Trust & Compliance Center

Built for schools.
Compliant by design.

Every district procurement team asks the same questions. This page is your single source of truth — data practices, parent rights, DPA, security posture, and subprocessors. Nothing to hide. Everything documented.

✓ COPPA-Aligned
✓ FERPA-Compliant
✓ US Data Residency
⚙ SOC 2 In Progress
GDPR-K Considerations Documented

Student Data

What we collect — and what we don't

We collect the minimum necessary to run a classroom. No PII beyond classroom-assigned identifiers. No behavioral advertising. No third-party data sharing.

✓ What we collect

  • Hero username (chosen by student or teacher — never legal name)
  • Mission progress, quiz scores, XP earned, badges unlocked
  • Pre-assessment and post-assessment results (topic-level)
  • Classroom join code used (links student to teacher dashboard)
  • Session data: IP address + browser type (transient, not linked to identity)
  • Parent email (optional, only if teacher or student provides it for family reporting)

✕ What we never collect

  • Legal name, date of birth, or government ID
  • Physical location (GPS, precise address, or school address tied to student)
  • Biometric data of any kind
  • Behavioral advertising profiles or cross-context tracking
  • Health or disability information
  • Social Security number or financial data

Data Residency: United States only

All student and teacher data is stored in US-based infrastructure (Neon PostgreSQL on AWS US-East, application hosting on Render US). No data is transferred outside the United States.

Parent rights & how to exercise them

Parents and guardians have the right to access, correct, and delete their child's data. We respond to all requests within 45 days.

Right to Access

Parents can request a complete copy of all data we hold on their child, including mission progress, XP, badges, and assessment results.

Right to Correction

If any data is inaccurate, parents can request correction. We will update or annotate the record within 45 days of a verified request.

Right to Deletion

Parents can request full deletion of their child's account and all associated data. We will delete within 30 days and confirm in writing.

How to request: Email privacy@cyberheroeshq.com with subject line "Student Data Request" and include the student's hero username and the school name. We respond within 45 days. District administrators may submit requests on behalf of parents via their school's Teacher Portal.
FERPA Framework

District & school responsibilities

CyberHeroesHQ operates as a school official under the FERPA school official exception (34 C.F.R. § 99.31(a)(1)). The school or district remains the data controller.

1. Teacher-managed accounts

All student accounts are created and managed by teachers through the Teacher Portal. Students never create accounts independently — they join via classroom code (CYBER-XXXX format) issued by their teacher.

2. School as data controller

The school or district controls which students are enrolled, which classrooms exist, and when accounts are terminated. CyberHeroesHQ processes data only as directed — we are the processor, you are the controller.

3. COPPA parental consent

For students under 13, schools act in loco parentis under the COPPA school authorization mechanism (16 C.F.R. § 312.5(b)(1)). By enrolling students under 13, the school represents it has authority to provide consent for educational platform use.

4. Roster maintenance

Schools are responsible for removing students who should no longer have access — e.g., transfers, withdrawals. Account deletion requests should be submitted to privacy@cyberheroeshq.com or via the Teacher Portal.

Third-party vendors & data shared

We use a small, vetted set of subprocessors. We will notify schools of any material changes to this list at least 30 days in advance.

| Vendor | Purpose | Data shared | Region |
|---|---|---|---|
| Neon | PostgreSQL database hosting | All platform data (encrypted at rest) | 🇺🇸 US-East (AWS) |
| Render | Application hosting & deployment | Application code; request logs (IP, timestamp) — no student PII in logs | 🇺🇸 US |
| Postmark | Transactional email (teacher & parent notifications) | Teacher email address, parent email address (if provided), student hero username in notification subject lines | 🇺🇸 US |
| Stripe | Payment processing (Family & District subscriptions) | Billing email, payment card data (held by Stripe — never stored by us). No student data is shared with Stripe. | 🇺🇸 US |
| Anthropic (Claude) | Cipher AI mentor — in-mission hints, streaming chat, post-mission debriefs, and AI-generated remediation challenges | Session-scoped, anonymized input only: current mission context + student message. No PII forwarded. No real name, no email, no student ID transmitted to Anthropic. Conversation history stored in our own DB with 7-day TTL; not shared externally. Anthropic does not train on or store this data under our data processing terms. Per-student rate limit (20 messages/hour) and jailbreak filter enforced before any AI call. | 🇺🇸 US |

Documents

Download for your records

Both documents are current as of the date you download them. For a countersigned DPA, email trust@cyberheroeshq.com.

Data Processing Agreement (DPA)

FERPA school official exception framing, COPPA authorization mechanism, data categories, retention schedule, deletion workflow, security commitments, and subprocessor list. Suitable for district legal review.

⬇ Download DPA (PDF)

Security Overview

Auth model, encryption in transit & at rest, data residency, access controls, incident response procedure, backup & recovery objectives. For district IT and CISO review.

⬇ Download Security Overview (PDF)
Need a custom security review or HECVAT completion? Email security@cyberheroeshq.com with your questionnaire. We aim to respond within 5 business days.

Questions procurement always asks

Answered directly, without weasel words.

Do you sell student data?
No. We do not sell, rent, or broker student data to any third party. Revenue comes from school and family subscriptions — not data monetization.
Do you serve ads to students?
No. The platform contains zero advertising. No ad networks, no behavioral tracking, no cross-site data sharing for advertising purposes.
Can parents opt out or request deletion?
Yes. Email privacy@cyberheroeshq.com. We will delete all data within 30 days and confirm. District admins can also initiate deletion via the Teacher Portal.
Are AI mentors trained on student data?
No. Cipher (our AI mentor) is Socratic by design — it nudges, teaches, and asks questions rather than giving answers. What we send to Anthropic: the current mission context and the student's message, anonymized (no name, no email, no student ID). Anthropic does not train on or retain this data under our data processing agreement. Conversation history is stored in our own database with a 7-day TTL and is never shared with third parties. A per-student rate limit (20 messages/hour) and jailbreak filter run before every AI call. The AI is instructed never to echo, store, or act on any personal information a student might share.
Where is student data stored?
United States only. Database: Neon PostgreSQL on AWS US-East. Application: Render US region. No data is transferred outside the US.
Are you COPPA-compliant?
Yes, with the school authorization mechanism. Schools enroll students under 13 acting in loco parentis per 16 C.F.R. § 312.5(b)(1). We do not independently collect data from children — all accounts are teacher-provisioned.
Do you comply with state student privacy laws?
Our practices are designed to comply with FERPA, COPPA, and major state student privacy laws (SOPIPA, CA SOPPA, NY Education Law §2-d, TX SCOPE Act). For state-specific review, email trust@cyberheroeshq.com.
What happens to data when a pilot ends?
Data is retained for 90 days post-pilot to allow export, then purged. Districts can request immediate deletion at any time. Teachers can export classroom data via the Teacher Portal before the pilot ends.
Trust Package

Request our full Trust Package

For districts with additional procurement requirements, we'll send a complete trust package — including a countersigned DPA, reference contacts, compliance crosswalk, and custom security questionnaire responses.

  • Countersigned Data Processing Agreement
  • Security questionnaire responses (HECVAT, SIG, custom)
  • COPPA / FERPA compliance attestation letter
  • Subprocessor DPAs on request
  • Reference contacts from active district customers
