
Security and Compliance Overview

ClassLens is an AI-assistive grading and teaching tool for Google Classroom, built to fit inside K-12 district compliance requirements.

This page is for district CIOs, Technology Directors, and Data Privacy Officers reviewing ClassLens for classroom use.

Compliance at a glance

CASA Tier 2

Security assessment complete. Score 9.1 out of 10, zero Critical, zero High findings.

Google OAuth Verified

Verified by Google, including the restricted Google Drive scope.

SOC 2 Type I

Attested by Percilchofe CPA LLC (License No. 1188), as of April 4, 2026, unqualified opinion. Full report available under NDA.

FERPA School-Official Posture

Under 34 CFR 99.31(a)(1)(i)(B). No persistent student submissions, names, email addresses, grades, or AI-generated feedback are stored on ClassLens servers.

TOS v2.0.2 with Clickwrap

Affirmative consent required at sign-in, with an immutable append-only audit log of every acceptance.

COPPA-Compliant

Published data retention schedule covering every category of data we process.

Grading model

Teachers review every grade before any student sees it. There is no mode where AI-generated grades are released without teacher review.

Draft Only (default)

Grades are saved as drafts in Google Classroom. The teacher returns each grade manually through Classroom after reviewing it.

Grade & Review

After grading, the teacher sees the Batch Review Dashboard inside ClassLens. They review every grade in a summary table, edit scores and comments inline, and click Return Checked to send grades to students. One click, but the teacher always sees every grade first.

Districts can request that Grade & Review be disabled entirely for their teachers, limiting all grading to Draft Only. ClassLens is designed for low-stakes practice and formative assignments. It is not appropriate for creative, performance, or project-based work.

Data handling

Stored on ClassLens servers

  • Teacher account data (name, email, school, Google ID)
  • OAuth tokens, encrypted at rest with AES-256-GCM
  • Job metadata (assignment ID, rubric, grading settings, status, timestamps)
  • Opaque Google-issued student IDs, used only to detect resubmissions
  • Class-wide aggregate knowledge-gap data (criterion mastery booleans, no per-student text)
  • TOS acceptance log entries (immutable, IP address, user agent, timestamp)

Transient, not retained on ClassLens servers

  • Student names
  • Student email addresses
  • Student submission content
  • Student grades (written back to the teacher’s Google Classroom, not retained on ClassLens servers)
  • AI-generated feedback (written back to Google Classroom; not retained on ClassLens servers)

Student submission files are held in server memory for the duration of a single grading call, uploaded to a private Google Cloud Storage bucket controlled by ClassLens, referenced by Google Cloud Vertex AI via a gs:// URI for inference, and best-effort deleted from Cloud Storage after grading. A 24-hour bucket-level lifecycle policy serves as the failsafe.

Google Cloud Vertex AI under the Google Cloud Data Processing Addendum does not use submitted data to train Google's foundation models. Zero Data Retention is enrolled where the model supports it.

During an active grading job, student names and email addresses from the selected class are held in memory so the AI can address students by first name and feedback delivery can reach the correct mailbox. These fields are not persisted after the job completes.

Google OAuth scopes

ClassLens requests the following scopes during Google sign-in. Scopes marked restricted are subject to Google's annual CASA Tier 2 security assessment. Scopes marked required must be granted for ClassLens to function; any scope not marked required is optional under Google's granular consent and degrades the related feature gracefully if denied.

openid, email, profile (Required)

Standard Google sign-in. Used to create the teacher account and to show the teacher’s name and email inside ClassLens.

classroom.courses.readonly (Required)

Read the list of Google Classroom courses the teacher owns or co-teaches so the teacher can pick which class to grade.

classroom.coursework.students (Required)

Read student submissions attached to an assignment and write back grades and teacher feedback as drafts in Google Classroom.

classroom.rosters.readonly

Read the roster of a selected class so the AI can address students by first name in the teacher’s draft comments.

classroom.profile.emails

Read student email addresses for the selected class so email delivery of teacher-reviewed feedback reaches the right student mailbox.

classroom.topics

Read and create Classroom topics so teachers can organize assignments into topics directly from ClassLens.

drive (Restricted)

Read student submission files attached to Classroom assignments (Classroom-created files are not accessible via the non-restricted drive.file scope) and post teacher-authored feedback as Drive Comments on the student’s document. This is the scope that required a CASA Tier 2 assessment.

gmail.send (Restricted)

Send from the teacher’s own Gmail mailbox for three purposes: (1) email the knowledge-gap report to the teacher; (2) deliver teacher-reviewed feedback emails to students when the teacher selects email delivery; (3) send teacher-to-teacher safety-review notifications.

Subprocessors

Google

Google Classroom, Drive, and Gmail APIs (OAuth-scoped, teacher-authorized).

Google Cloud Platform

Vertex AI for AI inference (governed by the Google Cloud Data Processing Addendum; customer data is not used to train Google’s foundation models; Zero Data Retention enrolled where the model supports it) and Cloud Storage for transient submission staging (private bucket, U.S. region, 24-hour lifecycle policy).

Amazon Web Services

Hosting in us-west-1. EBS volumes and backups encrypted at rest.

Cloudflare

Content delivery network and TLS termination.

Stripe

Subscription billing only. Stripe never receives student data.

Gotenberg

Self-hosted PDF generator. Runs on ClassLens infrastructure; not a third-party subprocessor.

Security controls

  • AES-256-GCM encryption of OAuth tokens at rest, with a versioned key format.
  • EBS volume and backup encryption at rest for all AWS storage in us-west-1.
  • httpOnly session cookies (Secure, SameSite=Lax, 24-hour sliding TTL).
  • CSRF protection via a required X-Requested-With header on all mutating session requests.
  • Nonce-based Content Security Policy with strict-dynamic.
  • Redis sliding-window rate limiting on authenticated and login routes.
  • Structured logging (pino) with automatic redaction of tokens, student content, student names, and authorization headers.
  • AWS IAM roles with no static keys, CloudTrail logging, and S3-to-Glacier backup retention.
  • Nginx security headers on every response: HSTS, nosniff, Permissions-Policy, Referrer-Policy, COOP, and Cache-Control no-store on authenticated routes.
  • TOS clickwrap with an immutable, append-only acceptance audit log.
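
As an added illustration of the first control (written for this overview, not taken from ClassLens's code), this is one way a versioned AES-256-GCM record for a stored OAuth token can be built so that keys can be rotated and a swapped version label or altered ciphertext is rejected. The `version.iv.tag.ciphertext` layout, the function names and the demo keys are assumptions.

```javascript
const crypto = require('node:crypto');

// Constructed demo keys, indexed by version (assumption: real keys live in a secrets manager).
const KEYS = new Map([
  ['v1', crypto.createHash('sha256').update('constructed-demo-key-1').digest()],
  ['v2', crypto.createHash('sha256').update('constructed-demo-key-2').digest()],
]);
const CURRENT_VERSION = 'v2';

// Encrypt a token into "version.iv.tag.ciphertext" (base64 fields, hypothetical layout).
function sealToken(plaintext, version = CURRENT_VERSION) {
  const key = KEYS.get(version);
  if (!key) throw new Error(`unknown key version: ${version}`);
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every record
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(version)); // authenticate the version label too
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const fields = [iv, cipher.getAuthTag(), ct].map((b) => b.toString('base64'));
  return [version, ...fields].join('.');
}

// Decrypt a record; throws on unknown version, malformed input, or failed authentication.
function openToken(record) {
  const parts = record.split('.');
  if (parts.length !== 4) throw new Error('malformed record');
  const [version, iv, tag, ct] = parts.map((p, i) => (i === 0 ? p : Buffer.from(p, 'base64')));
  const key = KEYS.get(version);
  if (!key) throw new Error(`unknown key version: ${version}`);
  if (iv.length !== 12 || tag.length !== 16) throw new Error('malformed record');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAAD(Buffer.from(version));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// True when a record was sealed under an older key and should be re-encrypted.
function needsRotation(record) {
  return record.split('.')[0] !== CURRENT_VERSION;
}
```

A rotation job would call `needsRotation` on each stored record and rewrite it with `sealToken(openToken(record))`.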

Incident response

72-hour breach notification SLA to affected schools and districts. Report security concerns or suspected incidents to support@evolvedacademics.com.

Compliance documents available on request

  • Standard DPA template. ClassLens supports the SDPC National Data Privacy Agreement framework.
  • CoSN K-12CVAT Lite V4.1, pre-filled, 62 questions answered.
  • Security overview one-pager (PDF).
  • OAuth scope justification document.

How to approve ClassLens for your domain

If teachers in your district see “Access blocked: admin_policy_enforced” when they sign in, ClassLens has not yet been approved in your Google Workspace admin console. This is a domain-level setting: approving the app once unblocks every teacher in the organizational units you select. Either path below works.

Option 1: Install from the Marketplace (recommended)

  1. In the Google Admin console, go to Apps → Google Workspace Marketplace apps → Apps list.
  2. Click Install app and search for ClassLens, or open the Marketplace listing directly.
  3. Choose Admin install and select the organizational units, or the whole domain, that should have access.

An admin install grants ClassLens the access it needs for the selected users, so teachers in those organizational units can sign in without being blocked.

Option 2: Trust the app by OAuth client ID

  1. In the Admin console, go to Security → Access and data control → API controls.
  2. Click Manage App Access → Configure new app.
  3. Enter the ClassLens OAuth client ID: 135589175772-rj5214dbf3k43idvl10lbq03cj488qru.apps.googleusercontent.com
  4. Select the app, then set access to Trusted.

Exact menu labels vary slightly between Admin console versions. Google's official instructions: install Marketplace apps and control third-party app access. Want a screen-by-screen PDF for your team? Email us and we'll send one the same day.

Request the full security packet

We send the DPA, K-12CVAT, security overview, and OAuth scope justification as a single PDF bundle, usually within one business day.