Attendly Trust Center

Attendly uses a single-tenant architecture where each school district receives its own isolated environment on Google Cloud Platform. All data is encrypted at rest using AES-256 and in transit using TLS 1.2+. We employ role-based access controls with per-tenant isolation, secure authentication via email/SMS verification codes with encrypted session tokens (A256GCM), and automated error monitoring and alerting via Sentry with cloud-native security monitoring and DDoS/WAF protection via Cloudflare and GCP Cloud Operations. Our security controls align with the NIST Cybersecurity Framework.

No. Attendly never sells, rents, or trades student data. We do not use student data for targeted advertising, behavioral profiling, or any purpose unrelated to the contracted educational services. This commitment is contractually binding under our agreements with school districts and is required by SOPIPA (Cal. Bus. & Prof. Code §22584) and FERPA.

When a contract terminates, districts have up to 30 days to request a data export in CSV or JSON format. After that, all district data is deleted from production systems within 60 days of contract termination. Deletion confirmation is provided to the district. Data is also removed from backups within the backup rotation cycle.

Attendly notifies affected districts within 72 hours of breach confirmation, in accordance with CA-NDPA requirements. Our notification includes the date of discovery, nature of the incident, types of data affected, number of individuals affected, steps taken to contain and remediate the incident, and a remediation plan. Districts are responsible for notifying affected students and parents as required by law.

Yes. Attendly operates as a "school official" under FERPA, processing student education records solely on behalf of contracting school districts. We access only the data necessary to provide our attendance management services, maintain direct control by the district over the use of education records, and comply with all FERPA requirements regarding use, re-disclosure, and data protection.

All student data is stored in US-based data centers (GCP us-east4). CDN providers (Cloudflare, Vercel) may route traffic through global edge nodes for performance but do not store student data outside the US. Our primary infrastructure runs on Google Cloud Platform, with managed PostgreSQL databases provided by Crunchy Data, both located in the United States.

For non-student data (such as parent/guardian data collected outside of an educational context, website visitor data, and staff data), California residents have the right to know what personal information is collected, request deletion of personal information, opt out of the sale or sharing of personal information, and not be discriminated against for exercising these rights. Student data collected in an educational context is exempt from CCPA under the student data privacy exemption. To exercise your CCPA rights, contact privacy@attendly.com.

We notify affected districts before adding new subprocessors that handle student data. Districts may object within 30 days if the new subprocessor presents concerns. Our current subprocessor list is maintained on this page and updated whenever changes occur. All subprocessors are required to sign data protection agreements, implement appropriate security measures, and process data only as instructed by Attendly.

No. Attendly has a signed CA-NDPA through CITE (California IT in Education), valid through February 2028. California districts can adopt this existing agreement directly without negotiating a separate DPA. Visit CITE's website to verify our agreement status.

Attendly relies on the school consent exception under the Children's Online Privacy Protection Act (COPPA). Under this exception, schools may consent on behalf of parents for the collection of children's personal information, but only when the data is used exclusively for an educational purpose. Attendly collects only the data necessary to provide attendance tracking services, does not use student data for any commercial purpose (including advertising), and does not disclose data to third parties except as necessary to provide the contracted educational service. Schools are provided with our full privacy policy and a description of our data collection practices so they can provide informed consent on behalf of parents.

The Student Online Personal Information Protection Act (Cal. Bus. & Prof. Code §22584) is California's landmark student data privacy law that directly regulates K-12 edtech vendors like Attendly. Under SOPIPA, Attendly is prohibited from: (1) using student data for targeted advertising, (2) building student profiles for non-educational purposes, (3) selling student data, and (4) disclosing student data except for K-12 school purposes. Attendly implements reasonable security procedures to protect student data and will delete student records upon request from the school or district.

Yes. Under AB 1584 (Cal. Ed. Code §49073.1), student records remain the property of and under the control of the school district. Students retain the ability to access, export, and transfer their records. Districts can request data exports in commonly available formats (CSV, JSON) at any time. Upon contract termination, districts have up to 30 days to request a data export before deletion begins. Parents and students exercise these rights through their school district, which coordinates with Attendly to facilitate requests.