The data-handling posture your procurement team needs.

About: Compliance

This page is the starting point for compliance review. It summarizes our posture; the full DPA, subprocessor list, and SOC 2 report are shared under NDA during procurement. Request them at /contact.

FERPA

FERPA applies to schools, not vendors, but we operate as a "school official" under the exception at 34 CFR § 99.31(a)(1). That means we access student records only at the school's direction, use them only for the stated educational purpose (AI-likelihood assessment), and are subject to the school's audit. Our school-official agreement template is the default for K-12 and higher-ed deployments.

GDPR

For European students, European study-abroad programs, and institutions with any EU nexus: Data Processing Agreement on request, subprocessor list published and updated, right-to-erasure supported within 30 days, international-transfer mechanism via EU Standard Contractual Clauses plus a Transfer Impact Assessment. Our EU-resident users are served from EU data regions where elected.

COPPA

For K-12 users under 13, SSO metadata drives a restricted mode: no persistent storage of submissions, no cross-session history, no profiling, no marketing. Parental-consent routing is handled by the school under the school-official exception to COPPA's direct-notice requirement.

State-level addenda

We sign the following as default addenda for K-12 procurement:

• California. SOPIPA (Cal. Bus. & Prof. Code §§ 22584 et seq.)
• New York. Ed Law § 2-d, Parents' Bill of Rights, NIST 800-53-aligned security controls
• Illinois. SOPPA (Student Online Personal Protection Act)
• Colorado. Student Data Transparency and Security Act
• Connecticut. Act Concerning Student Data Privacy
• Texas. TSDPA (Student Data Privacy Consortium)

Other state addenda are signed on request; the usual review cycle is 7–14 business days.

SOC 2

SOC 2 Type II report available under NDA. Audit period is rolling; we share the most recent report during procurement. Our control environment covers access management, change management, incident response, and vendor management (subprocessor oversight).

Subprocessors

Full list published on our /subprocessors page (coming with Institutional plans) and refreshed when changes occur. Material changes trigger a 30-day advance notice to institutional customers.

Retention controls

• Default: 30 days, then deletion.
• Institutional option: scan-and-discard (zero retention). Submitted text is scored and deleted within the same request cycle.
• On-prem / VPC deployment: available at the Enterprise tier for institutions with stricter data-residency requirements.

The hard questions, answered

• "Do you train on submitted text?" No. Training data is licensed and unrelated to user submissions. We will sign a contractual prohibition on training with customer data.
• "Do you share or sell student data?" No. No advertising, no profiling, no resale.
• "Can the detector be biased against non-native English speakers, disabled students, or specific demographic groups?" Yes, this is a known failure mode of all AI-detection tools, not just ours. Our published false-positive rate stratifies by known risk groups. See /transparency.
• "What's your breach-notification timeline?" 72 hours from discovery to customer notification, matching GDPR Article 33.