Trust and compliance

Last updated: May 20, 2026 · Status: private pilot, no public users yet

SofaOps is a small, transparent company. This page is the honest version of what we have today, what our contract covers, and what is still on our roadmap. If your district has a vendor questionnaire, the table below is meant to be the one-page answer to most of it.

Detailed practices live in our privacy policy and security pages. For DPA review, questions about anything below, or anything we missed, write to info@fcgok.com.

District questionnaire, at a glance

Yes · Encryption in transit and at rest
    TLS 1.2+ everywhere with HSTS. Data encrypted at rest in Supabase Postgres and Supabase Storage.

Yes · No tracking, targeted ads, or non-educational use
    Zero third-party analytics or ad pixels on student-facing pages. We never sell data, share it with advertisers, or use it to train AI models.

Yes · FERPA and COPPA-aligned data stewardship
    School-as-agent COPPA flow for under-13 students: the school consents on the parent's behalf for educational use, and the student account carries no email address and no password. FERPA service-provider posture documented in our privacy policy.

Yes · Secure authentication and role-based access controls
    Adults authenticate through Clerk; passwords never reach our servers. Six roles (superadmin, district admin, school admin, teacher, parent, student) are enforced at the database with Postgres row-level security, so the scope check holds even where an application-layer check is missed.

Partial · Single sign-on
    Google sign-in is available today through Clerk; teachers can use their school-issued Google Workspace account if the district allows it. SAML and OIDC federation with a district identity provider is available on request, on a Clerk plan that supports it.

Yes · Uptime monitoring and breach notification
    Uptime monitored continuously through Vercel and Supabase. Public status page at /status. We commit to notifying schools within 72 hours of any confirmed unauthorized access to their data. We do not publish a formal contractual 99.9% SLA yet; the underlying platforms support it, and we will sign one once we move to a Vercel plan that backs it.

Yes · Legal hold and records preservation
    Messages persist by default; we never auto-delete. School and district admins can place a legal hold on any conversation (for subpoenas, FERPA disclosure requests, or Title IX investigations). While a hold is in place, admins cannot tombstone message content (replace it with a "removed" placeholder), and every placement, export, and release is written to an append-only audit log. JSON export of any held thread is one click.

Roadmap · SOC 2 Type II
    SofaOps is not SOC 2 certified yet. Our infrastructure providers are (Vercel, Supabase, Clerk, and Resend each hold SOC 2 Type II reports), so SofaOps inherits audited controls at the platform layer. Inherited controls cover the platforms, not SofaOps's own application code, access management, or operations; those come into scope when we pursue our own SOC 2, which we plan to do once revenue supports it.

Roadmap · iKeepSafe FERPA / COPPA / CalSSPA certifications
    Not certified yet. We follow the practices these certifications attest to (see our privacy policy). We plan to pursue the certifications themselves once revenue supports it.

Partial · Accessibility (WCAG 2.1 AA)
    We design to WCAG 2.1 AA targets (keyboard navigation, contrast, semantic markup, ARIA labels). No formal third-party audit yet. See our accessibility statement for known gaps.

Yes · covered today  ·  Partial · available on request or with caveat  ·  Roadmap · not yet
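The "enforced at the database with Postgres row-level security" line above is the one most district reviewers ask to see substantiated. The block below is an added, illustrative example written for this page; it is not SofaOps's schema or code. It assumes the application sets two transaction-local settings, app.role and app.school_id, before running queries; in a Supabase deployment those values would normally be read from JWT claims instead. The table, the app_claim helper, and the role names are assumptions for illustration.

```sql
-- Added example (not SofaOps's schema or code): row-level security that
-- scopes rows by role and school. Assumes the application sets app.role and
-- app.school_id per transaction with SET LOCAL; a Supabase deployment would
-- usually read these from JWT claims instead.

create table messages (
  id            bigserial primary key,
  school_id     integer     not null,
  author_id     text        not null,
  body          text,
  tombstoned_at timestamptz
);

alter table messages enable row level security;
-- FORCE applies the policies to the table owner as well; only superusers and
-- roles with BYPASSRLS skip them.
alter table messages force row level security;

-- Hypothetical helper: read one claim, NULL if it was never set.
create or replace function app_claim(claim text) returns text
language sql stable as $$
  select nullif(current_setting('app.' || claim, true), '')
$$;

-- Teachers and school admins: only rows in their own school, for reads and
-- writes alike (USING filters SELECT/UPDATE/DELETE, WITH CHECK guards
-- INSERT/UPDATE). An unset or unknown role matches no policy and sees nothing.
create policy school_scope on messages
  for all
  using (
    app_claim('role') in ('teacher', 'school_admin')
    and school_id = app_claim('school_id')::integer
  )
  with check (
    app_claim('role') in ('teacher', 'school_admin')
    and school_id = app_claim('school_id')::integer
  );

-- Superadmins: everything. Policies are permissive, so a row is visible when
-- any policy matches; district admin, parent and student policies follow the
-- same pattern and are omitted here.
create policy superadmin_all on messages
  for all
  using (app_claim('role') = 'superadmin')
  with check (app_claim('role') = 'superadmin');

-- Check: a teacher in school 42 can write to school 42 but not to school 99,
-- and a cross-school read comes back empty rather than raising an error.
begin;
  set local app.role = 'teacher';
  set local app.school_id = '42';
  insert into messages (school_id, author_id, body) values (42, 'tch-1', 'hello');
  -- rejected by WITH CHECK ("new row violates row-level security policy"):
  -- insert into messages (school_id, author_id, body) values (99, 'tch-1', 'x');
  select count(*) from messages where school_id = 99;  -- no rows are visible
commit;
```

Run the check as a non-superuser role: RLS is bypassed by superusers, by roles with BYPASSRLS, and in Supabase by anything holding the service_role key, so those credentials must never sit on a request path that accepts user input.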

What our contract covers

  • Sign your district's NDPA (National Data Privacy Agreement) exhibit, or our equivalent template, on request
  • Sign state-specific addenda on request, including: Oklahoma Student DATA Act (OSDATAA, 70 O.S. §3-168), NY Ed Law §2-d, CA AB 1584, IL SOPPA, and others
  • Notify school administrators within 72 hours of any confirmed unauthorized access to their data
  • Honor legal holds on any conversation: admin places a hold, message tombstoning is blocked, an append-only audit log is kept, and JSON export is available on demand
  • Delete all customer data within 30 days of license termination, with written confirmation
  • Return customer data in standard export formats (CSV for tabular, original files for uploads, JSON for held conversations) on request
  • Provide 30 days' advance written notice before adding or changing a subprocessor
  • Permit a customer's annual security review at no charge
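The legal-hold behaviour promised in the questionnaire table and again in the contract bullet (hold placed, tombstoning blocked, append-only audit log, JSON export) can be enforced in the database rather than in application code. The block below is an added example written for this page, not SofaOps's own schema or code; every table, column and function name in it is an assumption for illustration.

```sql
-- Added example (not SofaOps's schema or code): legal hold enforced by
-- Postgres triggers. One trigger refuses any rewrite of the audit log; the
-- other refuses deletion, body edits or tombstoning of messages in a held
-- conversation. Names are assumptions for illustration.

create table conversations (
  id        bigserial primary key,
  school_id integer not null
);

create table messages (
  id              bigserial primary key,
  conversation_id bigint not null references conversations(id),
  body            text,
  tombstoned_at   timestamptz   -- set when an admin removes content
);

create table legal_holds (
  conversation_id bigint not null references conversations(id),
  placed_by       text not null,
  placed_at       timestamptz not null default now(),
  released_at     timestamptz   -- NULL while the hold is active
);

create table legal_hold_audit (
  id              bigserial primary key,
  conversation_id bigint not null,
  action          text not null check (action in ('place', 'export', 'release')),
  actor           text not null,
  occurred_at     timestamptz not null default now()
);

-- Append-only: no UPDATE, DELETE or TRUNCATE on the audit log.
create or replace function reject_change() returns trigger
language plpgsql as $$
begin
  raise exception 'legal_hold_audit is append-only (% refused)', tg_op;
end $$;

create trigger audit_no_rewrite
  before update or delete on legal_hold_audit
  for each row execute function reject_change();

create trigger audit_no_truncate
  before truncate on legal_hold_audit
  for each statement execute function reject_change();

-- Held conversations: block deletes, body edits and tombstoning.
-- Other columns (a read receipt, say) may still change.
create or replace function enforce_legal_hold() returns trigger
language plpgsql as $$
declare
  conv bigint := coalesce(old.conversation_id, new.conversation_id);
begin
  if exists (select 1 from legal_holds
             where conversation_id = conv and released_at is null) then
    if tg_op = 'DELETE'
       or new.body is distinct from old.body
       or new.tombstoned_at is not null then
      raise exception 'conversation % is under legal hold', conv;
    end if;
  end if;
  return case when tg_op = 'DELETE' then old else new end;
end $$;

create trigger messages_legal_hold
  before update or delete on messages
  for each row execute function enforce_legal_hold();

-- Placing a hold and recording it happen in one transaction, so there is no
-- window in which a hold exists without an audit row or the reverse.
create or replace function place_hold(p_conv bigint, p_actor text) returns void
language sql as $$
  insert into legal_holds (conversation_id, placed_by) values (p_conv, p_actor);
  insert into legal_hold_audit (conversation_id, action, actor)
    values (p_conv, 'place', p_actor);
$$;

-- JSON export of a held thread, audited the same way as a placement.
create or replace function export_hold(p_conv bigint, p_actor text) returns json
language sql as $$
  insert into legal_hold_audit (conversation_id, action, actor)
    values (p_conv, 'export', p_actor);
  select json_agg(m order by m.id) from messages m where m.conversation_id = p_conv;
$$;

-- Check on constructed data: tombstoning a held message raises, and so does
-- any attempt to rewrite the audit log.
insert into conversations (school_id) values (42);
insert into messages (conversation_id, body) values (1, 'keep me');
select place_hold(1, 'school-admin-7');
-- update messages set body = '[removed]', tombstoned_at = now() where id = 1;  -- raises
-- delete from legal_hold_audit;                                               -- raises
select export_hold(1, 'district-admin-3');
```

The triggers stop every ordinary database role, including the application's own, but a superuser can drop them; an audit log that must survive a compromised operator needs a second copy shipped to storage the operator cannot rewrite.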

Subprocessors

These are the vendors we use to run SofaOps. Each one is itself audited; SofaOps inherits their controls at the infrastructure layer. We notify customers 30 days before adding or replacing any subprocessor on this list.

Vendor   | Role                                                                        | Region  | Audits
Vercel   | Application hosting and serverless compute                                  | US      | SOC 2 Type II, ISO 27001
Supabase | Postgres database and file storage                                          | US-East | SOC 2 Type II, HIPAA-eligible
Clerk    | Authentication for teachers, admins, and parents                            | US      | SOC 2 Type II
Resend   | Transactional email delivery (parent invites, newsletters, password resets) | US      | SOC 2 Type II
Groq     | Optional AI assistance for teacher-facing tooling (no student PII sent)     | US      | SOC 2 Type II
Stripe   | Billing for school and district licenses                                    | US      | SOC 2 Type II, PCI DSS Level 1

State student-privacy laws

We support compliance with state-level student data privacy laws through our standard practices (data minimization, no commercial use of student data, deletion on request, and the security obligations these laws place on operators). Where a state requires a signed attestation or rider, we sign it.

State      | Law                                        | Our posture
Oklahoma   | Student DATA Act (OSDATAA, 70 O.S. §3-168) | Data minimization, secure storage, deletion on request, no commercial use of student data. Practices on our /privacy page satisfy the operator obligations; written attestation available on request.
California | AB 1584 / SOPIPA                           | Operator obligations covered by our privacy policy. Written rider available.
New York   | Ed Law §2-d (Parents' Bill of Rights)      | Parents' Bill of Rights addendum available on request.
Illinois   | SOPPA                                      | School contract template available.

What we are working toward

We are not going to claim certifications we do not have. Here is what we plan to add as the company grows, in the order we plan to add it:

  1. Public incident history. The /status page reports uptime today; a public incident log alongside it is low cost and ships as soon as we have public traffic.
  2. Third-party accessibility audit. Independent WCAG 2.1 AA review with a remediation plan.
  3. iKeepSafe FERPA and COPPA certifications. Pursued once paid school revenue supports the audit fee.
  4. SOC 2 Type II. Pursued once we have multi-district paying customers. This is a 9 to 12 month process and we will not start it until the company can fund it without compromise.

How to evaluate us

  • Send your district vendor questionnaire to info@fcgok.com. We turn it around in five business days.
  • Request our DPA template, or send us yours.
  • Request a security review call. We will walk you through this page line by line and answer anything we have not addressed.
  • Pilot with a single classroom before signing a school or district contract. We prefer it; it sets honest expectations on both sides.