Student Data Privacy Consortium (SDPC) Vendor Questionnaire

SafeClass Shield, Inc. - Responses
Date Completed: January 1, 2026
Completed By: Data Protection Officer

ABOUT THIS QUESTIONNAIRE

The Student Data Privacy Consortium (SDPC) created this standardized questionnaire to help educational institutions evaluate vendor data privacy and security practices. SafeClass Shield completes this questionnaire annually and makes it available to all current and prospective school customers.

Our Commitment: All responses are accurate as of the date completed. We will notify customers of any material changes within 30 days.

SECTION 1: COMPANY INFORMATION

1.1 Company Legal Name:
SafeClass Shield, Inc.

1.2 Product/Service Name:
SafeClass Shield Digital Safety and Parental Control Platform

1.3 Company Address:
[Company Address]
[City, State, ZIP]

1.4 Primary Contact for Privacy:
Data Protection Officer
Email: dpo@safeclassshield.com
Phone: 1-800-SAFEKID, Option 4

1.5 Year Founded:
[Year]

1.6 Number of Employees:
[Number]

1.7 Number of K-12 School Customers:
[Number] schools and [Number] school districts

SECTION 2: DATA COLLECTION AND USE

2.1 What types of student data does your product/service collect?

\u2611 Student name
\u2611 Student ID number (assigned by school or generated by system)
\u2611 Student grade level
\u2611 Student age/date of birth
\u2610 Student address
\u2610 Student email (not collected directly; may be accessed via Google Classroom integration)
\u2610 Student phone number
\u2610 Student social security number
\u2611 Student device activity (websites visited, apps used, screen time)
\u2611 Academic information (assignments, due dates, submission status from Google Classroom)
\u2610 Disciplinary records
\u2610 Health information
\u2610 Special education/504/IEP information
\u2610 Biometric information
\u2610 Geolocation data (precise GPS)
\u2610 Photos or videos
\u2611 Other: Parent-child chat messages (encrypted), content blocking events

2.2 How is student data collected?

\u2611 Directly from the school (via CSV upload or school admin portal)
\u2611 From students' devices (monitoring agent installed on school-issued or parent-managed devices)
\u2611 From third-party integrations (Google Classroom API with school authorization)
\u2610 From students directly (students do not create accounts or provide data directly)
\u2611 Automatically through technology (device monitoring agent, browser extension)

2.3 For what purposes do you use student data?

\u2611 Provide the core educational service (digital safety monitoring, parental controls)
\u2611 Improve or develop new features
\u2611 Perform analytics to understand usage patterns (aggregated, de-identified)
\u2610 Market or advertise to students
\u2610 Create individual student profiles for non-educational purposes
\u2611 Communicate with parents/guardians (safety alerts, reports)
\u2610 Other: [Specify]

2.4 Do you use student data for targeted advertising?

\u2610 Yes
\u2611 No

Explanation: SafeClass Shield does not use student data for any advertising purposes. The platform is completely ad-free.

2.5 Do you create student profiles for non-educational purposes?

\u2610 Yes
\u2611 No

Explanation: Student profiles are created solely for educational and safety purposes as authorized by parents or schools.

2.6 Do you sell or rent student data?

\u2610 Yes
\u2611 No

Explanation: SafeClass Shield does not and will never sell or rent student data to any third party.

SECTION 3: DATA SHARING AND DISCLOSURE

3.1 With whom do you share student data?

\u2611 No one (except service providers necessary to operate the platform)
\u2611 Service providers/subcontractors (see list below)
\u2610 Other educational institutions
\u2610 Researchers (only aggregated, de-identified data)
\u2610 Government entities (only in response to lawful subpoena or court order)
\u2610 Parents/guardians (yes, parents have full access to their child's data)
\u2610 Other: [Specify]

3.2 List all subcontractors/service providers with access to student data:

3.3 Do subcontractors have direct access to student data?

\u2611 Yes (AWS and Google host our infrastructure)
\u2610 No

All subcontractors are bound by Data Processing Agreements (DPAs) that:

• Restrict use of data to providing services to SafeClass Shield
• Require same level of data protection as SafeClass Shield
• Prohibit re-disclosure without authorization
• Require return or destruction of data upon contract termination

3.4 Do you share de-identified or aggregated student data?

\u2611 Yes (only when properly de-identified per FERPA \u00a7 99.31(b) and cannot be re-identified)

Use cases: Product improvement, research on digital safety trends, industry benchmarking

SECTION 4: DATA SECURITY

4.1 What technical safeguards protect student data?

\u2611 Encryption of data at rest (AES-256)
\u2611 Encryption of data in transit (TLS 1.3)
\u2611 Firewall protection
\u2611 Intrusion detection/prevention systems
\u2611 Multi-factor authentication for administrative access
\u2611 Role-based access controls (RBAC)
\u2611 Regular security vulnerability scans
\u2611 Annual third-party penetration testing
\u2611 Security monitoring and alerting (SIEM)
\u2611 Automated security patching
\u2611 Database activity monitoring
\u2611 End-to-end encryption (for parent-child chat)
\u2611 Other: Password hashing with bcrypt, API rate limiting, DDoS protection

4.2 What administrative safeguards are in place?

\u2611 Employee background checks
\u2611 Employee training on data privacy and security
\u2611 Confidentiality agreements for all employees
\u2611 Incident response plan
\u2611 Business continuity and disaster recovery plan
\u2611 Data breach notification procedures
\u2611 Regular internal security audits
\u2611 Third-party security assessments (SOC 2 Type II annual)
\u2611 Security policies and procedures documentation
\u2611 Other: Annual FERPA and COPPA training for employees with student data access

4.3 What physical safeguards protect data?

\u2611 Secure data centers (AWS-operated) with:

• 24/7 security guards and video surveillance
• Biometric access controls
• Redundant power and network
• Fire suppression and climate control
• Geographic replication for disaster recovery

\u2611 Clean desk policy for office employees
\u2611 Locked cabinets for physical documents (minimal physical records)
\u2611 Visitor sign-in and escort policy
\u2611 Badge access to offices

4.4 Have you experienced a data breach in the past 3 years?

\u2610 Yes
\u2611 No

If yes, describe: [N/A]

4.5 Security Certifications:

\u2611 SOC 2 Type II (annual audit)
\u2611 ISO 27001:2013 Information Security Management
\u2610 ISO 27018:2019 Personal Data Protection in the Cloud
\u2610 FedRAMP Authorized
\u2610 StateRAMP Authorized
\u2610 HITRUST CSF Certified
\u2611 PCI DSS (via Stripe for payment processing)
\u2610 Other: [Specify]

Available upon request: SOC 2 report (under NDA), ISO 27001 certificate, penetration test summary

SECTION 5: DATA RETENTION AND DELETION

5.1 How long do you retain student data?

\u2611 Duration of contract with school
\u2611 Specific retention period: 30 days post-termination (grace period for data export)
\u2610 Indefinitely
\u2610 Other: [Specify]

Detailed retention schedules:

• Active accounts: Duration of subscription
• Post-termination: 30-day export period, then permanent deletion within 60 days
• De-identified analytics: May be retained indefinitely (no longer PII)
• Audit logs: 1 year

5.2 Can schools request deletion of student data?

\u2611 Yes, at any time

How: Email deletion-requests@safeclassshield.com or use in-app bulk deletion tool

Timeline: Deletion completed within 30 days; backups deleted within 90 days

5.3 What is your data deletion/destruction method?

\u2611 Cryptographic erasure (destroy encryption keys)
\u2611 Overwriting data (DoD 5220.22-M standard)
\u2611 Physical destruction (for hardware decommissioning)
\u2610 Other: [Specify]

5.4 Do you return data to schools upon contract termination?

\u2611 Yes, schools have 30 days to export data via self-service portal or request bulk export

Format: CSV, JSON, or PDF reports

SECTION 6: PARENTAL RIGHTS

6.1 Can parents access their child's data?

\u2611 Yes (for personal accounts, parents have full dashboard access)
\u2611 Via school (for school accounts, schools control access per FERPA)

6.2 Can parents request deletion of their child's data?

\u2611 Yes (for personal accounts)
\u2611 Through school (for school accounts, per school's FERPA procedures)

6.3 Can parents correct inaccurate information?

\u2611 Yes (parents can update child profile information)
\u2611 Via school (for school-provided data)

SECTION 7: COMPLIANCE

7.1 Is your service compliant with the following laws/regulations?

\u2611 FERPA (Family Educational Rights and Privacy Act)
\u2611 COPPA (Children's Online Privacy Protection Act)
\u2611 PPRA (Protection of Pupil Rights Amendment)
\u2611 CCPA/CPRA (California Consumer Privacy Act/Privacy Rights Act)
\u2611 California AB 1584 (SOPIPA - Student Online Personal Information Protection Act)
\u2611 New York Education Law \u00a7 2-d
\u2611 Illinois SOPPA (Student Online Personal Protection Act)
\u2611 Texas Education Code Chapter 32
\u2610 GDPR (General Data Protection Regulation) - applicable if serving EU students
\u2610 PIPEDA (Canada) - applicable if serving Canadian schools
\u2610 Other: [Specify]

7.2 Do you have a Student Privacy Pledge signatory?

\u2611 Yes (Future of Privacy Forum Student Privacy Pledge)
\u2610 No

7.3 Are you willing to sign a Data Protection Agreement (DPA)?

\u2611 Yes, we provide a standard DPA and can accommodate reasonable modifications

7.4 Do you have Cyber Liability Insurance?

\u2611 Yes
Coverage amount: $5 million
Coverage includes: Data breach response, legal fees, regulatory fines, business interruption

SECTION 8: TRANSPARENCY

8.1 Is your Privacy Policy publicly available?

\u2611 Yes
URL: https://safeclassshield.com/privacy-policy

8.2 Do you provide annual transparency reports?

\u2611 Yes (or plan to)
URL: https://safeclassshield.com/transparency-report

8.3 Will you notify schools of changes to your privacy practices?

\u2611 Yes, at least 30 days in advance for material changes

8.4 Do you have a bug bounty or responsible disclosure program?

\u2611 Yes
Contact: security@safeclassshield.com
Details: https://safeclassshield.com/security/responsible-disclosure

SECTION 9: ATTESTATION

SafeClass Shield, Inc. attests that the information provided in this questionnaire is accurate and complete as of the date indicated. We commit to:

1. Using student data only for educational purposes
2. Not selling or renting student data
3. Not using student data for targeted advertising
4. Implementing industry-standard security measures
5. Complying with FERPA, COPPA, and applicable state laws
6. Notifying schools of data breaches within 48 hours
7. Deleting student data upon request or contract termination
8. Undergoing annual third-party security audits
9. Maintaining required insurance coverage
10. Updating this questionnaire annually

Signature:
[Data Protection Officer Name]
Data Protection Officer
SafeClass Shield, Inc.

Date: January 1, 2026

SUPPORTING DOCUMENTATION

The following documents are available upon request to support this questionnaire:

1. Privacy Policy (public: https://safeclassshield.com/privacy-policy)
2. Data Security Policy (public: https://safeclassshield.com/data-security-policy)
3. FERPA Compliance Statement (public)
4. COPPA Compliance Statement (public)
5. Data Processing Agreement (DPA) template
6. State-specific Data Protection Addenda (e.g., NY, IL, CA)
7. SOC 2 Type II Report (under NDA)
8. ISO 27001 Certificate (public)
9. Penetration Test Summary (under NDA)
10. Subcontractor List with DPAs
11. Data Retention and Deletion Policy
12. Incident Response and Breach Notification Plan
13. Cyber Insurance Certificate of Coverage
14. Sample Parent Consent Forms (for COPPA)

To request documentation:
Email: institutional-compliance@safeclassshield.com
Phone: 1-800-SAFEKID, Option 2

This questionnaire is reviewed and updated annually or when material changes occur.

SafeClass Shield, Inc.
Committed to Student Privacy and Transparent Data Practices