Security & Trust
TruancyTracker handles student attendance records, so security and privacy are built into the product, not bolted on. Here is how we protect your district's data.
Our role with your data
Your district owns its data. We act as a service provider / school official under FERPA: we process student data only to provide the attendance-intervention service you direct, and we never sell it, use it for advertising, or repurpose it. This aligns with FERPA and state student-privacy laws (e.g. California's SOPIPA).
Data isolation
- Each school/district is a separate tenant; every record is scoped to its owner.
- Access is role-based, and every request is checked against the user's own school - an administrator at one school cannot reach another's data. This is enforced in code and verified by automated tests on every release.
Encryption
- In transit: TLS everywhere.
- At rest: sensitive integration credentials are encrypted; passwords are stored only as salted bcrypt hashes, never in plain text.
Access & accountability
- Least-privilege access controls, with administrative access limited and monitored.
- An append-only audit trail records who accessed or changed records, with the actor and source, for accountability and security review.
- Account protections include login rate-limiting/lockout, session timeouts, and forced password rotation after an administrative reset.
Subprocessors
We use a small set of vetted US-based infrastructure providers (cloud hosting, database, and email delivery). Payment processing, when used, is handled by a PCI-compliant provider that never receives student data - only billing contacts. A current subprocessor list and signed data-processing terms are available to customers.
Data ownership, export & deletion
Your data is yours. On request or at the end of a contract, we provide a full export of your data and permanently delete it from our systems.
Compliance approach
We sign district Data Privacy Agreements (including the SDPC "National DPA" and state exhibits), keep data in US regions, and maintain written security, retention, and breach-response practices. Detailed security documentation is available to districts on request.
Contact
For security questions, or to request our security overview or DPA, contact [email protected].