Security & Compliance

• All data encrypted at rest (AES-256) and in transit (TLS 1.3)
• Hosted on US-based infrastructure (Supabase/AWS)
• No student data shared with third parties, ever
• Row-level security enforces role-based access at the database level

• ServeSeal is designed for FERPA compliance
• Student PII is only accessible to authorized school/district personnel
• Parents and eligible students can request data access or deletion
• We sign Data Processing Agreements (DPAs) with districts on request

Contact security@serveseal.org for DPA requests.

• Role-based access: students see only their own data, supervisors see only their queue, school admins see only their school
• All admin actions are logged in an immutable audit trail
• Session tokens expire after inactivity
• Optional SSO via Google Workspace or Microsoft 365

• Every verified hour is cryptographically signed (SHA-256)
• Ledger entries are immutable — no one can alter or delete verified records
• Signature includes: claim ID, hours, service date, supervisor ID, and timestamp

• Student records are retained as long as the district account is active
• Districts can request full data export or deletion at any time
• Student transcripts remain accessible to the student even after graduation or school transfer

Contact hello@serveseal.org for data requests.

• Security incidents are investigated within 24 hours
• Affected parties are notified per FERPA requirements

Contact security@serveseal.org to report a concern.