This document is provided for informational purposes during our pre-launch period. A comprehensive, attorney-reviewed version will be published prior to the platform processing student data.
DATA FLOW
Interactive Data Flow Diagram
COMPLIANCE
Compliance Controls
The legal foundations governing how we handle student education records.
Operating under 34 CFR 99.31(a)(1) as a school official.
School consent under the school official exception. No direct collection from children.
Student data is never sold and never used for commercial profiling.
No advertising, no sale, no commercial student profiles.
District owns student data. 90-day deletion. 30-day subprocessor notice.
BAA available. PHI handling protocols aligned to HIPAA Security Rule.
TRUST BADGES
Certifications & Memberships
TECHNICAL CONTROLS
Technical Controls
Six layers of protection applied to every byte of student data.
All data stored on SPEDScribe infrastructure is encrypted using AES-256 with keys managed under a dedicated key management service.
All data transmitted between users, our servers, and AI processing partners uses TLS 1.3, the current version of the TLS protocol.
Every transcript passes through two independent PII scrubbing layers before reaching AI processing. See the Dual-Layer PII Pipeline section below for technical detail.
Providers access only their own session data. Directors see only their district. Admins are separated from production student data.
Districts can enforce SSO authentication through Clever, ClassLink, or Google Workspace. No separate credentials for providers to manage.
All AI processing partners execute zero-data-retention agreements. Student data is processed and immediately discarded — never stored by AI systems.
PII PIPELINE
Dual-Layer PII Scrubbing Pipeline
Two independent PII redaction passes ensure student identifiers never reach the AI model. Every session records exactly how many identifiers each layer caught.
AssemblyAI's ML-based PII detection runs during transcription. Trained on millions of audio samples, it identifies and replaces person names, dates of birth, phone numbers, email addresses, SSNs, healthcare numbers, locations, and organizations directly in the speech-to-text output.
A second, independent pass runs server-side on SPEDScribe infrastructure. Microsoft Presidio ships as a Python-only library, so we implement the equivalent detector design natively in Node.js: seven parallel pattern-matching detectors cover person names (via title-prefix, context, possessive, and speaker-label triggers), SSNs, phone numbers, email addresses, physical addresses, dates of birth (context-keyword windowed), and student ID numbers. A clinical allowlist of 40+ assessment tools and therapy methods (CELF, GFTA, WISC, Lindamood, Orton-Gillingham, etc.) prevents false positives on legitimate clinical terminology.
Every session records the count of PII entities caught by each layer and which categories were detected. Districts can audit exactly what was scrubbed and when.
If Layer 2 encounters an error, the system proceeds with Layer 1 protection only and flags the session as "single-layer-only" so it can be reviewed.
A curated allowlist of 80+ assessment tools, clinical terms, and therapy method names ensures the scrubber never removes legitimate clinical vocabulary from transcripts.
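A minimal sketch of a Layer 2 pass as described above, added here as an illustration and not SPEDScribe's own code: five of the seven detector categories, an allowlist that overrides detector hits, per-category counts, and the single-layer fallback flag. The regexes, function names, the "dual-layer" mode label, the shortened allowlist and the sample transcript are all assumptions constructed for this example.

```javascript
// Added example: patterns, names and sample text are constructed, not SPEDScribe's.
const ALLOWLIST = ["CELF", "GFTA", "WISC", "Lindamood", "Orton-Gillingham"];
const SAMPLE = "Session with Dr. Rivera. Jacob's CELF scores improved; " +
  "Lindamood's sequencing was used. Born 03/14/2015; the next review is 09/01/2025. " +
  "Call 555-010-4477 or mail j.rivera@example.org. SSN 123-45-6789.";

// [start, end) offsets of capture group g for every match of re.
const spans = (text, re, g = 0) => [...text.matchAll(re)].map((m) => {
  const start = m.index + m[0].lastIndexOf(m[g]);
  return [start, start + m[g].length];
});
const DETECTORS = {
  SSN: (t) => spans(t, /\b\d{3}-\d{2}-\d{4}\b/g),
  PHONE: (t) => spans(t, /\(?\b\d{3}\)?[ .-]\d{3}[ .-]\d{4}\b/g),
  EMAIL: (t) => spans(t, /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g),
  // Title-prefix and possessive triggers; only the name itself is redacted.
  PERSON: (t) => spans(t, /\b(?:Mr|Mrs|Ms|Dr)\.?\s+([A-Z][\w'-]+)/g, 1)
    .concat(spans(t, /\b([A-Z][a-z]+)'s\b/g, 1)),
  // Context-keyword window: a date is a DOB only if a birth keyword closely precedes it.
  DOB: (t) => spans(t, /\b\d{1,2}\/\d{1,2}\/\d{2,4}\b/g).filter(([s]) =>
    /\b(?:born|birth|DOB)\b/i.test(t.slice(Math.max(0, s - 20), s))),
};
function scrubLayer2(text) {
  const keep = ALLOWLIST.flatMap((term) => spans(text, new RegExp(`\\b${term}\\b`, "g")));
  const hits = Object.entries(DETECTORS)
    .flatMap(([category, detect]) => detect(text).map(([s, e]) => ({ category, s, e })))
    .filter(({ s, e }) => !keep.some(([ks, ke]) => s < ke && ks < e)) // allowlist wins
    .sort((a, b) => b.s - a.s); // replace right-to-left so offsets stay valid
  const counts = {};
  let out = text, cut = text.length;
  for (const { category, s, e } of hits) {
    if (e > cut) continue; // overlaps a span that was already redacted
    out = out.slice(0, s) + `[${category}]` + out.slice(e);
    counts[category] = (counts[category] || 0) + 1;
    cut = s;
  }
  return { text: out, counts };
}

// If Layer 2 throws, keep the Layer 1 output and flag the session for review.
function scrubSession(layer1Text, layer1Count, layer2 = scrubLayer2) {
  try {
    const { text, counts } = layer2(layer1Text);
    return { text, audit: { layer1Count, layer2Counts: counts, mode: "dual-layer" } };
  } catch (err) {
    return { text: layer1Text, audit: { layer1Count, layer2Counts: null, mode: "single-layer-only" } };
  }
}
```

The fallback path fails open: the transcript still moves on with only Layer 1 redaction, so the `single-layer-only` flag is what a reviewer has to act on.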
RESOURCES
Security Resources
Documentation and tools for district IT teams conducting vendor security reviews.
Pre-filled responses to the 10 most common district IT security questions. Download a print-ready PDF for your vendor review process.
Independent third-party penetration testing of all SPEDScribe infrastructure and application layers. Results available to districts under NDA.
Our full FERPA compliance statement, including school official designation under 34 CFR 99.31(a)(1) and student data rights documentation.
AI TRANSPARENCY
AI Transparency
Our Clinical Intelligence Engine processes de-identified transcripts only. Student names, dates of birth, ID numbers, and other identifiers are removed through a dual-layer PII scrubbing pipeline before any transcript reaches the AI model. Layer 1 (AssemblyAI) operates at transcription time with ML-based detection. Layer 2 is a SPEDScribe pattern-matching scrubber modeled on Microsoft Presidio's detector design, running seven parallel regex detectors with a clinical allowlist that protects assessment terminology. Both layers log metadata so districts can audit exactly what was caught. All AI processing partners execute zero-data-retention agreements. Student data is never used to train AI models. Every AI-generated document requires human review and approval before filing.
INFRASTRUCTURE
Infrastructure
Targeted Q1 2027
Infrastructure providers are ISO 27001 certified
All stored data encrypted with dedicated key management
Continuous backup with point-in-time recovery capability
ROADMAP
Certifications Roadmap
INCIDENT RESPONSE
Incident Response
A dedicated security contact is available at all times for incident triage and response.
Breach notification provided without unreasonable delay as required by FERPA.
Written notification to affected districts within 72 hours of confirmed breach discovery.
Written root cause analysis and remediation report provided to affected districts within 30 days.
CONTACT
Security Contact
To report a security vulnerability, request a security assessment, or ask questions about our compliance posture:
security@spedscribe.ai