Dashboard
Trust & Privacy
Encryption, isolation, role-based access and regulatory alignment — the three things a head teacher needs answered before signing. Status labels show the platform control baseline, with evidence tags for follow-up verification.
Encryption in transit
All traffic enforced over TLS 1.2+ via Vercel and Firebase. HSTS enabled.
TLS 1.2+ / HSTS
Encryption at rest
Firestore + Cloud Storage encrypt with Google-managed keys (AES-256) by default.
AES-256 GMK
Customer-managed keys (CMEK)
Available on request for Cloud Storage; enable per organisation if your jurisdiction requires it.
On request
Organisation data isolation
Reads and writes are scoped by organisation boundaries in deployed Firestore security rules and server-side org checks.
Deployed Firebase rules + API authorization
Parent visibility
Per-relation `viewGrades` and `viewAttendance` permissions. School admins decide exactly what each parent sees.
parentStudentRelations.permissions
Role-based access control
Six roles enforced server-side: super_admin · admin · head_teacher · head_of_faculty · subject_leader · teacher · student.
types/phase2 · OrganizationRole
Multi-factor authentication
Enabled by enrolling staff via Firebase Auth MFA. Configurable per organisation.
FERPA-aligned practices
Student records access restricted to authorised school staff and verified parents/carers. Data Processing Agreement available on request.
FERPA (20 U.S.C. § 1232g)
COPPA-aligned practices
Under-13 student accounts created only via verified school onboarding. No directed advertising. School acts as agent for parental consent.
COPPA · 15 U.S.C. § 6501
Hong Kong PDPO
Personal Data (Privacy) Ordinance principles applied for HK schools — purpose, accuracy, retention, access, security.
PDPO Cap. 486
These checks are enforced server-side and in Firestore security rules — the UI cannot grant access the rules deny.
| Resource | Super admin | Admin | Head teacher | Teacher | Student | Parent |
|---|---|---|---|---|---|---|
| Whole-school analytics (Attainment Hub) | view, edit | view, edit | view | own classes | — | — |
| Classroom analytics | view | view | view | own classes | — | — |
| Student records & grades | view | view | view | own students | self | linked child (permissioned) |
| Lesson + resource generation | create | create | create | create | — | — |
| Marking + feedback | edit | edit | view | own classes | view own | view linked child |
| Parent-teacher messaging | audit | audit | audit | send + receive | — | send + receive |
| Organisation settings & billing | edit | edit | view | — | — | — |
Need a copy of our DPA or sub-processor list? Email trust@teachai.io.