Security & Compliance

Protecting student data is our top priority. Learn about the security measures we implement to keep your information safe.

Encryption

All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.

Access Controls

Role-based access controls ensure users only see data they are authorized to view.

Secure Infrastructure

Hosted on SOC 2 Type II certified cloud infrastructure with redundancy and automatic backups.

Regular Audits

Annual penetration testing and continuous security monitoring to identify and address vulnerabilities.

Employee Training

All team members receive security awareness training and follow strict data handling procedures.

Incident Response

Documented incident response procedures with notification within 72 hours of any data breach.

FERPA Compliance

Galaxy Math is designed to comply with the Family Educational Rights and Privacy Act (FERPA). We act as a "school official" under FERPA, meaning:

  • We only use education records for the purposes for which they were disclosed
  • We do not re-disclose personally identifiable information without consent
  • We support schools in meeting their FERPA obligations
  • Parents and eligible students can request access to their education records

COPPA Compliance

We comply with the Children's Online Privacy Protection Act (COPPA) by:

  • Collecting minimal personal information from students
  • Not collecting email addresses or contact information from children
  • Relying on school consent under FERPA for students in school settings
  • Providing parents with the ability to review and delete their child's data
  • Not enabling children to publicly share personal information

State Student Privacy Laws

We maintain compliance with various state student privacy laws including:

  • SOPIPA (California): We do not use student data for behavioral advertising or build profiles for non-educational purposes
  • NY Education Law 2-d: We maintain appropriate data security protections and limit third-party access
  • Colorado: We support data protection agreements and transparent data practices

We sign Data Privacy Agreements (DPAs) with schools and districts upon request.

Data Retention & Deletion

We retain student data only as long as necessary to provide our educational services:

  • Data is retained for the duration of the school's or organization's subscription
  • Upon termination, data is deleted within 30 days unless a longer retention is requested
  • Teachers and parents can delete individual student accounts at any time
  • We provide data export in standard formats upon request

Third-Party Services

We carefully vet all third-party services that may have access to data:

  • Cloud Hosting: Microsoft Azure (SOC 2 Type II certified)
  • Payment Processing: Stripe (PCI DSS Level 1 compliant)
  • Email: SendGrid (SOC 2 certified) - teacher/parent communications only
  • Error Monitoring: Sentry (SOC 2 Type II certified) - no PII collected

Student data is never shared with third parties for advertising or marketing purposes.

Security Contact

To report a security vulnerability or ask questions about our security practices:

Email: security@galaxymath.io

We respond to security reports within 48 hours and acknowledge responsible disclosure.