Security & Compliance

Built to the standards your district already requires.

Parthion is FERPA and COPPA compliant, with SOC 2 Type II certification underway. Student data is encrypted at rest and in transit, isolated by district, and never used to train external AI models. Security isn't a feature — it's a precondition for everything else we build.

Certifications & frameworks

FERPA

Family Educational Rights and Privacy Act — Parthion processes student education records as a school official under district direction, with access strictly limited to legitimate educational interest.

COPPA

Children's Online Privacy Protection Act — collection of personal information from students under 13 occurs only with district authorization, in support of the district's educational mission.

SOC 2 Type II

Security, availability, and confidentiality controls audited against the AICPA Trust Services Criteria. Type II certification in progress; controls already operational.

State Student Privacy Laws

Aligned with state-level frameworks including NY Ed Law 2-d, California SOPIPA, Illinois SOPPA, and Connecticut PA 16-189. District-specific DPAs supported.

Technical controls

Encryption at rest and in transit

AES-256 at rest, TLS 1.3 in transit. Encryption keys managed via AWS KMS with automatic rotation.

Role-based access controls

Granular permissions by role (admin, teacher, special ed, counselor). Every action is logged for audit.

No training on student data

Student data is never used to train external or third-party AI models. AI features run within an isolated district tenant.

Isolated district tenancy

Each district's data is logically isolated. No cross-district queries, no aggregated training corpora.

Full audit logging

Every read, write, export, and configuration change is recorded with user, timestamp, and IP — retained per district policy.

Penetration testing

Annual third-party penetration testing and continuous vulnerability scanning across infrastructure and application layers.

Data handling practices

Data minimization

Parthion ingests only the fields required to power early warning, MTSS, and IEP workflows — nothing more. Districts control what is shared.

Data ownership

Districts own their data. Parthion is the processor, not the owner. Data is returned or destroyed on contract termination per district preference.

No advertising, ever

Parthion does not sell student data, does not serve advertising, and has no advertising business model. Revenue comes from district subscriptions only.

Parental rights

Districts can fulfill FERPA inspection, amendment, and disclosure requests directly within Parthion. Data export tools are built in.

Breach notification

Documented incident response plan with district notification within contractually agreed timeframes (typically 72 hours) of any confirmed incident.

Sub-processors

Limited, named sub-processors (cloud infrastructure, transactional email). Full list and DPAs provided to districts; changes communicated in advance.

Need our security documentation?

District CISOs and DPOs can request our security whitepaper, SOC 2 progress letter, sub-processor list, and a draft Data Processing Agreement.

security@parthion.io
© 2026 Parthion · Whole-Child Early Warning System · All rights reserved