Built for Trust in School Settings

FERPA protects students' education records. Sped.AI is designed from the ground up to minimize the personal data we hold — which means less compliance risk for you and your district.

• Initials only. Sped.AI never asks for a student's full name. You enter initials and date of birth — that's it. No names are stored in our database.
• No student ID or grade stored. Fields that could identify a student within a school system are not collected or retained.
• Scores, not records. You enter assessment scores. Sped.AI generates narrative text from those scores. There are no electronic education records transmitted to or stored by Sped.AI.
• Your account, your reports. Reports are tied to your account only and are never shared, indexed, or made accessible to anyone else.
• No data sold or shared. We do not sell, license, or disclose any user or student data to third parties for any purpose.

Sped.AI is hosted on Render, a SOC 2 Type II certified cloud infrastructure provider. Your data is protected both at rest and in transit.

• Encryption at rest: All database records are stored with AES-256 encryption. OAuth tokens and sensitive credentials use AES-256-GCM with unique per-record initialization vectors.
• Encryption in transit: All connections to Sped.AI use TLS 1.2 or higher. HTTP connections are automatically redirected to HTTPS.
• Database: PostgreSQL hosted on Neon with SSL-enforced connections. Neon operates on AWS infrastructure with SOC 2 Type II and ISO 27001 certifications.
• Infrastructure provider: Render (render.com) is SOC 2 Type II certified. Production servers run in isolated environments with automatic security patching.
• No local data storage: Sped.AI is a server-side application. Assessment data is processed server-side and returned to your browser — it is not persisted in browser storage or third-party analytics tools.

This is the question districts ask most. Here is a direct, unambiguous answer:

• Processing only. Assessment scores are sent to the AI model to generate a narrative report. The interaction ends there. Sped.AI uses Anthropic's API under terms that explicitly prohibit using customer data for model training.
• No persistent AI memory. Each report generation is a stateless API call. The AI model does not retain any memory of previous submissions.
• Minimal context. Only the numerical scores and basic demographic context (initials, age) required to write a clinically accurate narrative are included in the AI prompt. No other student information is transmitted.
• No behavioral profiling. Sped.AI does not aggregate student scores across users or create student profiles of any kind.

Privacy isn't a checkbox we ticked — it shaped every design decision in Sped.AI.

• Initials-only workflow. The UI was designed around initials from day one. There is no "full name" field to remove later — it was never built.
• Sample data is fictional. The sample reports and demo content on this site use entirely fictional assessment scores and initials. No real student data is ever displayed.
• No behavioral tracking pixels. Sped.AI does not load Facebook Pixel, Google Analytics, or other third-party tracking tags. Analytics are server-side only, using hashed IP addresses — never tied to student activity.
• Session-scoped access. Report generation is tied to an authenticated session. Unauthenticated users cannot access any report data.
• Data minimization. We collect only what is necessary to generate a report. Nothing more is stored.

• Password-protected accounts. All user accounts require email and password authentication. Passwords are hashed using bcrypt with a per-user salt.
• Session management. Authenticated sessions are stored server-side with a 30-day expiry. Sessions are invalidated on logout.
• Account isolation. Users can only access their own reports. There is no cross-account data access.
• Admin oversight. Administrators can view account activity and revoke access codes. Audit logging is available for compliance review.
• Secure cookies. Session cookies are marked HttpOnly, Secure, and SameSite=Lax to prevent XSS and CSRF attacks.

Sped.AI is a focused tool for school psychologists, not a large enterprise SaaS platform. Our compliance posture reflects our actual risk surface: minimal PII, no student records, and built-in privacy constraints.

Questions about compliance?

District IT teams and compliance officers are welcome to reach out. We'll respond to security and compliance inquiries within one business day.