Is the software application fully compliant with FERPA, COPPA, and state student data privacy laws?
Yes. The platform is fully compliant with both the Family Educational Rights and Privacy Act (FERPA) and the Children's Online Privacy Protection Act (COPPA).
Data collection is strictly limited to the minimal parameters required to establish student accounts and monitor learning progress. Behavioral tracking is prohibited, and school-guided consent models are fully supported.
Does the vendor sell student data or utilize data for targeted advertising or user profiling?
No. Legally binding privacy policies guarantee that student data is never sold, leased, or rented to third parties.
Student data is utilized exclusively to deliver the specific educational services purchased by the district. The creation of advertising profiles based on student activity is strictly barred.
What encryption standards protect student data both in transit and at rest?
All data transmitted between user devices and the host servers is secured using industry-standard Transport Layer Security (TLS 1.2 or higher) encryption.
Data stored within the cloud environment is encrypted at rest using the Advanced Encryption Standard (AES-256).
What is the vendor data breach notification protocol and timeline?
The vendor maintains a documented Incident Response Plan.
In the event of a verified security incident or data breach, notification is delivered to the affected district’s designated Data Privacy Officer within 24 to 72 hours of discovery, ensuring adherence to state privacy frameworks.
Ereflect Inc. holds formal 1EdTech Data Privacy Certification and is verified under the A4L (Access 4 Learning) Student Data Privacy Consortium.
Additionally, the vendor participates in regional data frameworks, including the 11-State Data Privacy Agreement via The Education Cooperative, ensuring standardized compliance across multiple state jurisdictions.
Does the software development lifecycle follow secure architecture frameworks?
Yes. Product development operates under the Secure by Design pledge.
This framework ensures that data privacy and system security mechanisms are embedded natively into the software architecture from inception, rather than applied as retrofitted patches.
What are the vendor data retention policies and data destruction protocols upon contract termination?
The purchasing district retains full ownership of all student and institutional data.
Upon contract termination or non-renewal, all student Personally Identifiable Information (PII) is securely purged from servers within 30 to 90 days. A formal Certificate of Destruction can be provided upon request.
Does the vendor maintain a unified data privacy agreement applicable across all software applications?
Yes. A single, strict data privacy policy governs the entire product suite.
The data protection standards, compliance certifications, encryption mandates, and non-commercialization guarantees apply uniformly to every application, tool, and service deployed within a district.
Data collection across all software platforms is strictly limited to the minimal parameters required to establish student accounts, authenticate logins, and track learning progress.
The vendor does not collect, track, or store student geolocation data, physical addresses, phone numbers, or biometric data.
What specific data fields are stored within the system for student profiles?
The database handles only basic, non-sensitive data fields necessary for instructional functionality.
These typically consist of a student's first name, last name, district-assigned username or email address, grade level, and school site identification.
Where single sign-on (SSO) integrations are utilized, the applications only consume the specific directory attributes authorized by the district's IT administrator.
The applications capture performance metrics generated directly by the student's instructional interactions.
Depending on the specific software module deployed, this includes input speed, accuracy percentages, lesson completion statuses, total active time-on-task, vocabulary mastery tiers, and error pattern diagnostics.
This performance data is utilized exclusively to drive the localized adaptive learning algorithms and populate the teacher and administrator reporting dashboards.