Trust & Security
Enterprise-grade security for K-12 education
- FERPA Compliant: Full educational privacy protection
- COPPA Compliant: Safe for students under 13
- SOC 2 Type II: Enterprise-grade security
- AWS Infrastructure: 99.9% uptime guaranteed
Data Privacy Compliance
FERPA (Family Educational Rights and Privacy Act)
Tappy is fully compliant with FERPA requirements for protecting student education records:
- School Official Status: We act as a "school official" with legitimate educational interest
- Educational Purpose Only: Student data is used solely for educational purposes
- No Secondary Use: We never use student data for advertising or marketing
- No Data Sales: We never sell student data to third parties
- Data Ownership: Districts retain ownership of all student data
- Data Portability: Export your data at any time in standard formats
- Data Deletion: Complete data deletion upon contract termination
COPPA (Children's Online Privacy Protection Act)
Tappy is designed to be safe for students of all ages:
- School Consent: Schools may consent on behalf of parents under the school official exception
- Minimal Data Collection: We collect only what's necessary for educational services
- No Behavioral Advertising: We do not serve ads or create advertising profiles for children
- Parental Rights: Parents can review, request deletion, and refuse further collection
- Age-Appropriate Design: Interface designed for K-12 students
Student Privacy Pledge: Tappy is committed to the Student Privacy Pledge principles, ensuring we safeguard student privacy regarding the collection, maintenance, and use of student personal information.
Infrastructure Security
Amazon Web Services (AWS)
Our platform is hosted on AWS, which maintains industry-leading security certifications:
AWS Certifications
- SOC 2 Type II
- SOC 3
- ISO 27001
- ISO 27017
- ISO 27018
- FedRAMP Authorized
Data Center Security
- US-based data centers
- Physical access controls
- 24/7 security monitoring
- Redundant power and cooling
- Fire detection and suppression
- Geographic redundancy
Application Security
| Security Control | Implementation |
| --- | --- |
| Encryption in Transit | TLS 1.2+ for all connections |
| Encryption at Rest | AES-256 encryption for all stored data |
| Authentication | SSO (SAML 2.0, OAuth) |
| Access Control | Role-based access control (RBAC) |
| Password Security | Bcrypt hashing, complexity requirements |
| Session Management | Secure tokens, automatic timeout |
| API Security | Rate limiting, input validation, CORS |
| Vulnerability Scanning | Regular automated and manual testing |
| Logging & Monitoring | Comprehensive audit logs, real-time alerts |
Data Handling
What We Collect
Required Data
- Username or student ID
- Learning interactions
- Progress and assessment data
Optional Data
- Voice interactions (for voice tutoring)
- Email (for account recovery)
- Grade level and subjects
What We Never Collect
- Social Security numbers
- Financial information from students
- Biometric data
- Location tracking
- Data from third-party social networks
Data Retention
- Active Accounts: Data retained while account is active
- Contract Termination: Data deleted within 30 days of request
- Automatic Cleanup: Inactive guest data purged after 12 months
- Backups: Retained for 90 days for disaster recovery
Incident Response
In the event of a security incident affecting student data:
- Detection: 24/7 automated monitoring and alerting
- Response: Dedicated incident response team
- Notification: Affected districts notified within 72 hours
- Remediation: Root cause analysis and preventive measures
- Documentation: Full incident report provided to affected parties
Third-Party Services
We use limited third-party services, all bound by data protection agreements:
| Service | Purpose | Data Shared |
| --- | --- | --- |
| Amazon Web Services | Infrastructure hosting | All data (encrypted) |
| LiveKit | Voice/video communication | Voice session data |
| Stripe | Payment processing | Billing info (no student data) |
Integrations
Tappy integrates securely with major education platforms:
- Clever: Automated rostering and SSO
- Google Classroom: Assignment sync and SSO
- Schoology: LTI integration
- Canvas: LTI integration