Data & Security

Our data posture

• Default no-PII: builds avoid collecting student personally identifiable information unless a school explicitly requires it and approves the handling.
• Your environment: hosted data lives in the environment your school chooses — your approved cloud, your LMS, or infrastructure we run under agreement on your behalf.
• Least access: we request the narrowest access needed to deliver and support a tool, and remove it when an engagement ends.
• Written data notes: each tool ships with a short, plain-English note describing what data it touches and where it lives.

Compliance awareness

Our work is FERPA, COPPA, and CIPA aware throughout. We design with these frameworks in mind, keep student data in the environment your school controls, and write tooling so that the default is the compliant path rather than the exception. We are happy to walk your IT and administrative teams through how a specific tool maps to your obligations.

Data processing agreement

A data processing agreement (DPA) is available on request and signed as required before an engagement handles school data. If your district has its own DPA or vendor security questionnaire, we will work through it with you.

Ongoing review

Security is not a one-time checkbox. School partnership engagements include quarterly stack audits and an annual policy review, so the tools running in your school stay inventoried and the risk picture stays current. Read more about the School Partnership.

Questions

For a DPA, a security questionnaire, or a walkthrough of how a tool handles data, email hi@thesecondbell.com.