems. Once it's gone, it's gone — there's no archived shadow copy sitting somewhere.

If something goes wrong

Our incident response, in plain English.

If there's ever a security incident affecting your data, here's exactly what we'll do and when.

Within 1 hour

Detect & contain

Our on-call engineer is paged. We contain the issue, take affected systems offline if needed, and start a timeline log.

Within 24 hours

Assess scope

We identify what data was affected, which districts are involved, and the root cause. Forensics begin, and decisions get logged.

Within 72 hours

Notify districts

Affected districts get a written notice with what happened, what data was involved, and what we're doing about it. No legalese, no spin.

Within 30 days

Post-mortem

You receive a full written incident report: root cause, remediation steps, and what we changed so this can't happen the same way again.

Found a security issue or have a concern? Email security@symplifyed.com. We take every report seriously and respond within one business day.

FAQ

The questions we get most.

Will you sign our district's DPA?

Yes. We sign district-specific DPAs as a matter of course. We also have a standard DPA available if your district wants a starting point.

For districts using state-level DPAs (NDPA, Massachusetts SDPC addendum, California exhibits, etc.), we sign those too.

Are you FERPA compliant?

Yes. Symplifyed operates as a "school official" under FERPA's school-official exception (34 CFR § 99.31(a)(1)). That means we only access student data to perform services on behalf of the district, under direct district control, and we maintain confidentiality of all records.

We do not redisclose student data outside the district's instruction without consent.

What about COPPA?

For students under 13, Symplifyed relies on the school's authority to provide consent under COPPA, in line with FTC guidance. The district is the consenting party on behalf of parents for educational uses of the platform.

We do not collect personal data from students directly for any purpose outside the district's educational use.

Where is our data stored?

Student data is stored on infrastructure within the United States. Our production database is hosted on Neon (US regions) and our application layer runs on Vercel (US regions).

We don't transfer student data outside the US for processing.

Do you use AI? If so, how?

Yes. We use AI sub-processors (Anthropic and OpenAI) for specific features inside Symplifyed. We have contractual no-training agreements with both: student data submitted to these services is never used to train their models.

AI features are scoped to assist teachers and administrators — they never make decisions about a student on their own. A human is always in the loop.

What happens if a sub-processor changes?

We give districts 30 days' advance written notice before adding or changing any sub-processor that handles Student Data. The current list is always available on our sub-processors page.

If you object to a new sub-processor, we'll work with you to find a path forward.

Can teachers see other classrooms' data?

No. Teachers only see students assigned to them. Administrators only see their assigned school. District-level staff see the rollup. Access is scoped at the role level and verified on every request — not just hidden in the UI.

What happens to our data when the contract ends?

Per your DPA, we either return all data to your district or permanently delete it within 30 days of contract end. Deletion includes backups.

You can also export your data at any time during the contract — no need to wait for it to end.

Are you SOC 2 certified?

Our production infrastructure (Vercel, Neon) is SOC 2 Type 2 attested. Symplifyed's own SOC 2 Type II attestation is in progress — we'll publish the report here when it's complete.

In the meantime, we can share our security overview document under NDA for districts in active evaluation.

How do I report a security concern?

Email security@symplifyed.com. We respond within one business day, take every report seriously, and treat responsible disclosure with respect.

For general privacy questions or data access requests, email privacy@symplifyed.com.