Compliance at Answerr AI

Built for education. Compliant by design. This page explains how Answerr AI protects student, educator, and institutional data while aligning with FERPA, and COPPA, alongside industry‑standard security and governance practices.

Summary: No customer content is used to train foundation models. Data access is least‑privileged, audited, and encrypted end‑to‑end. Contracts include DPA, SCCs where applicable, and FERPA/COPPA addenda.

Who this page is for

• University/School Administrators evaluating governance and risk
• Faculty & IT integrating AI tools into classrooms
• Legal & Procurement reviewing contracts and DPAs

Compliance Overview

Framework	Our Stance	What It Covers
FERPA (US)	School Official exception with legitimate educational interest; data used only to provide the service.	PII in Education Records; student rights; access controls
COPPA (US)	Parental/School consent model supported; data minimization and deletion on request.	Children under 13 online data protections

Data Residency: Primary hosting in regionally appropriate data centers; options for EU/India/US on request.

Security & Governance Controls

• Encryption: TLS 1.2+ in transit; AES‑256 at rest
• Access: SSO/SAML/OAuth; role‑based access control; least‑privilege; just‑in‑time approvals
• Audit & Monitoring: Centralized logging; admin audit trails for data access and exports
• Backups & DR: Daily encrypted backups; tested restore; RPO/RTO disclosed under NDA
• Vulnerability Management: Regular patching; dependency scanning; third‑party penetration testing (annual)
• Incident Response: 24×7 on‑call; notification SLAs in MSA/DPA; post‑mortem transparency

AI Usage & Data Handling

• No model training on your content: Customer prompts/outputs are never used to train public models.
• Model Providers: Enterprise agreements with LLM providers configured for no‑training and zero retention where available; requests are anonymized/pseudonymized when feasible.
• Data Minimization: Only the minimal attributes required for functionality are processed; optional fields are off by default.
• Retention & Deletion: Configurable retention windows; hard deletion on request or contract termination; backup expiry aligned with policy.

Subprocessors (Operational)

We maintain a live list; subscribe for change notifications.

Subprocessor	Purpose	Data Types	Location
Cloud Infrastructure (e.g., AWS/GCP/Azure)	Hosting, storage, networking	Account metadata, encrypted content	Regional (US/EU/IN options)
Observability (e.g., Log & Metrics)	Logs/metrics/alerts	System telemetry; no student content	Regional
Email/SMS (optional)	Notifications	Email/phone if enabled	Regional
LLM Provider (enterprise)	Text generation/summarization	Prompt and response (transient)	Regional

Full, current list available via DPA appendix.

Data Processing Addendum (DPA)

• Standard Controller–Processor DPA with FERPA, COPPA exhibits
• SCCs for international transfers when applicable
• School Official designation available for US districts
• Request our DPA: tech@answerr.ai

Click‑through: Request DPA & Security Pack

Roles & Responsibilities

You (Controller/School/University)

• Determine lawful basis/consent (COPPA)
• Configure retention, access, and sharing policies in the dashboard
• Handle data subject/parent requests (we assist as Processor)

Us (Processor/Service Provider)

• Process data only on documented instructions
• Implement security and confidentiality measures
• Assist with data subject requests and incident notifications

Student & Parent Rights

• Access & Correction: Export and rectify records on request
• Deletion: Permanent deletion supported; verifiable parent requests for COPPA
• Transparency: Clear records of processing available to admins

Frequently Asked Questions (FAQ)

Q1. Do you train your models on our data?
A. No. We do not use customer content to train public models. Enterprise LLM endpoints are configured for no‑training where supported.

Q2. Can we choose where data is stored?
A. Yes. Regional hosting options are available (US/EU/IN). Contact us for choices.

Q3. How do you handle under‑13 users (COPPA)?
A. We support a school‑consent model or verifiable parental consent flows. Features for under‑13 can be disabled at tenant level.

Q4. What happens if there’s a security incident?
A. We notify your admins per contractual SLAs, contain the issue, and provide a post‑incident report with remediation steps.

Q5. Can we get a signed DPA and SCCs?
A. Yes. Our standard DPA and SCCs are available on request; we’ll countersign electronically.

Contact Compliance

• Email: tech@answerr.ai
• Security & Compliance Pack: DPA + Subprocessors + Pen Test Letter
• Status Page: Available to customers under NDA

Recommended Internal Links

• Privacy Policy
• Terms of Service
• For Institutions
• Whitepapers

Badges (for UI)

• FERPA‑Aligned ✓
• COPPA‑Ready ✓
• Data Processing Addendum ✓
• No Training on Customer Data ✓