Student data privacy isn't a feature we added — it's the architecture: student PII stays local/in-district; only de-identified aggregates ever reach our cloud. The same measurement layer that personalizes learning is what proves outcomes to you.
| Standard | How Reaves Academy meets it |
|---|---|
| FERPA | Operates as a school official under 34 CFR § 99.31(a)(1); the LEA controls all data; export/delete on request; DPA provided. |
| COPPA | School-consent model for districts; verifiable parental consent for individual/family accounts (under 13). |
| State laws (CA SOPIPA + ~130 statutes) | No targeted ads, no sale of student data, no non-educational profiling; data minimization. |
| Student Data Privacy Pledge | Committed to its principles. |
| Accessibility | Targeting WCAG 2.1 AA / Section 508; multi-modal (visual + narrated + gestural) via AI guides. |
Student identifier, grade band, learning progress (SmartScores), usage events.
Biometric data, precise geolocation, advertising profiles.
Show ads to students, sell or trade data, or use data for non-educational purposes.
TLS in transit + encryption at rest · JWT-authenticated APIs with per-request authorization · tenant isolation · rate limiting · audit logging · breach notification without undue delay · US-based data centers (Netlify hosting, Neon Postgres).
The LEA owns and controls all data → export (CSV) or delete anytime → on termination, deletion or return within 45 days with certification. De-identified aggregates only for product analytics.
Netlify (hosting) · Neon (managed Postgres, US). A current list is maintained; material changes are noticed.
We provide a FERPA/COPPA/SOPIPA-aligned DPA for signature during procurement.
Request the DPAContact: Jreaves31@gmail.com · Reaves Labs and Learning, LLC. This summary is provided for procurement review; the executed DPA governs. Compliance language is a template pending final counsel review.