Security & Privacy

How we protect student data and support FERPA-aligned workflows

Security Overview
SpEd Bot is designed with security as a foundational principle

Student educational records are sensitive and protected under federal law (FERPA). SpEd Bot implements multiple layers of security to help keep data private and protected.

  • Encrypted in Transit
  • Encrypted at Rest
  • Row-Level Security
  • FERPA Aligned

Encryption

In Transit

All data transmitted between your browser and our servers is encrypted using TLS 1.3 (HTTPS). This protects your data from being read or modified by third parties while it is in transit.

At Rest

All data stored in our database is encrypted using AES-256 encryption, the same standard used by banks and government agencies.

Data Isolation

Row-Level Security

Our database enforces strict row-level security policies. Because these access rules are checked by the database itself, you can only access your own students' data, even if there were a bug in our application code.

Account Isolation

Each user account is completely isolated. There is no shared access between accounts, and administrators cannot view your student data.

Authentication

Secure Login

We use industry-standard authentication powered by Supabase Auth. Passwords are hashed using bcrypt and never stored in plain text.

Password Requirements

Passwords must be at least 12 characters and contain uppercase, lowercase, and numeric characters.

OAuth Options

Sign in with Google for additional security through provider-managed authentication.

Infrastructure

Cloud Hosting

Our application is hosted on Vercel with automatic SSL certificates, DDoS protection, and global CDN distribution.

Database

Data is stored in Supabase (PostgreSQL) with automated backups, point-in-time recovery, and SOC 2 Type II compliance.

AI & Privacy
How we use AI while protecting student privacy

Our AI features (Buddy chat and report generation) are designed with privacy in mind:

  • No Last Names: Student last names are never sent to AI. Only first names are used when needed.
  • No Data Retention: We use OpenAI's API (not ChatGPT), which does not retain data sent for processing. Your session data is not used to train AI models.
  • Minimal Data Sent: Only the specific context needed to answer a request is sent (notes, goals, or report details).
  • You Control the Output: AI-generated content is always presented as a draft for your review. You have full control to edit before finalizing any report.

FERPA Alignment
Family Educational Rights and Privacy Act

FERPA protects the privacy of student education records. As a tool used by special education professionals, we are committed to supporting your compliance obligations:

  • Student data is only accessible to the account that entered it
  • No sharing of personally identifiable information (PII) with third parties
  • Secure storage and transmission of all educational records
  • You maintain control over your data and can export or delete it at any time
  • AI processing excludes student last names and identifying information

Questions about security or privacy? Contact us at hello@spedbot.app