Company · Security
Security & Trust
Updated July 5, 2026 · Sure Step Education LLC
Security contact
Our named security contact is Devin Farren, co-founder. Reports to security@surestepeducation.com reach a founder directly and are acknowledged within one business day. If you believe you've found a vulnerability in our site or products, tell us — we will thank you, not lawyer you.
Breach notification: our 72-hour commitment
If we determine that unauthorized acquisition, access, use, or disclosure of student records has occurred — or is reasonably believed to have occurred — we will:
- Notify each affected district in writing within 72 hours of determination, including what happened, which data elements and students were affected, when, and the containment steps already taken.
- Cooperate fully with the district's own notification obligations under Ed. Code §49073.1 and Civ. Code §1798.29/§1798.82, including supplying what the district needs to notify families — at our expense where the breach arose from our systems.
- Investigate and remediate: root-cause analysis and a written post-incident report to affected districts within 30 days.
- Follow the district's lead on family communication — districts control how their families hear about their students.
- Never charge a district for breach response arising from our or our subprocessors' systems.
How we build
- Access rules live in the database. Row-level security enforces who can see what — the interface is a convenience, not the boundary. A misbehaving client can't widen its own access.
- We can't casually read your data. In our student-record products, the same database rules that bind district staff bind us. Maintenance access is an explicit, founder-only, reason-required, time-limited exception — and it's logged where the district can see it.
- Encryption everywhere: TLS 1.2+ in transit, AES-256 at rest. Student data stays in the United States.
- Append-only audit trails in student-record products: record access, exports, configuration changes, and every privileged exception.
- No ads, no trackers, no analytics SDKs — on this site or in any product. There is nothing to audit because there is nothing there.
- Least-privilege keys and versioned changes: browsers only ever hold anonymous, database-restricted credentials; privileged keys exist only server-side; schema changes ship as numbered migrations, snapshot-first.
Our current subprocessors — and which of them touch student data — are listed in the privacy policy.
Support, beyond one inbox
General questions go to hello@surestepeducation.com; security reports to security@surestepeducation.com. District partners get more than an inbox: every pilot and agreement comes with a named founder contact and a direct line, because when a teacher is standing in front of a class with a tool that won't load, "we'll get back to you" isn't an answer.
Continuity
Districts rightly ask what happens to their data and their workflows if a small vendor stumbles. Our agreements put the answer in writing: your records are always yours, exportable in standard formats on request; termination triggers certified return or deletion on your terms; and for district-wide agreements we offer source-code escrow and continuity arrangements so an adopted tool can't simply vanish. We'd rather earn renewal than lock you in.
The honest part
We're an early-stage company and we won't pretend otherwise. We don't yet hold our own SOC 2 report (our infrastructure providers do), and independent penetration testing is on the roadmap rather than behind us. What we offer in the meantime is surface area small enough to actually inspect: no ads, no trackers, one database, one region, and founders who will sit down with your IT team and walk through all of it. We welcome district-led security reviews — they make the product better.