Compliance & Data Privacy

How IS3 protects students and meets education law

IS3 is built for K-12 schools and California districts. Below is a point-by-point view of the federal and California privacy, special-education, and accessibility standards we follow, including the items we are still finishing, labeled Planned, Enhancement, or Priority.

Last reviewed June 10, 2026.

Summary: 11 standards covered; 48 controls in place; 17 in progress; 74% coverage (48 of 65 controls).

FERPA

Federal 2 in progress

Protects the privacy of student education records and gives parents the right to access and control them.

  • Protect student/parent contact details at rest (phone field-encrypted; email and DOB kept searchable, protected by storage-layer encryption). [Planned]

    Phone is now field-encrypted. Email and date of birth stay searchable and rely on storage-layer encryption at rest; the remaining step is verifying that disk and backup encryption is enabled on staging and production.

  • Show parents a history of who accessed their child's records. [Enhancement]

    Surface the existing access log in the parent portal.

  • Database-enforced tenant isolation (row-level security) so one district can never see another's records — verified across 208 tables.
  • Tamper-proof, append-only audit log of record activity, retained for 5 years.
  • Parents can formally request to inspect records, with a 5-business-day turnaround (Ed Code §49069).
  • Every document view and download is logged; document links are unguessable and access-controlled.
  • Record-access logging now captures who views IEP, 504, SST, and intervention records — not just student profiles and meetings.

IDEA 2004 — IEP

Federal 1 in progress

Governs how special-education (IEP) services are evaluated, documented, and delivered — with strict parental-consent and timeline safeguards.

  • Require Prior Written Notice before a placement/service change is implemented. [Enhancement]

    Add a confirmation that notice was issued first.

  • Parental consent is enforced — an assessment cannot be approved until consent is signed; revocation is handled.
  • Full timeline tracking: 15-day assessment plan, 60-day evaluation, annual review, triennial re-eval, and 10-day manifestation determination.
  • Procedural safeguards delivery is tracked, including language/interpreter and parent acknowledgment.
  • Transition planning for students 16+ (post-secondary goals, transfer of rights, agency involvement).
  • Prior Written Notice captures all 7 federally required elements; surrogate parents supported.
  • Parent portals show only parent-appropriate fields — staff-only notes are never exposed — and every parent portal now requires a dedicated parent login.

Section 504

Federal 2 in progress

Ensures students with disabilities receive accommodations, with their disability information handled confidentially.

  • Automatic reminders before an annual review or re-eval deadline. [Enhancement]

    Add a scheduled alert ahead of each due date.

  • Require a granted evaluation consent before evaluation tasks begin. [Enhancement]

    Add a consent check at the start of evaluation (publishing is already gated on consent).

  • Consent captured with type, status, method, signature, and expiration.
  • Annual-review and re-evaluation dates tracked with service-level deadlines.
  • Parent portal access is read-only and scoped to a parent's own children.
  • Plans cannot be published until all required signatures are collected.
  • All Section 504 disability information is encrypted at rest: disability descriptions and the major-life-activities list across case, plan, and meeting records.

COPPA

Federal 1 in progress

Limits online collection of personal information from children under 13.

  • Document parental awareness for transition-age student input forms. [Enhancement]

    Add a short parent-notice note to the student-input flow.

  • No analytics, advertising, or behavioral-tracking SDKs anywhere in the app — verified.
  • Students do not have direct login accounts; the platform is used by staff and parents.
  • No third-party cookies, pixels, or trackers that would require consent.

PPRA

Federal 1 in progress

Protects students and families from intrusive surveys and screenings without parental notice.

  • Add transparency and a parent-challenge path for automated at-risk scoring. [Enhancement]

    Document how scores are calculated, require human review, and let parents contest the underlying data.

  • No standalone surveys or self-report instruments collecting protected categories.
  • Behavioral data is staff-entered (incidents), not student questionnaires.
  • Tier 2+ interventions require recorded parental consent before they start.

WCAG 2.1 AA / Section 508

Accessibility 2 in progress

Makes the platform usable by people with disabilities — keyboard, screen-reader, and color-contrast accessibility.

  • Add automated accessibility testing to the build pipeline. [Enhancement]

    Enable expanded a11y linting and runtime axe checks in CI.

  • Publish a formal accessibility conformance report (VPAT). [Enhancement]

    Produce a VPAT 2.x for district procurement.

  • Accessible UI foundation (Radix/shadcn) with full keyboard navigation and focus management.
  • Forms wire labels, error messages, and invalid states for screen readers.
  • Skip-to-content link, page language set, semantic headings, and image alt text.
  • Color theme meets AA contrast for text and background.

SOPIPA / California AB 1584

California 2 in progress

California's student-privacy law: no selling student data, no targeted advertising, and deletion on district request.

  • Formal data agreement for the meeting-transcription service, with no-retention/no-training terms and consent. [Planned]

    The sub-processor and the required action are documented; the remaining step is to execute the DPA and gate transcription on participant consent (a legal/ops step, not a code change).

  • Move student-related email to a contracted, education-compliant provider. [Planned]

    The action is documented; the remaining step is to switch the mail provider, via configuration, to one under a signed DPA (no code change).

  • No targeted advertising, data sales, or ad/analytics infrastructure — verified.
  • Third-party integration credentials are stored encrypted.
  • Scheduled record-retention and destruction routines per California timelines.
  • Published a SOPIPA/AB 1584-compliant Privacy Policy and Terms — no sale of data, no targeted advertising, parental rights, and deletion on request.
  • Districts can request deletion of a student's records and export everything held about a student — with retention-law safeguards.

California Ed Code 49073–49079

California Fully covered

California's student-records rules: directory-information controls, access, and amendment rights.

  • Parents can request record amendments with hearing rights (45-day process, §49070).
  • Parents can inspect records within 5 business days (§49069).
  • Staff access is scoped by role and organization.
  • Per-student directory-information opt-out (§49073) can be recorded and is honored by a disclosure check.

ELOP (Ed Code 8900–8902)

California 1 in progress

Governs Expanded Learning attendance, eligibility, and reporting integrity.

  • Make reported (locked) attendance fully tamper-evident. [Enhancement]

    Enforce immutability on locked attendance and log any unlock.

  • Attendance with check-in/out, hours, source tracking, and an upload audit log.
  • Parent consent (with signature) gates program enrollment.
  • Program eligibility and independent-study master agreements supported.

Data Security

Security 3 in progress

Encryption, access control, audit logging, and breach-response practices that protect all student data.

  • Remove a fallback encryption key so a misconfigured deploy can't use a known key. [Priority]

    Done in code: the app now requires the encryption key from the environment and fails closed if it is missing. Remaining: set FERNET_KEY in the staging/production environment (see docs/COMPLIANCE_REMEDIATION.md).

  • Multi-factor authentication for staff and administrators. [Planned]

    Enable and require TOTP/WebAuthn for staff/admin roles.

  • Enable end-to-end encryption for virtual meetings. [Enhancement]

    Turn on meeting E2EE where the deployment supports it.

  • TLS everywhere in production with HSTS; secure, hardened session cookies.
  • Modern token auth with rotation and revocation, and a password policy with a 12-character minimum length.
  • Role-based access plus database row-level security across all tenants (verified).
  • Uploaded documents are encrypted at rest.
  • A formal breach / incident-response process is in place, with incident tracking and district-notification templates.
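The fail-closed key check described under the fallback-key item above, shown as an added example. This is not IS3's code: it assumes the `FERNET_KEY` variable name from the page, the all-zero key in `KNOWN_FALLBACK_KEYS` is a constructed placeholder (not a key IS3 ever shipped), and `load_fernet_key_with_fallback` is a constructed illustration of the anti-pattern the control removes. The bytes returned by `load_fernet_key` are in the form that `cryptography.fernet.Fernet(key)` accepts; the example validates the key shape itself so it runs without that library.

```python
import base64
import binascii
import os
from typing import Mapping, Optional

# Constructed placeholder for a key that once lived in source. The all-zero key
# is used only so the example runs offline; it is not a key IS3 ever shipped.
# Any key that has ever been committed must be treated as public and refused.
KNOWN_FALLBACK_KEYS = frozenset({
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
})

FERNET_KEY_BYTES = 32  # Fernet keys: 32 random bytes, url-safe base64 (44 chars)


def generate_fernet_key() -> str:
    """Mint a fresh key in Fernet's format (same shape as Fernet.generate_key())."""
    return base64.urlsafe_b64encode(os.urandom(FERNET_KEY_BYTES)).decode("ascii")


def key_problem(env: Mapping[str, str], name: str = "FERNET_KEY") -> Optional[str]:
    """Return None if env[name] holds a usable key, otherwise a short reason.

    Reasons: "missing", "known-fallback", "malformed".
    """
    raw = env.get(name)
    if raw is None or not raw.strip():
        return "missing"
    raw = raw.strip()
    if raw in KNOWN_FALLBACK_KEYS:
        return "known-fallback"
    try:
        decoded = base64.urlsafe_b64decode(raw.encode("ascii"))
    except (binascii.Error, ValueError, UnicodeEncodeError):
        return "malformed"
    if len(decoded) != FERNET_KEY_BYTES:
        return "malformed"
    return None


def load_fernet_key(env: Mapping[str, str] = os.environ,
                    name: str = "FERNET_KEY") -> bytes:
    """Fail closed: raise at startup rather than run with a missing or known key."""
    problem = key_problem(env, name)
    if problem is not None:
        raise RuntimeError(f"{name}: {problem}; refusing to start")
    return env[name].strip().encode("ascii")


# The anti-pattern this control removes, kept only for contrast (constructed).
# With a default value, a deploy that forgets the variable silently encrypts
# every field with a key anyone who has read the source already knows.
def load_fernet_key_with_fallback(env: Mapping[str, str]) -> bytes:
    return env.get("FERNET_KEY",
                   "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=").encode("ascii")


if __name__ == "__main__":
    print(key_problem({}))                                      # missing
    print(key_problem({"FERNET_KEY": generate_fernet_key()}))   # None
```

The check runs once at process start so a misconfigured staging or production deploy dies immediately instead of writing data that was encrypted under a public key; the "known-fallback" branch is what keeps a rollback to an old environment file from quietly reintroducing the removed key.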

Platform & Application Security

Security 2 in progress

Engineering safeguards behind the scenes: secure tokens, tenant isolation, encrypted files, and hardened endpoints.

  • Malware scanning and stricter type/size limits on document uploads. [Enhancement]

    Add a file-type allowlist, size caps, and antivirus scanning.

  • Remove unused legacy tables to keep tenant isolation airtight. [Enhancement]

    Drop the empty orphan user tables that lack row-level security.

  • All unauthenticated links (parent signatures, shared documents) are token-validated and scoped.
  • Signature/login links use strong, single-use, expiring tokens.
  • Login is rate-limited; no SQL-injection exposure.
  • Files are encrypted at rest; cross-tenant access is blocked by design.
  • Production restricts allowed origins; admin access does not over-grant across tenants.
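The token-validated, scoped, single-use, expiring link pattern described in the two bullets above, as an added example rather than IS3's own implementation. The `LinkStore` class, its in-memory table, and the sample values (`district-a`, `parent-signature`, `iep-42`) are all constructed for illustration; a real deployment would back the same logic with a database table.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LinkRecord:
    tenant_id: str      # district the link belongs to
    purpose: str        # what the link may be used for, e.g. "parent-signature"
    resource_id: str    # the single record it unlocks
    expires_at: float   # unix time after which the link is dead
    used: bool = False


def _fingerprint(token: str) -> str:
    # Only this digest is stored. A leaked table row cannot be replayed as a link,
    # because the caller must present the pre-image to match it.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class LinkStore:
    """Constructed in-memory stand-in for the table backing signature/document links."""

    def __init__(self) -> None:
        self._records: Dict[str, LinkRecord] = {}

    def issue(self, tenant_id: str, purpose: str, resource_id: str,
              ttl_seconds: int, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: unguessable
        self._records[_fingerprint(token)] = LinkRecord(
            tenant_id, purpose, resource_id, now + ttl_seconds)
        return token  # goes into the emailed URL; never logged or stored in clear

    def redeem(self, token: str, tenant_id: str, purpose: str, resource_id: str,
               now: Optional[float] = None) -> str:
        """Return "ok" and burn the token, or the reason it was refused.

        Show the user one generic "link invalid" message for any non-ok result;
        the specific reason belongs in the audit log, not the response.
        """
        now = time.time() if now is None else now
        rec = self._records.get(_fingerprint(token))
        if rec is None:
            return "unknown"
        if rec.used:
            return "already-used"
        if now >= rec.expires_at:
            return "expired"
        in_scope = (rec.tenant_id == tenant_id
                    and rec.purpose == purpose
                    and rec.resource_id == resource_id)
        if not in_scope:
            return "scope-mismatch"  # real token used against another tenant or record
        rec.used = True              # single use: a second click or a forwarded email fails
        return "ok"


if __name__ == "__main__":
    store = LinkStore()
    link = store.issue("district-a", "parent-signature", "iep-42", ttl_seconds=3600)
    print(store.redeem(link, "district-a", "parent-signature", "iep-42"))  # ok
    print(store.redeem(link, "district-a", "parent-signature", "iep-42"))  # already-used
```

Three properties do the work: the token is long and random (guessing is infeasible), the stored side is a hash (a database read does not yield working links), and the record pins tenant, purpose and resource (a signature link for one IEP cannot open another district's document even if it is still valid). Expiry and single use limit the window in which a forwarded or intercepted email is useful.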