Education Privacy Compliance
Last Updated: December 30, 2024
Truvana is designed specifically for California K-12 school districts and public agencies. We are committed to complying with all applicable education privacy laws and protecting student and employee data.
1. FERPA Compliance
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g) protects the privacy of student education records. While Truvana primarily handles employee HR data, we maintain FERPA-compliant practices for any student information that may be referenced in employee records.
Our FERPA Commitments:
- School Official Exception: We operate as a "school official" under FERPA when processing data on behalf of educational agencies, with legitimate educational interests.
- Direct Control: Districts maintain direct control over the use and maintenance of education records through our platform.
- Use Limitation: We use education records only for the purposes specified in our contract with the district.
- Re-disclosure Prohibition: We do not disclose personally identifiable information from education records to third parties without consent.
- Audit Rights: Districts may audit our compliance with FERPA requirements.
Note: Truvana is primarily an employee HR system. Student data should generally not be entered into the system except as incidental to employee documentation (e.g., incident reports involving student interactions).
2. SOPIPA Compliance
The Student Online Personal Information Protection Act (SOPIPA)(California Business and Professions Code § 22584) applies to operators of websites, online services, or applications designed for K-12 school purposes.
SOPIPA Prohibited Activities:
Truvana does NOT and will NEVER:
- Targeted Advertising: Use student information for targeted advertising to students or parents.
- Profile Building: Create advertising or marketing profiles of students.
- Data Sale: Sell student information to any third party.
- Non-Educational Disclosure: Disclose student information for purposes other than the K-12 school purposes for which it was collected.
SOPIPA Required Security:
- Reasonable security appropriate to the nature of the information
- Delete student information upon request within a reasonable timeframe
- Contractual prohibition on unauthorized data use
3. COPPA Applicability Analysis
The Children's Online Privacy Protection Act (COPPA) (15 U.S.C. §§ 6501-6506) applies to online services that collect personal information from children under 13.
COPPA Applicability to Truvana:
Primary Use: Truvana is an employee HR management system designed for use by adult school district employees (administrators, principals, HR staff).
Direct Collection: Truvana does NOT directly collect information from children under 13. Children do not create accounts or interact with the platform.
Incidental Information: If student names or information appear incidentally in employee documentation (e.g., incident reports), this is information provided by adult employees, not collected directly from children.
Our Position:
While COPPA's direct applicability to Truvana is limited given our adult-focused HR platform, we implement COPPA-informed protections as a best practice:
- No accounts for users under 18
- Strong data minimization for any incidental student information
- District control over all data relating to minors
- No behavioral advertising or profiling
4. AB1584 Compliance
California Assembly Bill 1584 (Education Code § 49073.1) establishes requirements for third-party contractors handling student records on behalf of local educational agencies.
AB1584 Contract Requirements:
Our agreements with school districts include:
5. Data Minimization Controls
We implement data minimization principles to collect and retain only the information necessary for legitimate HR management purposes:
- Collection Limitation: Only collect data fields necessary for documented business purposes.
- Purpose Limitation: Data is used only for the purposes for which it was collected.
- Retention Limits: Automatic data deletion after retention periods expire (see Retention Schedule).
- Access Controls: Role-based access ensures employees only see data relevant to their job function.
- Anonymization: Analytics and reporting use de-identified data where possible.
6. Prohibition on Data Resale and Advertising
⛔ We Do NOT:
- Sell, rent, or lease any customer data to third parties
- Use customer data for advertising or marketing purposes
- Share data with data brokers or advertisers
- Create advertising profiles of employees or students
- Display targeted advertisements within the platform
- Monetize customer data in any way beyond the subscription fee
Our Business Model: Truvana generates revenue exclusively through subscription fees paid by customer organizations. We have no financial incentive to misuse your data.
Contractual Guarantee: Our Data Processing Agreement (DPA) includes binding contractual commitments that we will never sell or use your data for advertising.
7. Security Measures
We implement comprehensive security controls to protect education data:
- Encryption: AES-256 at rest, TLS 1.3 in transit
- Access Controls: Multi-factor authentication, role-based permissions
- Audit Logging: Complete audit trail of all data access
- Employee Training: Annual privacy and security training
- Incident Response: 24/7 security monitoring and response
- Vendor Management: All subprocessors vetted for compliance
For detailed security information, see our Security & Compliance page.
8. Questions & Compliance Verification
For compliance questions or to request documentation:
- 📧 Privacy Officer: privacy@truvana.com
- 📧 Compliance: compliance@truvana.com
- 📞 Phone: Available in your customer agreement
We are happy to provide additional documentation, complete vendor security questionnaires, or participate in compliance audits as needed.
9. CSDPA - California Student Data Privacy Agreement
The California Student Data Privacy Agreement (CSDPA) is a standardized contract template developed by the California Privacy Alliance that streamlines vendor agreements between school districts and technology providers.
Our CSDPA Commitments:
- Data Ownership: Districts retain full ownership of all data created in the system
- Export Capability: Full data export available at any time in standard formats
- Breach Notification: 72-hour notification commitment for security incidents
- Data Deletion: Complete deletion within 60 days of contract termination
- Security Standards: AES-256 encryption, TLS 1.3, role-based access controls
Requesting a CSDPA: Contact your Truvana representative to request a signed CSDPA with California K-12 addendum.
10. 1EdTech Trusted Apps Alignment
1EdTech (formerly IMS Global Learning Consortium) develops open standards for educational technology interoperability. Their Trusted Apps Programcertifies applications meeting data privacy and security standards.
TrustEd Apps Criteria We Meet:
- Privacy Policy Transparency: Clear, accessible privacy documentation
- Data Handling Documentation: Documented data flows and retention
- Security Practices: Enterprise-grade security controls
- Accessibility: WCAG 2.1 AA compliance for keyboard/screen reader support
- Data Governance: Clear ownership, retention, and deletion policies
Learn more at 1edtech.org/program/trustedapps ↗
11. Project Unicorn Data Interoperability
Project Unicorn is an initiative for seamless, secure K-12 data interoperability. It brings together education technology companies and school districts to enable systems to exchange data effectively while protecting student privacy.
Our Interoperability Commitments:
- Standard Formats: Data exports available in CSV, JSON, and PDF
- RESTful APIs: Modern API architecture for integration
- Data Documentation: Complete documentation of data structures
- Privacy by Design: Data minimization in all exchanges
- Vendor Flexibility: Easy data migration if you switch providers
Learn more at projectunicorn.org ↗
Related: Privacy Policy | Data Processing Agreement | Security | Sub-processors