This Privacy Policy describes how Upstart Education ("Upstart," "we," "us," or "our") collects, uses, discloses, and protects information in connection with the Upstart Education platform (the "Service"). Our Service is a conversational data analytics platform designed for K-12 school districts ("Districts") and their authorized staff members ("Users").
We are committed to protecting the privacy and security of student data. This policy is designed to comply with the Family Educational Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA), the Individuals with Disabilities Education Act (IDEA), and applicable state student data privacy laws.
1. Our Role and Relationship
Upstart Education operates as a "School Official" under FERPA, acting under the direct control of the District for the purpose of providing educational data analytics services. We process student education records solely on behalf of and at the direction of the District.
The District remains the data controller. We are the data processor. The District determines which data is shared with us, which staff members have access, and the terms under which data is handled.
Our Service is provided to Districts under a written agreement that includes data privacy and security commitments consistent with this policy.
2. Information We Process
We process the following categories of information, all of which flow from the District’s Student Information System (SIS) through our authorized data pipeline partner:
Student Education Records (from the District’s SIS)
- Student identifiers (names, student IDs, state student IDs)
- Demographic information (age, grade level, gender, race/ethnicity)
- Enrollment records (school, classes, sections, teacher assignments)
- Attendance records (daily attendance events, absence categories)
- Assessment scores (state assessments, reading screeners, benchmark assessments)
- Academic records (grades, GPA, course transcripts), when available
- IEP/504 plan documents, when uploaded by the District
- Contact information (addresses, phone numbers, email addresses, parent/guardian information)
District Staff Information
- Name and email address (for platform login)
- Role and building assignments (for access control)
- Query history (what questions were asked and when)
Technical Information
- Session data (login times, session duration)
- Browser type and version
- IP address (for security monitoring only, not for tracking)
We do not collect information directly from students. All student data is provided by the District through its SIS.
3. How We Use Information
We use information solely to provide and improve the Service for the District:
Providing analytics
Processing natural language queries against student data and returning results, visualizations, and explanations.
Access control
Enforcing role-based data access so each staff member sees only the data appropriate to their role.
Audit logging
Recording every data access for compliance and accountability.
IEP/504 analysis
When authorized, analyzing IEP and 504 documents to provide accommodation summaries, year-over-year comparisons, and goal-assessment cross-references.
Service improvement
Analyzing query patterns and accuracy metrics (using de-identified, aggregated data only) to improve the platform’s understanding of education terminology and query accuracy.
Security monitoring
Detecting and preventing unauthorized access, anomalous behavior, and potential security threats.
We do NOT use student data to train, fine-tune, or improve any AI or machine learning model; target advertising to students, parents, or educators; build profiles of students; sell, rent, or trade student data; or contact students or parents directly.
4. How We Protect Information
We implement administrative, technical, and physical safeguards to protect student data:
Encryption
- All data is encrypted at rest using AES-256 encryption.
- All data is encrypted in transit using TLS 1.3.
- IEP/504 documents and highly sensitive PII (Tier 1 and Tier 2 data) are encrypted with per-district encryption keys managed through AWS Key Management Service.
Access Controls
- Role-based access enforced at the database level using database-level security policies.
- Five independent security layers validate every data query before results are returned.
- Multi-tenant isolation ensures no district can access another district’s data.
Infrastructure
- All data hosted on Amazon Web Services (AWS) in US-only regions (us-east-1 and us-west-2).
- Production, pre-production, and security environments are fully isolated in separate AWS accounts.
- Multi-layer network isolation ensures the database tier has no direct internet connectivity, even outbound.
- Web Application Firewall, automated threat detection, and continuous compliance monitoring.
Audit and Accountability
- Every data query is logged in an immutable audit trail.
- IEP/504 access has a separate, dedicated audit trail.
- Audit records cannot be modified or deleted by any user, including our own engineering team.
- Audit data is backed up to tamper-proof immutable storage.
Certifications & Programs
- SOC 2 Type I certification targeted for Q3 2026.
- Annual penetration testing by independent security researchers.
- Defined incident response plan with 72-hour breach notification commitment.
- Cyber liability insurance covering K-12 EdTech data incidents.
For a comprehensive view of our security architecture, see our Security & Trust page.
5. AI and Machine Learning
Our Service uses AI (specifically AWS Bedrock, powered by Anthropic’s Claude model) to translate natural language questions into database queries and to analyze IEP/504 documents.
Critical commitments
Zero data retention by the AI provider. AWS Bedrock is configured with zero data retention. Prompts and responses are not stored by AWS and are never used for model training.
What flows to the AI, and what doesn’t. During SQL generation, only the database schema and the user’s question are sent to the AI — no student data. During answer summarization, the query results may pass to the AI to produce the natural-language explanation. AWS Bedrock retains none of it: every prompt, completion, and intermediate result is discarded the moment the response is generated. Bedrock’s default 30-day abuse-monitoring log is also opted out. Student data is never used to train, fine-tune, or improve any AI model.
Exception for IEP/504 analysis. When a user requests IEP/504 document analysis, the document content is sent to AWS Bedrock for processing. This requires verified authorization, per-district encryption, and a dedicated audit trail entry. The AI processes the request and immediately discards all data.
No model training. Under no circumstances is any data (student, staff, or operational) used to train, fine-tune, or improve any AI model. This is enforced by our architecture, not merely by policy.
Private network processing. All AI queries travel through private network connections. Student data never traverses the public internet to reach the AI service.
Anthropic (the AI model provider) never receives or sees your data. AWS Bedrock operates as an intermediary; data is processed within AWS’s infrastructure.
6. Data Sharing and Subprocessors
We minimize the number of entities that process student data.
Amazon Web Services (AWS)
- Purpose: Cloud hosting, AI processing (Bedrock), encryption key management.
- Data accessed: All data (encrypted at rest, processed in US-only regions).
Ednition
- Purpose: SIS data pipeline: connects to the District’s SIS, normalizes data, and delivers it to our platform.
- Data accessed: Student and staff data during transit from SIS to our system.
We do not share student data with any other third party. We do not use OpenAI, Google AI, or any other AI provider. We will provide the District with at least 5 days’ advance written notice before adding any new subprocessor that would have access to student data.
7. Data Retention and Deletion
Active data
Student data is retained for the duration of the District’s contract. Historical data (multi-year assessments, attendance, etc.) remains available for trend analysis.
Audit logs are retained indefinitely in immutable storage for compliance purposes.
Contract termination
All student data is deleted within 60 days of contract termination. This includes:
- Deletion of all database records associated with the District
- Deletion of all IEP/504 documents from encrypted storage
- Destruction of the District’s per-district encryption key, rendering any backup copies of encrypted data permanently unreadable
- Cryptographic verification that data is unrecoverable
- Documentation of the deletion in the audit trail
Annual data review
We conduct an annual review with each District to verify data inventory, usage, and continued necessity.
8. Your Rights and Choices
District rights
- Access to all data we hold on behalf of the District
- Correction of inaccurate data (via SIS, as data flows one direction)
- Deletion of data (upon contract termination or upon request)
- Audit trail access for compliance review at any time
- Designation of authorized staff and their access levels
Parent/guardian rights under FERPA
Parents may inspect and review their child’s education records held by the District. Because we operate as a School Official under the District’s authority, requests to access or amend records should be directed to the District.
The District is responsible for complying with FERPA access and amendment requests. We will cooperate with and support the District in fulfilling these requests.
COPPA compliance
We comply with the Children’s Online Privacy Protection Act (COPPA), including the updated rules effective April 2026:
- We do not collect personal information directly from children. All data is provided by the District through its SIS.
- We maintain a written information security program that addresses the collection, use, and protection of children’s data.
- We do not use children’s data for algorithm training, profiling, or targeted advertising.
- We do not use children’s data for any commercial purpose unrelated to providing the Service.
9. State-Specific Rights
We comply with state-level student data privacy laws in all states where we operate, including but not limited to:
- Compliant with the Illinois Student Online Personal Protection Act (SOPPA) and the Illinois National Data Privacy Agreement (NDPA) framework.
- Compliant with the Massachusetts Student Data Privacy Act and related regulations.
- Compliant with the California Student Online Personal Information Protection Act (SOPIPA) and applicable provisions of the CCPA/CPRA as they relate to educational data.
For state-specific questions, contact us at privacy@upstart.education.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify Districts of material changes at least 30 days before they take effect by email to the District’s designated privacy contact.
The "Last Updated" date at the top of this policy indicates when it was most recently revised.
11. Contact Us
If you have questions about this Privacy Policy or our data practices:
Upstart Education
- Privacy and security inquiries: privacy@upstart.education
- General inquiries: hello@upstart.education
For data privacy complaints, please contact your District’s data privacy officer, who may escalate to us as needed.