Compliance posture
- FERPA-aligned. Our K-12 DPA and rostering practices are designed to support FERPA-covered institutions.
- COPPA-compliant DPA available for districts serving students under 13.
- SOC 2 Type II in progress. Timeline available on request under NDA.
- GDPR. EU users' personal data is processed on a legitimate-interest / contract basis, with a DPA available on request.
StudyPod is not currently HIPAA, PCI, or FedRAMP certified.
Data handling
- Encryption. TLS 1.2+ in transit, AES-256 at rest.
- Residency. Primary storage is in the United States.
- Retention. Account data is retained while your account is active. On deletion, data is removed within 30 days, including from backups.
- Model training. Your uploads and interactions are never used to train foundation models.
Sub-processors
We use a short list of vendors to run StudyPod. If we add a sub-processor, we update this list.
- Supabase — managed database, auth, and object storage.
- Cloudflare — CDN, DNS, and edge compute.
- Lovable AI Gateway — routes AI model requests. Providers behind the gateway are contractually prohibited from training on our data.
- Resend — transactional email.
- Stripe — payment processing (when Scholar billing is enabled).
Incident response
We monitor for security anomalies 24/7 via our infrastructure providers and application-level alerts. In the event of a material incident affecting user data, we will notify affected users and relevant regulators within the timelines required by applicable law, and provide a post-incident report.
Requests from procurement
Security questionnaires, DPAs, and compliance packets: security@studypod.app. Typical turnaround is one business week.