StarGrader's commitment to protecting student data through industry-leading privacy standards and comprehensive security measures.
Prepared in compliance with New York Education Law § 2-d and 8 NYCRR Part 121 | March 2026
Aligned with Student Data Privacy Consortium standards across 16+ states.
TLS 1.2+ in transit, AES-256 at rest via Google Cloud KMS.
Student data is never sold, shared for advertising, or used for AI model training.
StarGrader implements all data security and privacy requirements specified in the DPA throughout the contract term. As a cloud-hosted SaaS platform built on Google Cloud Platform (GCP), security and privacy controls are embedded in the platform architecture and maintained continuously.
The Founder & CEO serves as the designated privacy officer and is directly responsible for ensuring ongoing compliance with all contract obligations, including FERPA, COPPA, and applicable state privacy laws. Compliance is reviewed on an ongoing basis, and any material changes to the platform that affect data handling will be communicated to the LEA in advance.
The designated privacy officer (Founder & CEO) oversees all data handling practices. Access to production systems is limited via Google Cloud IAM with multi-factor authentication (MFA). Data handling policies are documented and reviewed regularly.
Student data is processed only for providing grading services as requested by the instructor. No student data is used for advertising, marketing, profiling, or AI model training. Data retention follows the terms of the DPA.
All data encrypted in transit (TLS 1.2+) and at rest (AES-256 via Google Cloud KMS). Authentication via Firebase with secure session management. Payments handled by Stripe (PCI DSS Level 1). Infrastructure on GCP with SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, and FedRAMP compliance.
The Founder & CEO is the only individual with access to production systems and student data, and maintains current knowledge of FERPA, COPPA, and applicable state student data privacy laws.
Subprocessors (Google Cloud Platform, Stripe, Google Gemini API) are bound by their own enterprise data processing agreements and compliance certifications. No subprocessor has independent access to student data outside of the services they provide.
If StarGrader expands staffing, all personnel with access to student data will receive training on applicable federal and state privacy laws prior to gaining access.
All subprocessors are bound by written agreements that include data protection obligations:
Any future employees or contractors who require access to student data will be required to sign confidentiality agreements that incorporate the data protection requirements of the DPA.
Google Cloud Platform provides built-in monitoring and alerting for unauthorized access attempts, anomalous activity, and system intrusions. Security alerts and access logs are monitored on an ongoing basis.
In the event of a confirmed breach involving student PII, StarGrader will notify the affected LEA within 72 hours of confirmation, providing: the nature of the incident, types of data involved, estimated date and scope, and a description of the incident.
Upon discovery, StarGrader will immediately secure affected systems, assess scope, preserve evidence, implement corrective measures, and cooperate fully with the LEA, law enforcement, and applicable state agencies.
Upon written request from the LEA, StarGrader will export all student data in a standard machine-readable format (CSV or PDF) and provide it to the LEA within 60 days of the request, or within the timeframe specified by applicable state supplemental terms. The LEA may also direct StarGrader to delete all student data in lieu of transfer.
Upon termination of the DPA or upon written request, StarGrader will securely delete all student data from its systems, including all copies stored in Google Cloud Firestore and Google Cloud Storage.
Deletion is performed using Google Cloud's built-in secure deletion mechanisms, which overwrite data in accordance with NIST SP 800-88 guidelines. StarGrader will provide written certification to the LEA confirming the date and method of data destruction within 30 days of completing the deletion.
StarGrader's data security and privacy practices are designed to align with participating LEAs' policies. StarGrader will review each Subscribing LEA's Data Security and Privacy Policy (and, for New York LEAs, the Parents Bill of Rights for Data Privacy and Security) upon execution of Exhibit E, and will ensure its practices are consistent with the LEA's applicable policies.
Where an LEA policy imposes a more restrictive requirement, StarGrader will comply with the more restrictive requirement.
StarGrader's data privacy practices comply with the following federal and state regulations:
StarGrader's data security and privacy program aligns with the NIST Cybersecurity Framework v1.1 as detailed below.
| Function | Category | StarGrader Response |
|---|---|---|
| IDENTIFY | Asset Management | Maintains inventory of all systems handling student data: GCP (Firestore, Cloud Storage, Cloud Functions), Firebase Authentication, Google Gemini API (enterprise tier), and the StarGrader web application. All managed through Google Cloud Console with role-based access. |
| IDENTIFY | Business Environment | Provides AI-powered grading and feedback tools to K-12 and higher education. Protecting student work and instructor data is essential to the service. |
| IDENTIFY | Governance | Published Privacy Policy and Terms of Service. DPA establishes the regulatory framework. Founder & CEO serves as designated privacy officer monitoring compliance with FERPA, COPPA, and state laws. |
| IDENTIFY | Risk Assessment | Periodic reviews consider sensitivity of student data, threat landscape for cloud SaaS, and impact of unauthorized access. GCP security monitoring supplements internal assessments. |
| IDENTIFY | Risk Management Strategy | Low risk tolerance for unauthorized access to student PII. Leverages GCP's enterprise-grade security for infrastructure while maintaining application-level controls. |
| IDENTIFY | Supply Chain Risk Mgmt | Subprocessors limited to GCP, Google Gemini API, Stripe, and Firebase — all selected based on security certifications and enterprise DPAs. No independent access to student data. |
| PROTECT | Access Control | Firebase Authentication with email/password and Google OAuth. Secure session tokens with auto-expiration. Faculty access scoped to own data. Production access via GCP IAM with MFA. |
| PROTECT | Awareness & Training | Founder maintains current knowledge of FERPA, COPPA, and state privacy laws. Subprocessors maintain their own training programs per SOC 2, ISO 27001, PCI DSS. |
| PROTECT | Data Security | Encryption in transit (TLS 1.2+) and at rest (AES-256 via Google KMS). Student data not used for AI training, advertising, or profiling. Payment data handled exclusively by Stripe. |
| PROTECT | Info Protection Processes | Documented data handling procedures for collection, processing, storage, and deletion. Published Privacy Policy and Terms of Service. Changes communicated to LEAs in advance. |
| PROTECT | Maintenance | Infrastructure managed by GCP under shared responsibility model. Security patches applied automatically. Application updates tested before deployment through controlled release. |
| PROTECT | Protective Technology | GCP firewalls, DDoS protection, intrusion detection, network segmentation. All traffic over HTTPS. Content Security Policy headers and browser security mechanisms. |
| DETECT | Anomalies & Events | GCP monitoring for anomalous activity including unusual access patterns, failed authentication, and unexpected data transfers. Alerts configured for potential security events. |
| DETECT | Continuous Monitoring | Google Cloud Audit Logs, Cloud Monitoring, and Security Command Center provide ongoing visibility into system activity, resource access, and potential threats. |
| DETECT | Detection Processes | Detection maintained through GCP security monitoring infrastructure. Alerts and logs reviewed regularly. Capabilities evaluated and updated as platform evolves. |
| RESPOND | Response Planning | Incident response plan includes: immediate containment, scope assessment, LEA notification within 72 hours, evidence preservation, root cause remediation, and documentation. |
| RESPOND | Communications | Incident communications with LEAs, state agencies (including NYSED CPO), and law enforcement as required. Founder & CEO is primary point of contact. |
| RESPOND | Analysis | Root cause analysis following incidents to determine how the incident occurred, what data was affected, and which vulnerabilities were exploited. Findings documented and shared with affected LEAs. |
| RESPOND | Mitigation | Immediate containment (revoking credentials, isolating systems), vulnerability remediation, and additional controls to prevent recurrence. |
| RESPOND | Improvements | Lessons learned incorporated into security practices including monitoring rules, access controls, and incident response procedures. |
| RECOVER | Recovery Planning | GCP Firestore replication across multiple availability zones. Multi-region infrastructure provides automatic failover. Recovery designed for minimal data loss. |
| RECOVER | Improvements | Recovery planning updated based on lessons learned. Post-incident reviews assess effectiveness and identify improvements. |
| RECOVER | Communications | During and after recovery, coordinates with affected LEAs for status updates, service restoration confirmation, and relevant findings. Managed by designated privacy officer. |