Trust and privacy, built in.
Your organization owns and controls its data — we are a service provider that holds and processes it only to deliver the product.
You own your data. We hold it for you.
Your organization is the data owner and controller; ITS acts as a service provider that holds and processes data only on its behalf.
Service provider, not data owner
The organization is the data owner and controller; ITS acts as a service provider, processing data only on the organization's behalf.
Processed only to deliver the product
We process your data only to provide, secure, and support the product, under a signed Student Data Privacy Agreement with each organization.
Clear promises about your students' data
We never sell or rent your data
User data — student or otherwise — is never sold or rented, to anyone, for any reason.
No advertising in our apps
We don't sell advertising in any of our client apps, and we never use your data for targeted advertising.
No student profiling
We do not build profiles of students for any purpose other than providing the product.
De-identified data, used responsibly
We use de-identified, aggregated data only to maintain and improve the product — and never attempt to re-identify it.
Aligned with the laws that protect students
School official
We act as a "school official" with a legitimate educational interest under FERPA.
Under-13 authorization
For students under 13, the school provides authorization in the educational context.
State student-privacy laws
We follow SOPIPA and applicable U.S. state student-privacy laws.
Signed with every district
A Student Data Privacy Agreement is signed with every district.
How we protect your data
Encryption in transit and at rest
Encryption in transit (TLS) and encryption at rest within our cloud infrastructure.
Hosted in the United States
Hosted on Google Cloud in the United States.
Least-privilege access
Role-based, least-privilege access for staff, with administrative-access logging.
Multi-factor authentication
Multi-factor authentication available for staff and administrator accounts.
Hardware-backed device storage
Student data cached on mobile devices is protected using the device's hardware-backed secure storage.
Verified app requests
Device attestation verifies that requests come from our genuine, unmodified apps.
You stay in control of your data
Retained while you use the product
Student data is retained for the duration of the school's use of the product.
Deleted within 30 days on request
On a verified school request, student data is deleted from active systems within 30 days; encrypted backups age out within 180 days.
Parents work through their school
Parents access or request deletion of their student's data through their school.
We notify you fast
If we confirm a security breach affecting your data under our control, we notify your organization within 72 business hours.
The vetted providers behind the product
We use a limited set of established service providers to help deliver, secure, and support the product. We share only the data each one needs to perform its service, and we never sell or rent your data to anyone.
Documents and resources
Talk to our team
Evaluating us for your organization? We're happy to walk through our Student Data Privacy Agreement and answer any questions about how we handle your data.