Trust Center
How Casemate protects student data — for district privacy officers, IT, and legal counsel.
The short version
| Student data collected | Minimal & de-identified — initials, not full names. No SSNs, DOBs, or addresses stored. |
| FERPA role | We act as a school official with legitimate educational interest, under district direction. |
| AI provider | Google Vertex AI (Google Cloud) by default; not used to train models; region-pinned. |
| Data Processing Agreement | Available on request — including the SDPC National Data Privacy Agreement (NDPA). |
| Encryption | TLS 1.2+ in transit; encrypted at rest (Google Cloud). |
| Data selling / ads | Never. No advertising, no model training on your data. |
Data minimization
Casemate is built to hold as little student data as possible. Teachers enter initials, grade level, IEP goals, services, and schedules. When IEP or assessment PDFs are uploaded, personally identifiable information is stripped before results are stored — names are reduced to initials, and SSNs, dates of birth, phone numbers, emails, and addresses are removed.
FERPA & state student-data-privacy laws
When a school or district uses Casemate, we operate as a school official with a legitimate educational interest under FERPA (34 CFR § 99.31(a)(1)): we use student data only to provide the contracted service under the agency's direction, we do not re-disclose it, and we do not use it for our own purposes. We sign Data Privacy Agreements, including the SDPC National Data Privacy Agreement (NDPA) and state-specific exhibits (e.g., NY Education Law § 2-d, Illinois SOPPA, California). Contact us for an executed agreement.
AI data governance
Some features use generative AI (IEP/assessment extraction, present levels, progress statements, and standards-aligned activities). The default path runs through Google Vertex AI on Google Cloud:
- Covered by the Google Cloud Data Processing Addendum — content is not used to train Google's models.
- Processed within a configured Google Cloud region.
- Authenticated by our service account — no API key is transmitted.
- Prompts are built from de-identified data and pass an additional PII-scrubbing step before being sent.
- AI output is a draft; a qualified educator reviews and finalizes all AI-assisted IEP content.
A district or organization may optionally use its own AI key (BYOK), in which case those requests use that customer's own provider relationship.
Access control
Access follows your organization's structure and is enforced server-side: teachers see their own caseload; same-school teachers may share caseloads where enabled; principals see their school; district administrators see their district. There is no access across unrelated schools or districts.
Subprocessors
- Google Cloud — Firebase Authentication, Firestore, Cloud Functions, Vertex AI, Document AI, Secret Manager
- Netlify — application hosting / CDN
- Stripe — payment processing
- Resend — transactional invitation email (staff addresses only)
Common questions
Do you sell or share student data?
No. We never sell student data and never share it for advertising or marketing.
Is our data used to train AI models?
No. The default Vertex AI path is covered by the Google Cloud DPA, which prohibits using customer content to train Google's models. We also do not train any of our own models on student data.
Will you sign our DPA?
Yes. We sign the SDPC NDPA and state exhibits, and can review a district's own agreement. Email privacy@iepcasemate.com.
Where is data stored and processed?
In Google Cloud, with AI processing pinned to a configured region. Encrypted in transit and at rest.
What happens to data when we stop using Casemate?
Student data is deleted or returned per your agreement; account data is deleted within 30 days of a valid request.
Contact
For DPAs, security questionnaires, or compliance inquiries: privacy@iepcasemate.com
See also our Privacy Policy, Security & Data Practices, and Terms of Service.