Built for schools. Secured for students.
GradingPal is designed from the ground up to meet the privacy and security requirements of K-12 institutions. FERPA, COPPA, SOPIPA, and NY Ed Law 2-d compliant — with full legal documentation published and a custom DPA ready to sign for your district.
Compliance you can count on
GradingPal meets the legal standards required to use student data in K-12 settings.
Student education records are handled in full compliance with the Family Educational Rights and Privacy Act.
View Student DPAChildren's data is protected in line with the Children's Online Privacy Protection Act. Schools provide authorization under the school operator exception.
COPPA authorization detailsWe do not use student data for targeted advertising or profiling. NY Education Law 2-d vendor certification is included in our Student DPA.
NY vendor certificationWe've appointed DataRep as our EU/UK representative and rely on Standard Contractual Clauses and the EU-US Data Privacy Framework for transfers.
EU/UK Privacy NoticeHow we protect your data
Security practices built into the product from day one.
Encrypted end-to-end
All student data is encrypted at rest (AES-256) and in transit (TLS 1.2+). No plaintext data is ever exposed outside our secure systems.
Data minimization
We only collect what's needed to deliver the service. Student submissions are used solely for grading — never for advertising or model training.
Role-based access
Teachers see only their own classes. Admins see only their school. Access by GradingPal staff is strictly limited and audited.
Reliable infrastructure
Hosted on enterprise-grade cloud infrastructure with automatic backups and redundancy. No student data is stored on personal devices.
Activity logging
Data access and processing events are logged via Axiom. Admins can request activity reports for any time period.
Incident response
We maintain a documented breach response plan. Affected institutions are notified promptly in line with FERPA, NY Ed Law 2-d, and applicable privacy laws.
What we do — and don't do — with student data
We do
- Process submissions to generate AI feedback and scores
- Encrypt all data at rest (AES-256) and in transit (TLS 1.2+)
- Restrict access by role — teacher, admin, district
- Delete data on request or at end of contract within 30 days
- Provide activity logs to admins on request
- Sign Data Processing Agreements with districts
- Notify institutions promptly in the event of a breach
We never do
- Sell student data to any third party
- Use student data for advertising or targeting
- Train AI models on student data without explicit written consent
- Share data with unauthorized third parties
- Retain data beyond the agreed retention period
- Store student data on personal or unencrypted devices
- Grant staff access without formal authorization
Getting a DPA signed is simple
Most districts complete a DPA in under a week. We work with your legal and IT teams at no extra cost.
Request a DPA
Fill out the form below or email us with your district name and a procurement contact.
We send a draft
Our team sends a pre-filled DPA within 1–2 business days covering data types, processing purposes, and retention.
Review & redline
Your legal or IT team can redline. We work with your district's standard templates where possible.
Countersign & done
Once both parties sign, GradingPal is formally approved for use in your district.
We work with your district's process
Every district has different procurement requirements. We adapt to your process — whether that means using your template, answering a security questionnaire, or joining a call with your IT team.
Common questions from IT & compliance teams
All legal documents, publicly available
No NDAs required to review our compliance posture. Everything your legal and IT teams need is published here.
Privacy Notice
How we collect, use, and protect personal data for all users.
Data Processing Addendum
GDPR-compliant DPA covering processor obligations, SCCs, and international transfers.
Student Data Privacy Addendum
FERPA, COPPA, SOPIPA & NY Ed Law 2-d compliance terms for K-12 schools.
Sub-processor List
Every third party that processes personal data on our behalf.
EU/UK Privacy Notice
GDPR and UK GDPR disclosures, lawful bases, and your rights.
Terms of Use
The full terms governing use of the GradingPal platform.
Ready to get GradingPal approved?
Whether you need a DPA, have security questions, or want to start procurement — we make it easy for IT teams and school leaders.
Get GradingPal approved at your school
Fill out our approval request form. We'll prepare a security brief, DPA, and any documentation your district's procurement process requires.
Start Approval Process- DPA included at no cost
- Response within 1 business day
- Works with your district's process
Review our legal documents
All compliance documentation is publicly available — no NDA required. Share directly with your legal or IT team.
- Privacy Notice
- Data Processing Addendum
- Student Data Privacy Addendum
- Sub-processor List
- EU/UK Privacy Notice
- Terms of Use
Questions? Contact us directly
hello@gradingpal.com