When we started building Attendly, we made a decision early: student data security wouldn’t be an afterthought. It would be foundational. Every architecture choice, every vendor selection, every policy we wrote was shaped by one question — would a California school district trust us with their students’ data?
Two years later, we’re making that work visible. Today we’re launching the Attendly Trust Center, a single destination where districts can see exactly how we think about security, privacy, and compliance.
Why a Trust Center, Why Now
District IT directors, data privacy officers, and procurement teams have been asking the right questions. They want to know where student data is stored. They want to verify our compliance claims. They want to see our subprocessor list before signing an agreement.
Until now, that meant emails back and forth, PDF attachments, and phone calls with our team. The information existed — it just wasn’t in one place.
The Trust Center changes that. Everything a district needs to evaluate Attendly’s security posture is now publicly accessible, verifiable, and kept up to date.
What You’ll Find
Compliance Certifications
Attendly is compliant with the full stack of California student data privacy laws:
- FERPA — We operate as a school official, processing student records solely on behalf of contracting districts
- COPPA — We rely on the school consent exception, collecting children’s data only for educational purposes
- SOPIPA (Cal. Bus. & Prof. Code §22584) — We never sell student data, build profiles for non-educational purposes, or use data for targeted advertising
- AB 1584 (Cal. Ed. Code §49073.1) — Student records remain the property of and under the control of the district
- CA-NDPA — We’re a signatory through CITE (California IT in Education), valid through February 2028. California districts can adopt our existing agreement without negotiating a separate DPA
Our security controls also align with the NIST Cybersecurity Framework.
Infrastructure and Architecture
Every district gets its own isolated environment on Google Cloud Platform. There’s no shared database, no commingled data. This single-tenant architecture means one district’s data is never accessible to another — by design, not by policy.
All student data is stored in US-based data centers (GCP us-east4). Data is encrypted at rest with AES-256 and in transit with TLS 1.2+. Our infrastructure runs on SOC 2 Type II certified cloud providers.
Subprocessor Transparency
We publish our complete subprocessor list — every third-party vendor that touches district data, what they do, what data they process, and where they’re located. If we add a new subprocessor, affected districts are notified before the change takes effect and have 30 days to raise concerns.
Policies and Agreements
Our Privacy Policy and Terms of Service are published in full. No paywalls, no “request access” gates. If your district needs a Data Processing Agreement or has questions about our CA-NDPA, our security team is a direct email away at security@attendly.com.
Questions Every District Should Be Asking Their EdTech Vendors
Launching our Trust Center forced us to hold ourselves to a high standard. But these aren’t questions that should be unique to Attendly — they’re questions every California district should be asking every vendor that touches student data. We believe this is what excellence looks like.
On compliance:
- Can your vendor show you a signed CA-NDPA, and is it verifiable through CITE?
- Does your vendor publish their compliance status with FERPA, COPPA, SOPIPA, and AB 1584 — or do they just say “we’re compliant” without specifics?
- Can your vendor cite the specific California statutes they comply with and explain how?
On infrastructure:
- Where exactly is your student data stored? Which cloud provider, which region?
- Is your district’s data isolated from other districts, or does it sit in a shared database?
- Are the underlying cloud providers SOC 2 Type II certified — and can your vendor name them?
On transparency:
- Does your vendor publish a complete subprocessor list? Do you know every third party that handles your students’ data?
- Will your vendor notify you before adding a new subprocessor — and give you time to object?
- Can you read their Privacy Policy and Terms of Service right now, without requesting access?
On data rights:
- What happens to your data when the contract ends? Within how many days is it deleted?
- Can you export your data at any time in a standard format?
- Does your vendor use student data for any purpose beyond the contracted educational service — including product development, analytics, or AI training?
If your current vendor can answer all of these clearly and publicly, that’s great. If they can’t — or if the answer is “let me get back to you” — it’s worth understanding why.
We built the Trust Center because we believe the answers to these questions should never be hard to find.
What This Represents
The Trust Center isn’t a marketing page. It’s a commitment to transparency.
Over the past two years, we’ve built single-tenant infrastructure for every district we serve. We’ve selected vendors that meet our security requirements and documented every one. We’ve written policies that reflect what we actually do, not what sounds good. We’ve had our CA-NDPA negotiated and signed through CITE so districts don’t have to start from scratch.
This is the culmination of that work — brought together in one place where the people responsible for protecting student data can evaluate it on their terms.
Take a Look
Visit the Attendly Trust Center to review our security practices, compliance certifications, subprocessor list, and frequently asked questions.
If you have questions or want to discuss your district’s specific requirements, reach out to our security team at security@attendly.com.
