Security & Privacy
Built with student privacy at the foundation.
In K-12, data privacy is not a feature — it is a prerequisite. EdLoop's security architecture, governance policies, and compliance posture are designed to meet the highest standards districts require.
Security & Compliance
FERPA Aligned
Designed to operate within FERPA requirements. We function as a School Official with legitimate educational interest.
AES-256 Encrypted
All data is encrypted at rest and in transit, using AES-256 encryption with TLS 1.3 for all connections.
US Data Residency
All student data stored in the United States on SOC 2-compliant infrastructure.
DPA Ready
We review and sign district-standard Data Processing Agreements. Our template is also available.
SOC 2 Readiness
Actively pursuing SOC 2 Type II certification with controls already in place for security, availability, and confidentiality.
COPPA Awareness
EdLoop does not collect personal information directly from students under 13 without school/district authorization.
Data Governance
How we handle student data
Every data decision at EdLoop starts with one question: is this in the best interest of students and the districts that serve them?
Data Minimization
We collect only the data necessary to deliver learning insight. No behavioral tracking, no advertising profiles, no unnecessary data retention.
Retention & Deletion
Districts control data retention timelines. Upon contract termination, all student data is permanently deleted within 30 days, with written confirmation provided.
Transparency
Districts maintain full visibility into what data is collected, how it is processed, and where it is stored. We publish our data practices and update them proactively.
Access Controls
Role-based access ensures teachers see only their students, principals see their school, and district leaders see aggregate data. No one accesses more than they need.
FERPA Posture
Our commitment to FERPA alignment
School Official Exception
EdLoop is designed to operate within FERPA requirements. We function as a School Official under the School Official Exception (34 CFR 99.31(a)(1)), with a legitimate educational interest in the data we process. This means districts can share education records with EdLoop without requiring parental consent, provided a proper agreement is in place.
Data Processing Agreements
We review and sign district-standard Data Processing Agreements that define the scope of data access, permitted uses, security obligations, and breach notification requirements. Our legal team is experienced with state-specific DPA frameworks including the Student Data Privacy Consortium (SDPC) National DPA template.
Data Minimization & Purpose Limitation
EdLoop collects only the student data necessary to deliver structured feedback and learning insight. We do not sell student data. We do not use student data for advertising. We do not retain data beyond the district-agreed retention period. Access is strictly limited to personnel with a legitimate educational need.
Access Controls & Audit Trails
Role-based access controls ensure that users only access data relevant to their role. All data access is logged and auditable. Administrative actions are tracked with immutable audit trails. Districts can request access logs at any time.
Technical Architecture
Security at every layer
EdLoop's infrastructure is built on defense-in-depth principles, with security controls at the network, application, and data layers.
Encryption
All data is encrypted with AES-256 at rest and TLS 1.3 in transit. Database-level encryption is applied with managed key rotation. No unencrypted data leaves our systems.
US Data Residency
All student data is stored exclusively in the United States on SOC 2 Type II-compliant cloud infrastructure. No data is transferred internationally.
Authentication & Access
SSO/SAML integration for enterprise plans. Multi-factor authentication available for all admin accounts. Session management with automatic timeout and audit logging.
Incident Response
Documented incident response plan with 24-hour notification commitment for confirmed breaches. Annual security review and penetration testing by third-party auditors.
Security Questions
Common security and privacy questions
Request our security documentation
Our team will provide your procurement office with our full security package, including SOC 2 report, DPA template, and data flow documentation.