Protecting Student Data
The security of student and family data is a foundational obligation, not a feature. Every layer of the USI platform is designed to meet federal privacy law requirements and industry security standards.
Security Architecture
Defense-in-depth controls across encryption, access, governance, and response.
Encryption
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for data at rest
- Secure password hashing with bcrypt
- HTTPS enforced on all public endpoints
Access Controls
- Role-based access control (RBAC) with least privilege
- Multi-factor authentication for administrative access
- Session management with secure token handling
- API routes guarded by authenticated sessions
Data Governance
- Purpose-limited data collection
- No sale or secondary commercial use of student data
- Data minimization — collect only what is needed
- Audit logging for sensitive data access
Incident Response
- Documented incident response plan
- Breach notification within required timelines
- Containment, investigation, and remediation procedures
- Post-incident review and corrective action
Regulatory Compliance
Our data practices are designed around federal education privacy laws and accessibility requirements.
FERPA
Family Educational Rights and Privacy Act
Student education records are handled under FERPA's school-official exception. Parents retain rights to access, review, and request amendment of their children's records. Disclosure of personally identifiable information is limited to contracted educational purposes.
COPPA
Children's Online Privacy Protection Act
The Unique Scholars Institute maintains operator-level COPPA responsibilities. School-based consent is limited to uses solely for the educational benefit of the school. No student data is used for advertising, profiling, or unrelated commercial purposes. A privacy notice is provided at collection points.
PPRA
Protection of Pupil Rights Amendment
Intake forms and assessments are reviewed against PPRA requirements. Protected-topic surveys are not administered without district review and required consent or notice. Marketing-oriented data collection is prohibited.
ADA Title II
Americans with Disabilities Act
The platform is designed and tested against WCAG 2.1 Level AA, the technical standard identified by the DOJ for public-school web content. Accessibility extends to forms, documents, and interactive features.
Data Lifecycle
From collection through deletion, every phase of data handling is documented and controlled.
Collection
Data is collected only for specified, documented educational purposes. Collection points include visible privacy notices and consent mechanisms.
Storage
Data is stored in encrypted, access-controlled environments. Database connections use secure credentials with connection pooling and idle timeouts.
Processing
Data processing is limited to contracted services. Staff access follows least-privilege principles with role-based permissions.
Retention
Data is retained only as long as necessary for contracted purposes. Retention periods are documented and reviewed annually.
Deletion
Upon contract termination or request, data is securely deleted with certification of destruction provided to the district or parent.
Transition
Upon partnership conclusion, data export is provided in standard formats within a defined transition window, followed by secure deletion.
Personnel & Screening
- Student-facing personnel undergo background checks and required child-safety training
- Staff access to student data follows least-privilege principles with documented role assignments
- Data handling training is provided to all staff with access to personally identifiable information
- Supervision model ensures accountability at every level of student interaction
Questions About Data Security?
District procurement teams and school leaders can request our Data Privacy Agreement, security questionnaire responses, and compliance documentation.
