This is the page your procurement team will ask for. FERPA school official exception, COPPA school authorization, DPA, Security overview, subprocessor list, and parent rights — all in one place. Download what you need, then request the full Trust Package if your legal team requires it.
CyberHeroesHQ operates as a school official under the FERPA school official exception (34 C.F.R. § 99.31(a)(1)). We process student education records only as directed by the school or district — we are the processor, the school is the controller.
CyberHeroesHQ is designed for children ages 8–18. For students under 13, we rely on the school authorization mechanism (16 C.F.R. § 312.5(b)(1)): schools act in loco parentis and provide consent on behalf of parents when they enroll students in a classroom. We do not independently collect data from children — all accounts are created and managed by teachers through the Teacher Portal.
All COPPA data rights requests — access, correction, deletion — are handled within 45 days per FTC guidance.
privacy@cyberheroeshq.com →Our Data Processing Agreement is suitable for district legal review. It covers: FERPA school official exception framing, COPPA school authorization mechanism, categories of data processed, retention schedule, deletion workflow, security commitments, subprocessor list, and signature blocks.
Covers: FERPA school official exception · COPPA authorization · Data categories · Retention & deletion workflow · Security commitments · Subprocessor list · Signature blocks
⬇ Download DPA (PDF)Download our security overview — written for district IT administrators and CISOs. Covers: authentication model, encryption in transit and at rest, data residency, access controls, incident response procedure, backup & recovery objectives.
Covers: Auth model (teacher/student/parent/admin) · Encryption in transit + at rest · US data residency · Access controls · Incident response (72-hour notification) · Backup & recovery (RTO < 4h, RPO < 5 min)
⬇ Download Security Overview (PDF)We use a small, vetted set of subprocessors. We notify schools of any material changes to this list at least 30 days in advance. No student data is shared with ad networks or analytics services.
| Vendor | Purpose | Data shared | Region |
|---|---|---|---|
| Neon (PostgreSQL) | Primary database hosting | All platform data — encrypted at rest (AES-256 via AWS KMS) | 🇺🇸 US-East (AWS) |
| Render | Application hosting & deployment | Application code; request metadata (IP, timestamp) — no student PII in logs | 🇺🇸 US |
| Postmark | Transactional email (teacher & parent notifications) | Teacher/parent email address; student hero username appears only in notification subject lines | 🇺🇸 US |
| Stripe | Payment processing (family & district subscriptions) | Billing email + card data (held by Stripe — never stored by us). No student data goes to Stripe. | 🇺🇸 US |
| Anthropic (Claude) | Cipher AI mentor — Socratic hints, chat, post-mission debriefs, AI-generated remediation challenges | Session-scoped, anonymized only. Current mission context + student message. No real name, email, or student ID. Conversation history in our DB with 7-day TTL, not shared externally. Anthropic does not train on or retain this data. | 🇺🇸 US |
Parents and guardians have the right to access, correct, and delete their child's data. We respond to all requests within 45 days.
Download a complete JSON export of your child's data — hero username, progress, XP, badges, quiz scores — from the Family Dashboard.
Request correction of inaccurate data by emailing privacy@cyberheroeshq.com. We update or annotate within 45 days of verified request.
Permanently delete all your child's data from the Family Dashboard — deletion is immediate and irreversible. Or email privacy@cyberheroeshq.com.
CyberHeroesHQ is the processor — the school or district is the controller. Here's what the district is responsible for under our model.
All student accounts are created and managed by teachers through the Teacher Portal. Students never self-register. They join via classroom code (CYBER-XXXX format) issued by their teacher — no password, no PII required on the student side.
The school or district controls enrollment, classroom existence, and account termination. CyberHeroesHQ processes data only as directed — no independent data collection from students.
Schools act in loco parentis under the COPPA school authorization mechanism (16 C.F.R. § 312.5(b)(1)). By enrolling students under 13, the school represents it has authority to provide consent for educational platform use.
Schools are responsible for removing students who transfer or withdraw. Submit deletion requests to privacy@cyberheroeshq.com or via the Teacher Portal. We respond within 30 days.
Schools are responsible for compliance with applicable state student privacy laws in their jurisdiction (SOPIPA, CA SOPPA, NY Education Law §2-d, TX SCOPE Act, etc.). Email trust@cyberheroeshq.com for state-specific documentation.
Answered directly — no weasel words.
Districts with additional procurement requirements get a complete trust package — countersigned DPA, compliance attestation letter, security questionnaire responses, subprocessor DPAs on request, and reference contacts.
Data access, correction, deletion requests, parental consent questions
privacy@cyberheroeshq.comCountersigned DPA, compliance attestation, procurement requirements
trust@cyberheroeshq.com