Security & Compliance Whitepaper
Version: 2.0 (Enhanced) | Date: December 2025
Prepared for: Wisconsin K-12 School Districts, Private Schools, and Charter Schools
Provider: NAS (Neeraj's AI Services) | Contact: Dr. Neeraj Agrawal, Founder & CEO
Email: nas.neeraj@gmail.com | Website: nasneeraj.com
Executive Summary
At NAS, we understand that protecting student data is not just a technical requirement—it is a moral imperative. This document outlines the comprehensive security measures, compliance frameworks, and infrastructure standards employed by the NAS Student Information System (SIS) and Learning Management System (LMS).
Our Commitment
- Full WSDPA Compliance - Ready to sign the Wisconsin Student Data Privacy Agreement immediately
- Enterprise-Grade Security - SOC 2 Type 2 certified infrastructure without the enterprise price tag
- Transparent Operations - Complete visibility into our security practices and compliance measures
- Local Support - Wisconsin-based development and support team
- Affordable Pricing - 40% cost savings vs. legacy vendors
1. Compliance Alignment
NAS is fully committed to complying with federal and state regulations governing student privacy.
1.1 Wisconsin Statute § 118.125 (Pupil Records)
We adhere strictly to Wisconsin's pupil records law, which governs the confidentiality and disclosure of pupil records.
Compliance Measures:
- ✅ All student data is treated as confidential "Pupil Records"
- ✅ No disclosure to third parties without explicit LEA authorization
- ✅ Parent/guardian consent required for any external disclosure
- ✅ Annual notification of parental rights regarding pupil records
- ✅ Secure storage and access controls for all pupil records
- ✅ Audit trail of all access to pupil records
Legal Citation: Wis. Stat. § 118.125
1.2 FERPA (Family Educational Rights and Privacy Act)
NAS acts as a "School Official" with a "legitimate educational interest" under FERPA.
FERPA Compliance Framework:
- Data Ownership: The LEA retains full ownership of all student data. NAS has no ownership rights to student data. Student data is never sold or used for commercial purposes.
- Data Control: LEAs can access all student data at any time, request corrections, request deletion (subject to legal retention requirements), and use data export tools.
- Parental Rights: Parents have the right to inspect and review student records, request amendment of inaccurate records, and opt-out of directory information disclosure.
- No Ad-Mining: We never scan student data for advertising or marketing purposes, create student profiles for commercial use, or share student data with advertisers.
Legal Citation: 20 U.S.C. § 1232g, 34 C.F.R. Part 99
1.3 WSDPA (Wisconsin Student Data Privacy Agreement)
We are ready and willing to sign the standard WSDPA (WI-NDPA V1) with any Wisconsin district, contractually binding us to these privacy standards.
WSDPA Readiness:
- ✅ Pre-prepared WSDPA contract template available
- ✅ All required provisions included
- ✅ Ready to execute immediately upon LEA request
- ✅ No additional compliance costs
1.4 COPPA (Children's Online Privacy Protection Act)
Where applicable, NAS complies with COPPA requirements for children under 13 years of age.
- ✅ Parental consent mechanisms
- ✅ Limited data collection (only what's necessary)
- ✅ Parental review and deletion rights
- ✅ Clear privacy notice to parents
- ✅ Reasonable security measures
Legal Citation: 15 U.S.C. §§ 6501-6506
2. Security Infrastructure
NAS leverages world-class, SOC 2 Type 2 certified cloud infrastructure providers to ensure maximum security and reliability.
2.1 Infrastructure Components
| Component | Provider | Certification Status | Data Location |
|---|---|---|---|
| Database Hosting | Supabase (AWS) | SOC 2 Type 2, HIPAA Ready | United States (AWS) |
| Cloud Computing | Vercel / AWS | SOC 2 Type 2, ISO 27001 | Global CDN |
| Identity Management | Supabase Auth | SOC 2 Type 2 | United States (AWS) |
| Email Service | Resend | SOC 2 Type 2 | United States |
| File Storage | Supabase Storage (AWS S3) | SOC 2 Type 2 | United States (AWS) |
3. Technical Security Controls
We employ "Defense in Depth" strategies to secure data at every layer of our application stack.
3.1 Encryption
Data at Rest
- Algorithm: AES-256 (Advanced Encryption Standard)
- Standard: Industry standard for banking and government data
- Scope: All pupil records stored in databases
- Key Management: Managed by Supabase (AWS KMS)
- Backup Encryption: All backups encrypted with AES-256
Data in Transit
- Protocol: TLS 1.2 or higher (Transport Layer Security)
- Enforcement: Unencrypted traffic (HTTP) is automatically rejected
- Certificate Management: Automatic SSL/TLS certificate provisioning
- Perfect Forward Secrecy: Enabled for all connections
- HSTS: HTTP Strict Transport Security enabled
3.2 Access Control & Authentication
Role-Based Access Control (RBAC)
- Strict Permission Levels: Five distinct roles (SuperAdmin, Admin, Teacher, Guardian, Student)
- Principle of Least Privilege: Users only have access to data necessary for their role
- Role Verification: All roles verified at authentication and enforced at database level
Row-Level Security (RLS)
- Database-Level Enforcement: RLS policies applied directly to PostgreSQL database
- 100% Coverage: All tables have RLS policies enabled
- School-Level Isolation: Users can only access data from their assigned school
- Role-Based Filtering: Data filtered based on user role and permissions
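The following is an added illustration of how school-level isolation and role-based filtering are enforced with PostgreSQL row-level security; it is not the NAS schema or its actual policies. It assumes a profiles table that maps each login to one school and one of the five roles, and that the application sets a per-connection parameter app.user_id (a plain PostgreSQL setting used here in place of a hosted auth helper).

```sql
-- Added illustration (not NAS's production schema): school-level isolation and
-- role-based filtering enforced by PostgreSQL row-level security (RLS).
-- Assumed: a profiles table (login -> school, role) and an app.user_id setting
-- that the application sets on each connection before running queries.

CREATE TABLE schools  (id serial PRIMARY KEY, name text NOT NULL);
CREATE TABLE profiles (
  user_id   uuid PRIMARY KEY,
  school_id int  NOT NULL REFERENCES schools(id),
  role      text NOT NULL
    CHECK (role IN ('SuperAdmin','Admin','Teacher','Guardian','Student'))
);
CREATE TABLE students (
  id          serial PRIMARY KEY,
  school_id   int  NOT NULL REFERENCES schools(id),
  guardian_id uuid,            -- login of the parent/guardian
  user_id     uuid,            -- the student's own login, if any
  full_name   text NOT NULL
);

-- Who is calling? Returns NULL when app.user_id is unset, which makes every
-- policy below evaluate to NULL (not true), i.e. no rows are visible at all.
CREATE FUNCTION current_profile() RETURNS profiles LANGUAGE sql STABLE AS $$
  SELECT * FROM profiles
   WHERE user_id = current_setting('app.user_id', true)::uuid
$$;

-- Enable RLS and FORCE it so the table owner is filtered too.  Note that
-- superusers and roles with BYPASSRLS still skip RLS, so the application
-- must connect as an ordinary role for these policies to mean anything.
ALTER TABLE students ENABLE ROW LEVEL SECURITY;
ALTER TABLE students FORCE ROW LEVEL SECURITY;

-- School-level isolation: staff see every student, but only in their school.
CREATE POLICY staff_same_school ON students FOR SELECT
  USING (school_id = (current_profile()).school_id
         AND (current_profile()).role IN ('SuperAdmin','Admin','Teacher'));

-- Role-based filtering: guardians and students see only their own rows.
CREATE POLICY guardian_own_children ON students FOR SELECT
  USING (guardian_id = (current_profile()).user_id);
CREATE POLICY student_self ON students FOR SELECT
  USING (user_id = (current_profile()).user_id);

-- Writes: Admins only, and WITH CHECK blocks inserting rows for another
-- school even when the caller is an Admin of their own.
CREATE POLICY admin_write ON students FOR ALL
  USING      (school_id = (current_profile()).school_id AND (current_profile()).role = 'Admin')
  WITH CHECK (school_id = (current_profile()).school_id AND (current_profile()).role = 'Admin');
```

The same pattern is applied to profiles and every other table so that coverage is complete; a quick check is `SELECT relname FROM pg_class WHERE relkind = 'r' AND NOT relrowsecurity` run in the application schema, which should return no rows.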
4. Data Protection & Privacy
4.1 Data Minimization
We collect only the minimum Student Data necessary to provide the Services:
- Student names, dates of birth, enrollment information
- Guardian/parent names, email addresses, phone numbers
- Academic records (grades, assignments, assessments)
- Attendance records (daily logs)
- Financial transaction records (fees, payments)
Data NOT Collected:
- Social Security Numbers (SSN)
- Protected Health Information (PHI) under HIPAA
- Biometric data
- Location tracking data (except as needed for attendance)
4.2 Data Ownership
All Student Data remains the exclusive property of the LEA and the student. Provider acknowledges that it has no ownership rights to Student Data.
4.3 Prohibited Uses
Provider SHALL NOT:
- Sell Student Data to any third party
- Use Student Data for advertising or marketing purposes
- Use Student Data for any purpose other than providing the Services
- Disclose Student Data to third parties except as expressly permitted
- Mine Student Data for commercial purposes
- Create profiles of students for non-educational purposes
5. Incident Response & Breach Notification
5.1 Security Breach Notification
In the event of an unauthorized disclosure of Student Data, Provider shall:
- Notify the LEA within 72 hours of discovery
- Provide detailed information about the breach
- Cooperate with the LEA in investigating and remediating the breach
- Comply with all applicable breach notification laws
6. Audit & Monitoring
6.1 Audit Logs
Provider shall maintain comprehensive audit logs of:
- All access to Student Data
- All modifications to Student Data
- All exports or transfers of Student Data
- All security events and incidents
Audit Trail Retention: Audit logs shall be retained for a minimum of one (1) year or as required by law.
7. Data Retention & Deletion
7.1 Retention Period
Provider shall retain Student Data only for as long as:
- Necessary to provide the Services
- Required by applicable law (Wis. Stat. § 16.61 - minimum 7 years for public records)
- Authorized by the LEA
7.2 Deletion Upon Termination
Upon termination of this Agreement or upon written request by the LEA:
- Provider shall delete or return all Student Data within thirty (30) days
- Provider shall provide written confirmation of deletion
- Provider may retain de-identified, aggregated data for service improvement (with LEA consent)
8. Contact & Support
For questions about security, compliance, or to request a WSDPA contract:
Dr. Neeraj Agrawal, Founder & CEO
NAS (Neeraj's AI Services)
Email: nas.neeraj@gmail.com
Website: nasneeraj.com
Document Version: 2.0 | Last Updated: December 2025 | Next Review: December 2026