Security Practices
How we protect student data and maintain the highest security standards for educational technology.
πFERPA Compliant
π‘οΈAES-256 Encryption
πΊπΈUS-Based Servers
π«No Data Selling
πSOC 2 Infrastructure
π Data Encryption
- In transit: All data is encrypted using TLS 1.2+ (HTTPS) between your browser, our servers, and all third-party APIs.
- At rest: All data stored in our database is encrypted with AES-256 encryption via Supabase/AWS.
- Passwords: Teacher passwords are hashed using bcrypt with a unique salt β we never store plaintext passwords.
π Authentication & Access Controls
- Password hashing: bcrypt with salt (industry standard)
- Session management: JWT tokens with expiration
- Data isolation: Teachers can only access their own students' data β strict row-level access controls
- No shared accounts: Each teacher has their own authenticated account
βοΈ Infrastructure
- Database: Supabase, hosted on Amazon Web Services (AWS)
- Server location: United States (US-based data centers)
- Supabase certifications: SOC 2 Type II certified
- AWS certifications: SOC 2, ISO 27001, FedRAMP authorized
- Regular backups: Automated encrypted backups with point-in-time recovery
π€ AI Data Handling
GradingPen uses the Anthropic Claude API for AI grading. Here's how we handle data with our AI provider:
- Essay text and rubric criteria are sent to Anthropic's API via encrypted HTTPS
- Per Anthropic's API data policy, API data is NOT used to train, improve, or develop their AI models
- Anthropic does not retain API inputs or outputs beyond what's needed to provide the service
- Anthropic is SOC 2 Type II certified
- No student data is ever shared with other AI providers
π« What We Don't Do
- No tracking: No third-party analytics, tracking pixels, or behavioral monitoring
- No advertising: No ads, no ad networks, no ad-related data collection
- No data selling: We never sell, rent, or share student data with third parties
- No AI training: Student data is never used to train AI models
- Minimal cookies: Only an authentication token β no tracking cookies
π¨ Incident Response
- 72-hour notification: We notify affected schools/districts within 72 hours of a confirmed data breach
- Incident response plan: We maintain a documented incident response plan
- Breach details: Notifications include nature of breach, data affected, remediation steps, and contact info
- Cooperation: We cooperate fully with schools during breach investigation and remediation
π FERPA Compliance Summary
- We act as a "school official" with legitimate educational interest
- Student data used only for providing grading services
- No disclosure of education records without consent
- Full support for access, amendment, and deletion requests
- Data Processing Agreement available at /dpa.html
Contact for security inquiries: security@gradingpen.com
Frequently Asked Questions
Where is our data stored?
All data is stored on AWS US-based servers via Supabase. Data never leaves the United States.
Do you train AI on student data?
No. We use the Anthropic Claude API, which per their API terms does not use submitted data for model training, improvement, or development. Student data is processed solely to generate grades and feedback.
Can we get our data back?
Yes. Teachers can export all their data (assignments, rubrics, analytics) at any time via Account Settings. Districts can request a full data export by contacting support@gradingpen.com.
Can you delete all our data?
Yes. Teachers can delete all student data or their entire account via Settings. Districts can request complete data deletion, which will be completed within 30 days. Written confirmation is provided upon request.
Is the platform SOC 2 compliant?
GradingPen uses SOC 2 Type II certified infrastructure. Both Supabase (our database provider) and Anthropic (our AI provider) maintain SOC 2 Type II certifications. AWS (underlying infrastructure) holds SOC 2, ISO 27001, and FedRAMP certifications.
Do you support SSO?
SSO (Single Sign-On) support is coming soon for district plans. Contact
support@gradingpen.com to learn more about our enterprise roadmap.
What happens if there's a data breach?
We maintain a documented incident response plan. In the event of a confirmed data breach involving student data, we notify affected schools/districts within 72 hours with full details including the nature of the breach, data affected, and remediation steps taken.