Security at ClassLens

Built so districts can say yes.

SOC 2 Type I attested. Google CASA Tier 2 verified. Federal CISA Secure by Design Pledge signatory. Google-approved Zero Data Retention on our Vertex AI project. Student work never lives on our servers.

Download our Letter of Validation (PDF)Request the full SOC 2 report under NDA →

Signed 2026-04-28

Audited by Percilchofe CPA LLC (License No. 1188). Report dated April 4, 2026, available under NDA. Most ed-tech vendors won’t name their auditor.

What districts ask us first.

Where does student work live?

Inside Google Classroom, where your teachers already keep it. Submissions transit our infrastructure long enough to be graded, then the draft grade and feedback are written back to Classroom. We do not persist student submissions, names, emails, grades, or AI-generated feedback on ClassLens servers.

Read the full FERPA posture→

Who has reviewed your security?

A licensed CPA firm (Percilchofe CPA LLC, License No. 1188) issued an unqualified SOC 2 Type I opinion as of April 4, 2026. Google’s CASA Tier 2 assessment was completed by TAC Security on April 1, 2026. Google verified our OAuth scopes — including the restricted Drive scope — on April 9, 2026.

See attestations and dates→

Does Google use our data to train AI?

No. ClassLens runs on Google Cloud Vertex AI under the Cloud Data Processing Addendum, which contractually prohibits Google from using customer data to train its foundation models. Zero Data Retention is enrolled — Google has formally approved a no-prompt-logging exception for our Vertex AI project. We publish this here so districts do not have to ask.

See the data flow→

Attestations and verifications.

Names, dates, license numbers. No marketing adjectives.

SOC 2 Type I: SOC 2 Type I Attested by Percilchofe CPA LLC (License No. 1188); as of April 4, 2026; unqualified opinion. Full report available under NDA.
Socify Letter of Validation: Socify-issued Letter of Validation (April 27, 2026) confirming completion of the SOC 2 Type I audit cycle. Published openly as a one-click verification that the attestation exists; the underlying SOC 2 Type I report from Percilchofe CPA LLC is available under NDA.
Google CASA Tier 2: CASA Tier 2 security assessment complete (Letter of Validation submitted April 1, 2026 by TAC Security via the Google-authorized ESOF AppSec platform).
Google OAuth verification: Google OAuth verified (April 9, 2026), including the restricted Google Drive scope, gmail.send, and classroom.profile.emails.
CISA K-12 Secure by Design Pledge: Signed April 28, 2026. Federally-endorsed successor framework to the retired Student Privacy Pledge.
FERPA posture: FERPA school-official posture under 34 CFR 99.31(a)(1)(i)(B); no persistent student submissions, names, email addresses, grades, or AI-generated feedback are stored on ClassLens servers.
COPPA-aligned program: COPPA-aligned: Written Information Security Program (WISP v1.2), Data Retention Schedule v1.2, School Consent Framework v1.1, and Privacy Policy Section 7 with specific retention timeframes are deployed.
Model-training posture: Google Cloud Vertex AI under the Google Cloud Data Processing Addendum (CDPA) does not use submitted data to train Google’s foundation models. Zero Data Retention is enrolled — Google has formally approved a no-prompt-logging exception for our Vertex AI project.

What is the CISA K-12 Secure by Design Pledge?

The Student Privacy Pledge — the badge many EdTech vendors displayed for a decade — was retired by the Future of Privacy Forum on April 25, 2025, after more than 40 states codified its principles into binding law. New signatories have not been accepted since that date, and the public registry of past signatories was taken offline July 31, 2025. ClassLens commits to the substantive Pledge principles in our Privacy Policy and Terms of Service.

FPF named two successor frameworks at retirement: the SDPC National Data Privacy Agreement (NDPA), which we have drafted vendor-side exhibits A through H to execute, and the CISA K-12 Education Technology Secure by Design Pledge, a voluntary federal commitment hosted by the Cybersecurity and Infrastructure Security Agency. The CISA registry includes hundreds of established cybersecurity and EdTech vendors. The full live list is published at cisa.gov/securebydesign/pledge/secure-design-pledge-signers. Evolved Academics signed the CISA Pledge on April 28, 2026.

If your procurement rubric still asks for a Student Privacy Pledge badge, the honest industry answer is that pre-2025 signatories were grandfathered into a sunset program with no live registry, while ClassLens has aligned with the active, federally-endorsed successor.

Verify the attestation in one click.

Most vendors ask you to sign an NDA before showing you anything. We publish our SOC 2 Type I Letter of Validation openly, so you can confirm the attestation exists in one click — before you spend a minute of legal time.

Download Letter of Validation (PDF)

Issued April 27, 2026 by Socify. ~120 KB.

Need the full report? Request it under NDA.

Where student data lives — and where it does not.

ClassLens operates as a school official under FERPA 34 CFR 99.31(a)(1)(i)(B). The school or district directs us to perform a function (grading assistance) the district would otherwise perform itself, under the district’s direct control over the use and maintenance of education records.

No persistent student submissions, names, email addresses, grades, or AI-generated feedback are stored on ClassLens servers. Only opaque Google-issued student IDs are retained for resubmission detection. Submissions transit our infrastructure to be graded and the resulting drafts are written back to Google Classroom (the district’s system of record). Operational metadata (job timestamps, token counts, error logs) is retained per our Data Retention Schedule v1.2.

Google Cloud Vertex AI under the Cloud Data Processing Addendum does not use submitted data to train Google’s foundation models.

How a student submission moves through ClassLens.

Six steps. Plain English.

1A teacher signs in to ClassLens with Google. Only the OAuth scopes Google has verified are used.
2The teacher picks a Classroom assignment and configures grading preferences.
3ClassLens fetches the submission from Google Classroom using the teacher's authorized session.
4The submission is uploaded to a private Google Cloud Storage bucket and referenced by Google Cloud Vertex AI for inference under the Cloud Data Processing Addendum. Submissions are not used to train Google’s foundation models, and Zero Data Retention is enrolled — Google has formally approved a no-prompt-logging exception for our Vertex AI project. ClassLens deletes the staged file from Cloud Storage immediately after grading; a 24-hour bucket lifecycle policy is the safety net.
5The grade and feedback are written back to Google Classroom — as a draft (Draft Only mode), or to the in-app Batch Review Dashboard for the teacher to review and release (Grade & Review mode).
6The submission content is not retained on ClassLens servers after the grading job completes. Only operational metadata (timestamps, token counts, error logs) is kept, per our published Data Retention Schedule.

Subprocessors.

A current list. The same list is reflected in our Privacy Policy and in SDPC NDPA Exhibit D.

Subprocessor	Purpose	Data Category	Region
Amazon Web Services (AWS)	Application hosting, MySQL, Redis	Application data, operational metadata	us-west-1 (N. California)
Cloudflare	CDN, DDoS, TLS termination, WAF	Network metadata	Global edge
Google LLC	OAuth, Classroom API, Drive API, Gmail API	Authentication, assignment + grade write-back	US
Google Cloud Platform	Vertex AI inference + Cloud Storage submission staging	Submission content (transient). Cloud DPA. Project-level ZDR approved by Google 2026-04-29 (Cloud project 135589175772).	us-central1 (regional) / global (model-dependent)
Stripe	Subscription billing	Billing identifiers, payment method tokens	US
GitHub	Source code hosting	Source code only — no customer data	US

State student-data laws.

We adhere to the substantive privacy principles of state student-data laws including SOPIPA (California Bus. & Prof. Code 22584), AB 1584 (California Education Code 49073.1), and New York Education Law §2-d. State-specific attestations — including the New York §2-d Parents’ Bill of Rights and supplemental information disclosures — are issued upon district request as part of the contracting process. ClassLens additionally completes vendor security questionnaires for state and district frameworks (including Texas TX-RAMP-aligned questionnaires) on request. ClassLens is built on the SDPC National Data Privacy Agreement (NDPA) framework; vendor-side exhibits A through H are drafted and ready to execute with an originating LEA.

Engineering practices.

Encryption

All traffic is TLS 1.2 or higher in transit, terminated at Cloudflare. Application data at rest in AWS RDS is encrypted with AWS-managed KMS keys. OAuth tokens are encrypted at rest at the application layer with AES-256-GCM with a versioned key format.

Access

Production access is limited to the founder, gated by SSO and multi-factor authentication. AWS uses instance roles — no static keys. Inbound network access goes through a Cloudflare Tunnel; the AWS instance has no public inbound ports. Administrative actions are logged.

Incident response

Security incidents are handled per our Information Security Policy and our Written Information Security Program (WISP v1.2). Confirmed incidents involving district data trigger notification to the affected district within the timeframes specified in the executed NDPA or DPA — and never later than 72 hours after confirmation.

Frequently asked.

Are you "SOC 2 certified"?

No vendor is. SOC 2 is an attestation, not a certification — the AICPA does not issue certificates for it. We hold a SOC 2 Type I attestation from Percilchofe CPA LLC, License No. 1188, as of April 4, 2026, with an unqualified opinion. Anyone who tells you they are “SOC 2 certified” is using imprecise language. We chose not to.

Why don’t you display the Student Privacy Pledge badge?

The Student Privacy Pledge was retired by the Future of Privacy Forum on April 25, 2025, after a decade in which more than 40 states codified its principles into binding law. New vendors have not been able to sign since that date, and the public signatory registry was taken offline July 31, 2025. We commit to the substantive Pledge principles in our Privacy Policy and Terms of Service, and we have signed the federally-endorsed successor — the CISA K-12 Education Technology Secure by Design Pledge — on April 28, 2026.

Do you store student work?

No persistent student submissions, names, email addresses, grades, or AI-generated feedback are stored on ClassLens servers. Submissions transit our infrastructure to be graded; the resulting drafts are written back to Google Classroom. The district’s Classroom remains the system of record.

Does Google use our submissions to train AI?

No. We use Google Cloud Vertex AI under the Cloud Data Processing Addendum, which contractually prohibits Google from using customer data to train its foundation models. Zero Data Retention is enrolled — Google has formally approved a no-prompt-logging exception for our Vertex AI project.

Can students see grades before our teachers approve them?

No. Auto-return was permanently removed from the product on April 12, 2026. Teachers either save grades as Classroom drafts (Draft Only mode) or review them in the in-app Batch Review Dashboard before releasing to students (Grade & Review mode).

Will you sign our NDPA?

Yes. ClassLens is built on the SDPC National Data Privacy Agreement framework and our vendor-side exhibits A through H are drafted and ready to execute. Email Steven directly and we will move on it the same week.

Contact.

Security questions, NDPA execution, and procurement: steven.swanson@evolvedacademics.com.

Responsible disclosure: report suspected vulnerabilities to security@evolvedacademics.com. Read our full responsible disclosure policy; machine-readable contact at /.well-known/security.txt.

Safe harbor: we will not pursue legal action against security researchers for activities conducted in good faith and consistent with our published policy. Specifically, we will not pursue claims under any of the following, including but not limited to: the federal Computer Fraud and Abuse Act (18 U.S.C. § 1030); the anti-circumvention provisions of the Digital Millennium Copyright Act (17 U.S.C. § 1201); the federal Stored Communications Act (18 U.S.C. § 2701 et seq.); California Penal Code § 502(c) and equivalent computer-misuse statutes in other U.S. states; or the federal Wiretap Act (18 U.S.C. § 2511) and equivalent state wiretap statutes, to the extent applicable. The list is illustrative and not exhaustive. We acknowledge reports within two business days and remediate per the SLAs in our incident management policy. We do not run a paid bounty program; we credit reporters who request it.

Last reviewed: 2026-05-09• Evolved Academics, LLC • Whittier, CA