Trust Center
Trust, Security, and Privacy at SpEd Coach
SpEd Coach supports sensitive educational workflows and records used by special education teams, evaluators, service providers, and the organizations that coordinate this work. Privacy, accountability, and operational clarity are foundational design priorities - not afterthoughts layered on top of a generic productivity tool.
The platform is built for special education operational environments where human review remains central to every meaningful decision. SpEd Coach supports the responsible handling of educational data through tenant-isolated architecture, role-aware workflows, audit visibility, and AI governance designed around reviewer-centered processes.
Questions from procurement or compliance teams? Reach us at support@spedcoach.com.
Our Approach
Security Built Into Daily Workflows
Six operational pillars guide how SpEd Coach handles access, data, and accountability.
- Authenticated sessions, role-aware permissions, and short-lived launch tokens scoped per user and module.
- Each organization operates inside an isolated workspace enforced by row-level security policies.
- Uploaded educational documents are transmitted over TLS and stored behind access-controlled storage.
- Authentication, administrator actions, module launches, and AI invocations are recorded for review.
- AI features are opt-in, scoped per organization, and designed around review-centered workflows.
- Retention, export, and deletion workflows are designed to support customer-controlled data handling.
Scope
What SpEd Coach Helps Organizations Manage
SpEd Coach may help organizations organize, review, and coordinate the following types of sensitive special education workflows and records.
- Individualized Education Programs (IEPs)
- Evaluations and evaluation planning
- ARD / IEP team deliberations
- Related services documentation
- Progress monitoring records
- Accommodations documentation
- Behavioral documentation
- Draft prior written notices
- Scheduling workflows
- Compliance review artifacts
- Parent communication records
- Uploaded educational documents
Organizations are responsible for ensuring their own lawful use and handling of educational records.
Governance
Security Principles
Foundational commitments that shape how features, workflows, and AI capabilities are built.
- Educational determinations require qualified human review. Platform outputs are drafts and working artifacts, not final decisions.
- Members only see what their role and organization require. Access is granted explicitly, not by default.
- Organization data is scoped at the database layer with row-level security, not only enforced in the UI.
- Sensitive actions produce durable audit trails so administrators can reconstruct what happened and when.
- Cross-module handoffs are explicit and signed; the platform avoids hidden side effects across workflows.
- AI is governed per organization and per module. Administrators can disable AI or restrict it to specific workflows.
- Workflows are designed to request only the information needed to complete the task at hand.
Implementation
Technical Security Practices
A conservative summary of how the platform is currently operated. Controls evolve alongside our infrastructure and readiness roadmap.
Educational Records
FERPA-Aware Operational Design
SpEd Coach is designed with awareness of the operational expectations that come with handling educational records.
- Workflows are designed with awareness that educational records may include personally identifiable information.
- Least-access principles limit visibility to the members whose role and organization require it.
- Role-aware workflows separate administrative, operational, and member capabilities.
- Tenant separation prevents cross-organization access at the database layer.
- Audit visibility supports organizational review of who accessed or modified records.
- Document handling is structured to support responsible storage, sharing, and deletion of uploaded materials.
Accountability
Human Oversight and Educational Decision-Making
The platform is designed so qualified humans remain in control of every educational decision.
AI capabilities inside SpEd Coach exist to assist staff with drafting, organization, and review of working artifacts. They do not act as autonomous decision-makers, and they do not finalize work on behalf of an organization.
- AI assists with drafting, summarization, and review support inside workflows.
- Humans remain responsible for every educational determination.
- No autonomous educational decisions are made by the platform.
- No automatic eligibility determinations are produced or applied.
- No automatic placement decisions are produced or applied.
- No automatic finalization of IEPs, prior written notices, or related documents.
- Outputs must be reviewed by qualified staff before any educational use.
AI Governance
AI and Sensitive Data
How AI is positioned, governed, and constrained inside SpEd Coach workflows.
- AI-generated drafts must be reviewed by qualified staff before any educational use, signature, or distribution.
- AI invocations are scoped per organization and per module, with administrator-controlled enablement.
- The platform does not auto-finalize IEPs, PWNs, eligibility determinations, or placement decisions.
- AI is positioned as drafting and review support - not as a replacement for professional judgment.
Readiness
SOC 2 Readiness Roadmap
SpEd Coach is not currently SOC 2 certified. We are following a staged readiness roadmap with realistic milestones.
- 01 Security Foundation: Baseline access controls, tenant isolation, audit logging, and AI governance are in place across the platform.
- 02 Operational Readiness: Policy development, internal review workflows, vendor management documentation, and incident response procedures are being formalized.
- 03 SOC 2 Type I Preparation: Control mapping, evidence collection, and pre-audit readiness review with the goal of a Type I report.
- 04 SOC 2 Type II Maturity: Sustained evidence over an observation window, ongoing governance maturation, and continuous control monitoring.
Current State
Trust Stack
A plain summary of where each area of the platform stands today.
| Area | Current Status |
|---|---|
| Encryption (in transit & at rest) | Implemented |
| Authentication | Implemented |
| Access Controls | Operational |
| Audit Logging | Operational |
| Tenant Segmentation | Implemented |
| AI Governance | Operational |
| Incident Response Planning | In Progress |
| Backup Awareness | Operational |
| Vendor Management | In Progress |
| Operational Monitoring | Operational |
| SOC 2 Type I | Roadmap |
| SOC 2 Type II | Planned |
Vendors
Subprocessors
Infrastructure and operational vendors that support the platform.
| Vendor | Purpose | Status |
|---|---|---|
| Supabase | Managed database, authentication, and storage | Active |
| Cloudflare | Edge delivery, DNS, and runtime infrastructure | Infrastructure Provider |
| Stripe | Payment processing for organization billing | Active |
| Google Gemini | AI model provider for drafting and review assistance | Operational |
| Resend | Transactional email delivery | Active |
| Google Workspace | Internal business communications and operations | Operational |
Lifecycle
Data Retention and Deletion
How data persists, how it can be removed, and where operational backups fit in.
Customer-controlled retention
Organizations control how long records persist inside active workflows, subject to their own policies and obligations.
Operational backups
Managed infrastructure providers maintain backups for disaster recovery. These are not exposed as customer-facing point-in-time restores.
Deletion workflows
Records can be removed through standard product workflows. Deletion takes effect in active systems immediately; backup rotation continues on the provider's schedule.
Account closure handling
When an organization requests closure, active workspace data is removed according to the closure workflow and confirmed back to the organization administrator.
Support-coordinated requests
Bulk deletion, bulk export, and historical record requests can be coordinated through the support workflow.
Closure
Account Closure
Organizations may request account closure at any time. Active workspace data is removed according to the closure workflow. Some data may remain temporarily in operational backups during normal rotation and will age out on the infrastructure provider's schedule.
Closure is handled through a support workflow so the organization administrator can confirm scope and timing.
To begin a closure request, email support@spedcoach.com.
Operations
Incident Response
A calm, procedural approach designed around investigation and communication.
- 01 Identify: Detect and confirm the scope of a potential security event through monitoring, reports, or operational review.
- 02 Investigate: Assess affected systems, data, and tenants. Preserve relevant logs and operational evidence.
- 03 Respond: Contain the issue, apply remediation, and adjust controls to reduce recurrence risk.
- 04 Communicate: Notify affected organizations consistent with applicable obligations and operational policies.
Shared Model
Customer Responsibilities
SpEd Coach provides the platform. Organizations remain responsible for how it is used inside their environment.
- Ensuring lawful use and handling of educational records under applicable law.
- Managing organization-level access, including invitations, role assignments, and offboarding.
- Configuring user permissions appropriately for each staff member's role.
- Training staff on responsible use of the platform and AI-assisted workflows.
- Maintaining secure endpoints, devices, and credentials used to access the platform.
- Reviewing exported content before sharing it externally or with families.
- Meeting the organization's own compliance, retention, and recordkeeping obligations.
Security Reports
Responsible Disclosure
We welcome coordinated disclosure from security researchers and customers. Suspected vulnerabilities or operational security concerns may be reported responsibly and will be acknowledged, reviewed, and prioritized based on impact.
Please avoid publicly disclosing issues before we have had a reasonable opportunity to investigate and remediate.
Reports may be sent to support@spedcoach.com.
FAQ
Frequently Asked Questions
Answers to common questions from administrators, procurement, and compliance reviewers.
Procurement
Vendor Review Readiness
SpEd Coach supports district and organizational procurement processes with documentation that continues to mature.
Ownership
Data Ownership
- Customers retain ownership of the educational data they upload or create inside the platform.
- Organizations control the operational use of their workspace, including roles, AI enablement, and module access.
- Export workflows are available for supported record types; broader exports may be coordinated through support.
- Deletion requests may be submitted by organization administrators through standard product or support workflows.
Built for Trust. Designed for Sensitive Educational Workflows.
SpEd Coach is designed to support responsible, review-centered educational workflows with privacy-aware operational practices and human oversight at the center.
See also the Security Overview and AI Disclosure.