Compliance & safeguards

Procurement-grade evidence,
not procurement-grade slogans.

CurioPilot is built for K-12 schools and families who must protect student data under FERPA, GDPR, COPPA, and beyond. This is the verifiable posture.

Download the DPA Talk to our compliance team

Quick reference

Where we stand, by regulation.

RegulationOur postureEvidenceStatus

GDPR (EU)

Compliant. We are processor; you are controller. Article 28 DPA is mandatory.

DPA + sub-processor list + DSAR + erasure flows

Live

UK GDPR + ICO

Compliant. UK-specific clauses available.

UK addendum to DPA

Live

COPPA (US under-13)

Compliant. Verifiable parental consent enforced at the gate.

COPPA gate audit log; consent flow live

Live

FERPA (US K-12)

Compliant as a school official under direct control.

FERPA records review endpoint

Live

CCPA / CPRA (California)

Compliant. We don't sell data. Consumer rights honoured.

Privacy notice + DSAR

Live

PIPL (China)

Limited. Talk to us if China-specific deployment.

Custom DPA

Limited

SOC 2 Type II

In progress. Q3 2026 audit completion target.

Type I readiness completed Q1 2026 (NDA)

In progress

ISO 27001

Roadmap. Not yet pursued.

—

Roadmap

COPPA (US under-13)

Verifiable parental consent, enforced at the gate.

For students under 13, the AI gate `checkCoppaGate()` is called before any personalisation runs. Without verified parental consent on file, the platform serves non-personalised activities only.

Verifiable consent methods supported:

Credit card / payment verification
Government ID upload (with retention controls)
Notarised consent form
Phone verification (where supported by jurisdiction)

Parents can grant or revoke consent any time from their account. Every grant + revocation is audit-logged with timestamp + method.

FERPA (US K-12 records)

Records review, on demand.

Under FERPA, schools can disclose student records to a school official with a legitimate educational interest. CurioPilot operates as a school official under your direct control:

You define what data is shared
We are bound by FERPA's redisclosure restrictions
We don't share student records with anyone outside your direction
You can request a complete records export at any time

Records review endpoint produces all FERPA-relevant records: profile, accommodations, intervention alerts, report-card comments, grades, every submission, and the audit trail of every change. Schools that have requested records typically receive the export within 1 hour.

Security infrastructure

What we do. What we don’t.

What we do

TLS 1.3 everywhere
AES-256-GCM at rest (Firestore)
Field-level encryption on secrets
Firebase Auth with custom claims
Tenant isolation at Firestore-rule level
Boot-time tripwire for leaked secrets
Annual penetration test (NDA-gated results)
24-hour security incident response
PII boundary build-time attestation
Sub-processor list with notice of changes

What we don’t

Store SIS credentials in plaintext
Train models on your students' data
Sell data to advertisers
Allow super-admin access without audit
Use tracking pixels without consent
Lock you in (data export is yours)
Auto-redirect parents by browser language
Send PII to Sentry (it's stripped)
Skip consent gates “for convenience”
Use customer data outside service scope

Sub-processors

Every third party that touches your data.

We commit to 30 days advance notice before adding a new sub-processor. Schools can opt out during the notice period.

Sub-processor	Purpose	Data category	Region	DPA
Google Cloud (Firebase)	Hosting, Firestore, Auth, Cloud Functions	All	EU	DPA
Google AI (Gemini)	AI inference (primary tier)	Redacted prompts only	EU/US	DPA
OpenAI	AI inference (fallback tier)	Redacted prompts only	US	DPA
Anthropic	AI inference (fallback tier)	Redacted prompts only	US	DPA
Stripe	Payment processing (B2C)	Billing data only	EU/US	DPA
SendGrid / AWS SES	Transactional email	Email + name only	Per-tenant choice	DPA
Sentry	Error monitoring	Stack traces, no PII	EU	DPA
Cloudflare	CDN + edge security	Network metadata	Global	DPA
Plausible / Fathom	Marketing site analytics	Non-personal usage data	EU	DPA

The DPA

Read it. Sign it. The platform enforces it.

Our standard DPA is GDPR Article 28-compliant, with optional UK, CCPA, and US state-specific addenda. School admins sign once during onboarding; the platform’s enforceAiConsent() check refuses every AI call without a signed DPA.

Custom DPAs are available on the Campus plan for districts with their own template requirements.

Standard DPA (PDF)

GDPR Article 28-compliant · current version

Custom-template request

Districts with their own DPA template

Read the DPA summary online

Plain-language overview · 5 min read

When things go wrong

24-hour response, transparent communication.

Detection: monitoring + alerts run 24/7.
Triage: incidents categorised by severity within 2 hours.
Notification: data breach involving customer data — notification within 24 hours of confirmation, including scope, impact, and initial remediation.
Communication: status page + direct email to affected DPOs.
Post-mortem: published within 14 days; public version available after sensitive details are redacted.

Recent incidents: No customer-data incidents to date. Internal incidents documented in our security runbooks (NDA-gated for prospective customers).

Common questions

Compliance, in detail.

Are you SOC 2 Type II certified?

Audit in progress; Type II report expected Q3 2026. Type I readiness review completed Q1 2026. We can share the readiness report under NDA.

Where is our data stored?

EU primary (Frankfurt). US secondary (multi-region). Configurable per-tenant on Campus plan. Backups encrypted with separate keys.

Do you have cyber-insurance?

Yes. €5M coverage including notification costs, regulatory fines, and breach response. Certificate available on request under NDA.

Can we run our own DPIA?

Yes — we provide a DPIA template populated with CurioPilot-specific facts to make your assessment fast.

What about Schrems II / international data transfers?

Standard contractual clauses (SCCs) cover EU → US transfers. Sub-processors with US presence are contractually bound to SCC terms. Transfer impact assessment available on request.

How do you handle data subject requests?

Article 15 (export): one click in the parent / school admin account → JSON bundle. Article 17 (erasure): one click → active data removed in seconds; backups purged within 90 days.

Will you sign a BAA (HIPAA business associate agreement)?

We aren't a HIPAA-covered entity by default. K-12 nurse / health records adjacent use cases occasionally trigger HIPAA scope — talk to us if your use case requires BAA.

What's your security questionnaire turnaround?

5 business days for standard questionnaires (HECVAT, SIG-Lite, CAIQ). Custom questionnaires variable.

Send our compliance docs to your DPO.

We’ll prepare a packet specific to your jurisdiction and the regulations that apply. Includes DPA, sub-processor list, security questionnaire, and answers to your specific questions.

Request a compliance pack

Verifiable parental consent, enforced at the gate.

For students under 13, the AI gate `checkCoppaGate()` is called before any personalisation runs. Without verified parental consent on file, the platform serves non-personalised activities only.

Verifiable consent methods supported:

Credit card / payment verification

Government ID upload (with retention controls)

Notarised consent form

Phone verification (where supported by jurisdiction)

Parents can grant or revoke consent any time from their account. Every grant + revocation is audit-logged with timestamp + method.

Records review, on demand.

Under FERPA, schools can disclose student records to a school official with a legitimate educational interest. CurioPilot operates as a school official under your direct control:

You define what data is shared

We are bound by FERPA's redisclosure restrictions

We don't share student records with anyone outside your direction

You can request a complete records export at any time

Sub-processor

Purpose

Data category

Region

DPA

Google Cloud (Firebase)

Hosting, Firestore, Auth, Cloud Functions

All

DPA

Google AI (Gemini)

AI inference (primary tier)

Redacted prompts only

EU/US

DPA

OpenAI

AI inference (fallback tier)

Redacted prompts only

DPA

Anthropic

AI inference (fallback tier)

Redacted prompts only

DPA

Stripe

Payment processing (B2C)

Billing data only

EU/US

DPA

SendGrid / AWS SES

Transactional email

Email + name only

Per-tenant choice

DPA

Sentry

Error monitoring

Stack traces, no PII

DPA

Cloudflare

CDN + edge security

Network metadata

Global

DPA

Plausible / Fathom

Marketing site analytics

Non-personal usage data

DPA

Read it. Sign it. The platform enforces it.

Custom DPAs are available on the Campus plan for districts with their own template requirements.

Procurement-grade evidence,not procurement-grade slogans.

Where we stand, by regulation.

Processor relationship, by design.

Verifiable parental consent, enforced at the gate.

Records review, on demand.

What we do. What we don’t.

What we do

What we don’t

Every third party that touches your data.

Read it. Sign it. The platform enforces it.

24-hour response, transparent communication.

Compliance, in detail.

Send our compliance docs to your DPO.

Procurement-grade evidence,not procurement-grade slogans.

Where we stand, by regulation.

Processor relationship, by design.

Verifiable parental consent, enforced at the gate.

Records review, on demand.

What we do. What we don’t.

What we do

What we don’t

Every third party that touches your data.

Read it. Sign it. The platform enforces it.

24-hour response, transparent communication.

Compliance, in detail.

Send our compliance docs to your DPO.

Procurement-grade evidence,
not procurement-grade slogans.

Procurement-grade evidence,
not procurement-grade slogans.