Last updated: February 18, 2026
Security Features
🔐 End-to-End Encryption
All data is encrypted in transit (TLS/HTTPS) and at rest (AES-256). Your worksheets and materials are protected at every stage.
🏫 FERPA Compliant
We do not collect student PII. TeachTools is designed to support schools' FERPA compliance obligations.
🚫 No Data Training
Your content is NEVER used to train AI models. We use OpenAI's API, which does not train on user data.
🛡️ Enterprise Infrastructure
Hosted on SOC 2 Type II compliant servers. Neon PostgreSQL database with automatic backups and disaster recovery.
🔑 Secure Authentication
Passwords are hashed with bcrypt. Session tokens are encrypted. Multi-factor authentication available on request.
💳 PCI Compliant Payments
Payment processing via Stripe (PCI DSS Level 1). We never store credit card information on our servers.
Trust Badges
- 🔒 AES-256 Encryption
- ✅ FERPA Compliant
- 🛡️ SOC 2 Hosting
- 🚫 No Data Selling
FERPA Compliance
The Family Educational Rights and Privacy Act (FERPA) protects student education records. TeachTools is designed to help schools maintain FERPA compliance:
- No Student PII Collection: We do not ask for or require student names, IDs, grades, or personally identifiable information.
- Teacher Control: Teachers decide what information (if any) to include in worksheet generation prompts.
- Secure Processing: Any student context provided by teachers is processed securely and not stored long-term.
- Data Processing Addendum: Available for school districts upon request (contact support@teachtools.co).
- Access Controls: Only authorized account holders can access their generated materials.
- Audit Logs: Available for districts to track data access and usage.
District Contracts
School districts can request a formal Data Processing Addendum (DPA) that outlines our FERPA compliance commitments and data handling procedures.
Contact: support@teachtools.co for district pricing and contracts.
How TeachTools Handles Student Data
Understanding how student data flows through TeachTools is critical for compliance:
Student Data Flow
✓ What We Do
Process teacher-provided context (e.g., "5th grade math class") to generate relevant content. Context is processed by OpenAI API but NOT stored or used for training.
✗ What We Don't Do
We do NOT collect, store, or require student names, IDs, grades, test scores, or any personally identifiable information.
✓ Teacher-Controlled
Teachers choose what information to include in generation prompts. No student data is required to use TeachTools.
✗ No Third-Party Sharing
We do NOT sell or share data with advertisers, marketers, or data brokers.
AI and Data Training
TeachTools uses AI differently than consumer tools like ChatGPT:
🔑 Key Difference: API vs. Consumer ChatGPT
Consumer ChatGPT: Conversations may be used to train and improve OpenAI's models (unless you opt out).
TeachTools (OpenAI API): Content sent via the API is NOT used to train models. This is a contractual guarantee from OpenAI for API customers.
What this means: Your worksheets, quizzes, and lesson plans remain private and are never used to improve AI models.
Data Retention by OpenAI:
- API requests are retained for 30 days for abuse monitoring only.
- After 30 days, requests are permanently deleted from OpenAI's systems.
- No data is used to train or improve AI models.
- TeachTools stores your generated content in your account so you can access, edit, and reuse it.
Infrastructure Security
🖥️ Hosting & Database
- Render: SOC 2 Type II compliant hosting with automatic HTTPS, DDoS protection, and 99.9% uptime SLA.
- Neon PostgreSQL: Serverless database with encryption at rest, automatic backups, and point-in-time recovery.
- Cloudflare: CDN and DDoS protection for global performance and security.
🔐 Encryption Standards
- In Transit: TLS 1.3 encryption for all data transmission.
- At Rest: AES-256 encryption for all database content.
- Passwords: Bcrypt hashing with per-user salt (never stored in plaintext).
- Session Tokens: Cryptographically secure, rotated regularly.
🔍 Monitoring & Incident Response
- 24/7 Monitoring: Automated alerting for security incidents and system anomalies.
- Breach Notification: We will notify affected users within 72 hours of any data breach.
- Regular Audits: Security reviews and penetration testing conducted regularly.
- Incident Response Plan: Documented procedures for handling security incidents.
Third-Party Services
TeachTools integrates with trusted, security-focused providers:
OpenAI (API)
Purpose: Content generation
Data Usage: NOT used for training
Retention: 30 days for abuse monitoring, then deleted
Compliance: SOC 2 Type II, GDPR
Stripe
Purpose: Payment processing
Data Usage: Only payment information
Compliance: PCI DSS Level 1
Access: Does not access your generated content
Your Data Rights
- Access: Request a copy of all data we store about you.
- Correction: Update your profile and account information at any time.
- Deletion: Delete your account and all associated data (contact support@teachtools.co).
- Export: Download all your generated materials in PDF or DOCX format.
- Portability: Take your content with you if you leave TeachTools.
Security Best Practices for Teachers
How you can help keep your account secure:
- Use a strong password (12+ characters, mix of letters, numbers, symbols).
- Don't share your account with other teachers or students.
- Log out on shared devices (school computers, library, etc.).
- Review generated content before distributing to students (AI is not perfect).
- Avoid including sensitive student information in generation prompts.
- Report suspicious activity immediately to support@teachtools.co.
Questions or Concerns?
If you have questions about security, compliance, or data handling, we're here to help:
- Email: support@teachtools.co
- District Contracts: Request a Data Processing Addendum (DPA)
- Security Issues: Report vulnerabilities to security@teachtools.co
Report a Security Vulnerability
If you discover a security issue, please report it responsibly to security@teachtools.co. We appreciate responsible disclosure and will respond within 48 hours.
This security page is effective as of February 18, 2026.