Security & Data Practices

For school leaders and administrators

Overview

Casemate is designed with security and privacy in mind for schools. We collect minimal data and use industry-standard security practices. This document summarizes our approach for schools evaluating the product. For a consolidated view, see our Trust Center.

Data Minimization

No full names. Teachers enter only student initials (e.g., J.M.), grade level, IEP goals, service requirements, and class schedules (e.g., "Math, Room 101"). We do not store Social Security numbers, birth dates, addresses, or full names for students.

Uploaded PDFs are de-identified. When an IEP or assessment is uploaded, PII (names, SSNs, dates of birth, phone numbers, emails, addresses) is stripped before results are stored; names are reduced to initials. This design supports FERPA compliance by minimizing student data.

Authentication & Access Control

Users sign in via Firebase Authentication (Google, email/password). All access requires authentication. Data is stored in Firestore with security rules that enforce role-based access aligned to your organization's structure:

  • Teachers access the students on their own caseload.
  • Teachers in the same school may share school-wide caseloads where the school enables it.
  • Principals may access caseloads within their school; district administrators may access schools within their district.

There is no access across unrelated schools or districts. The rules are enforced server-side by Firestore and cannot be bypassed by the client.

Artificial Intelligence

AI features are processed by default through Google Vertex AI on Google Cloud, under the Google Cloud Data Processing Addendum: content is not used to train models and is processed within a configured region, and requests are authenticated by our service account (no API key is transmitted). Prompts are built from de-identified data and pass an additional PII-scrubbing step before being sent. AI output is always a draft for professional review. Full details are in our AI data governance summary.

Encryption

In transit: All traffic uses HTTPS (TLS 1.2+).
At rest: Data is stored in Google Cloud Firestore, which encrypts all data at rest by default.

Infrastructure

Casemate runs on Google Cloud (Firebase/Firestore, Cloud Functions, Vertex AI, Document AI) and Netlify (hosting). Both are enterprise-grade providers with strong security practices. We do not store data on local servers or personal devices.

Subprocessors

We use the following subprocessors to operate the service:

  • Google Cloud — Firebase Authentication, Firestore, Cloud Functions, Vertex AI, Document AI, Secret Manager
  • Netlify — application hosting / CDN
  • Stripe — payment processing
  • Resend — transactional invitation email (staff addresses only)

Each subprocessor is contractually bound to protect data. We can provide a Data Privacy Agreement (DPA) and current subprocessor list for schools upon request.

Data Retention & Deletion

Users can request deletion of their account and all associated data at any time. We will delete data within 30 days of a valid request, except where retention is required by law. On termination of a school or district agreement, student data is deleted or returned per that agreement.

FERPA Compliance

When a school or district uses Casemate, we act as a school official with a legitimate educational interest under FERPA. We process student data only to provide the service under the district's direction, we do not re-disclose it, and we do not use it for advertising or to train our own models. Schools may require a Data Privacy Agreement or addendum — we are happy to sign one, including the SDPC National Data Privacy Agreement (NDPA).

Security Questions

For security questionnaires, DPAs, or compliance inquiries, contact us at privacy@iepcasemate.com.

See also Trust Center, Privacy Policy, and Terms of Service.