FERPA Compliance
Family Educational Rights and Privacy Act
SmartTutor operates as a School Official under FERPA — acting solely on behalf of the school district under direct control of the institution, with a legitimate educational interest. We do not use student education records for any purpose beyond delivering the SmartTutor service.
- Limited access: Student education records are accessible only to teachers of record, district administrators, and the students themselves. No cross-district access is possible.
- Parental rights honored: Parents may request access to, or deletion of, their child's records at any time by contacting the district administrator or SmartTutor support.
- Data minimization: We collect only what is necessary for tutoring: subject area, grade level, quiz performance, and session activity. No social security numbers, no health records, no home addresses.
- No third-party disclosure: Student education records are never sold, rented, or shared with advertisers, data brokers, or any commercial third party.
- Audit trail: All access to student records is logged. Districts can request an access log at any time.
For your DPA: SmartTutor will execute a Data Processing Agreement (DPA) or FERPA-compliant data sharing agreement with any school district prior to onboarding. Contact info@bmcksapps.com to start the process.
COPPA Compliance
Children's Online Privacy Protection Act — Students Under 13
COPPA protects children under 13. When students use SmartTutor in a school context, the school district provides verifiable consent on behalf of parents through the district's standard enrollment process — consistent with the FTC's school-official exception to COPPA.
- School-authorized access only: Student accounts in school mode are provisioned by teachers and administrators — students do not self-register.
- No behavioral advertising: SmartTutor displays no advertisements to students. Student data is never used for ad targeting, profiling, or commercial purposes.
- Minimal personal data: For students under 13, we collect name (or username), grade level, and learning activity data only. No email, phone, or profile photo is required.
- Parental access: Parents may review, correct, or request deletion of their child's data by contacting the district, which retains administrative control.
- No sale of data: We do not sell, rent, or monetize any data collected from students under 13 under any circumstance.
Our commitment: If a student's grade or age profile indicates they are under 13, SmartTutor automatically applies the most restrictive data handling rules regardless of which feature they're using.
Row-Level Security (RLS)
Database-enforced tenant isolation — not just application-layer checks
SmartTutor uses Supabase PostgreSQL with Row-Level Security policies enabled at the database engine level. This means that even if a bug existed in the application code, the database itself would prevent School A from ever reading School B's data.
What this means in practice: A teacher at Jefferson Elementary cannot access student records from Lincoln Middle School — even if they share the same physical district server. The database enforces this boundary at the row level, independently of every application layer above it.
Data Encryption
At rest and in transit — plaintext student data never touches the wire or the disk
All student data is encrypted using industry-standard algorithms at every stage of its lifecycle — from the moment it leaves the student's browser to long-term storage.
- In Transit — TLS 1.2+: All connections between browsers, the application server, and the database use HTTPS with TLS 1.2 or higher. Plain HTTP is rejected and redirected automatically.
- At Rest — AES-256: Supabase PostgreSQL storage is encrypted at rest using AES-256. Backups are also encrypted with the same standard.
- No plaintext credentials: SmartTutor does not store passwords. Authentication is handled entirely through Google OAuth — no password database exists to breach.
- Encrypted backups: Database backups are encrypted and stored separately from the primary database. Backup access requires separate credentials.
Authentication
Google OAuth — no passwords stored by SmartTutor
SmartTutor does not maintain a password database. Authentication is handled entirely through Google OAuth 2.0, delegating credential management to Google's enterprise-grade identity infrastructure.
- Google OAuth 2.0: Users authenticate via Google. SmartTutor never sees or stores a password. Districts using Google Workspace for Education benefit from SSO natively.
- Session management: Sessions are managed via signed, short-lived JWTs. Tokens are scoped to the authenticated user's role and district.
- Token expiry: Access tokens expire and require re-authentication. Refresh tokens are not stored in browser localStorage.
- No credential exposure: Automated security audits scan for any accidentally exposed credentials or tokens in server logs, response headers, or client-side code.
AI Data Handling
Student queries are never used to train AI models
SmartTutor uses AI to generate tutoring questions and personalized explanations. We are explicit about what happens — and doesn't happen — with that data.
- Not used for training: Student queries sent to our AI provider are not used to train or improve AI models. We use API configurations that explicitly opt out of training data usage.
- No student PII in AI logs: AI requests are constructed to exclude personally identifiable information. We send subject, grade level, and question context — not names, emails, or student IDs.
- Query caps prevent abuse: Each student account is capped at 150 AI queries per month. This prevents runaway usage and limits the blast radius of any compromised account.
- Content filtering: AI-generated content is passed through safety filters before being shown to students. Off-topic or inappropriate responses are blocked automatically.
AI provider commitment: Our AI API agreement prohibits the provider from using submitted data for model training. We can provide documentation of this API data processing agreement upon request.
Automated Security Monitoring
Daily scans across 9 security domains
SmartTutor runs automated security audits every day. Each audit checks the live production application across the following domains:
Audit results are available on request. District IT directors may request the most recent security audit report at any time by emailing info@bmcksapps.com.
Access Controls
Role-based — no user sees data outside their scope
SmartTutor enforces a strict role-based access model. Every data access check happens at two layers: the application level and the database RLS policy level.
| Role | What They Can See | What They Cannot See |
|---|---|---|
| Student | Their own quiz history, XP, streaks, and badges | Other students' data, teacher records, any admin data |
| Teacher | Their own enrolled students' progress and activity | Students from other teachers' classrooms, data from other schools |
| District Admin | All students and teachers within their district only | Any data from other school districts |
| Service | Strictly scoped operations (e.g., report generation, XP sync) | Any read or write outside its designated service scope |
- Server-side operations only: Sensitive operations (student data writes, classroom management, report generation) are executed server-side only. Client-side code never handles raw student records directly.
- API key isolation: Service accounts used for background jobs (weekly reports, XP sync) operate with narrowly scoped permissions — they cannot read or write outside their designated domain.
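The policies below are an added example, not SmartTutor's own schema: they show how the database-level boundary described in the Row-Level Security section and the role scopes in the table above can be enforced in Supabase Postgres from claims carried in the session JWT. Table, column and claim names (app_metadata.role, app_metadata.district_id) are assumptions, as are Supabase's auth.jwt()/auth.uid() helpers and its authenticated role.

```sql
-- Added example, not SmartTutor's own schema. Table, column and claim names
-- are assumptions; Supabase's auth.jwt()/auth.uid() helpers and its
-- 'authenticated' role are assumed to exist.
create table student_records (
  id          bigint generated always as identity primary key,
  student_id  uuid        not null,  -- auth.users id of the student
  teacher_id  uuid        not null,  -- auth.users id of the teacher of record
  district_id text        not null,
  quiz_score  int,
  created_at  timestamptz not null default now()
);
grant select on student_records to authenticated;

-- Deny by default: with RLS enabled (and forced, so even the table owner is
-- subject to it) a row is visible only if some policy below grants it.
alter table student_records enable row level security;
alter table student_records force row level security;

-- Role and district as stored in the JWT's app_metadata at login.
create or replace function app_role() returns text language sql stable as
  $$ select coalesce(auth.jwt() -> 'app_metadata' ->> 'role', 'anon') $$;
create or replace function app_district() returns text language sql stable as
  $$ select auth.jwt() -> 'app_metadata' ->> 'district_id' $$;

-- Student: only rows where they are the subject.
create policy student_reads_own on student_records for select to authenticated
  using (app_role() = 'student' and student_id = auth.uid());

-- Teacher: only their own enrolled students, and only inside their district.
create policy teacher_reads_roster on student_records for select to authenticated
  using (app_role() = 'teacher' and teacher_id = auth.uid()
         and district_id = app_district());

-- District admin: every row in their district, none from any other district.
create policy district_admin_reads_district on student_records
  for select to authenticated
  using (app_role() = 'district_admin' and district_id = app_district());

-- No insert/update/delete policy is defined for 'authenticated', so writes
-- are refused unless issued server-side under the service role (which
-- bypasses RLS), matching the "server-side operations only" rule.

-- Verify from psql by impersonating a teacher's claims (constructed values):
set role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001",
    "app_metadata":{"role":"teacher","district_id":"jefferson-usd"}}', false);
select count(*) from student_records;  -- counts only this teacher's roster
```

The database-layer guarantee holds only for queries executed under the user's own JWT; the service-role key bypasses every policy above, so keeping that key strictly server-side is what makes the isolation independent of application bugs.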
Data Retention & Deletion
Districts control their data — full purge available on request
SmartTutor retains student data only for as long as the district maintains an active relationship with us. Districts own their data and can request deletion at any time.
- Full purge on request: Any district administrator may request a complete deletion of all student records, classroom data, and activity logs. Purge is completed within 30 days and confirmed in writing.
- Not sold or shared: Student data is not sold to data brokers, shared with advertisers, or transferred to third parties for commercial purposes — ever.
- Retention schedule: Active student records are retained while the school's account is active. Upon account termination, records are deleted within 90 days unless the district requests earlier deletion.
- Backups: Encrypted backups are retained for up to 30 days for disaster recovery purposes. Backup data is included in any deletion request and purged on the same schedule.
- Data portability: Before deleting an account, districts may request a data export in CSV format covering all student activity records, quiz history, and performance data.
Individual student deletion: To remove a specific student's records (e.g., upon parental request), district administrators can remove the student from the classroom roster — which triggers data deletion. No data is retained after a student is removed.