
Trust & Security

Last updated: May 23, 2026

1. Overview

Veradic is built for use in K-12 education. Protecting student data and supporting the trust of teachers, administrators, and families is foundational to how we design, build, and operate the platform.

This page summarizes Veradic's security and trust posture in plain English. It is intentionally non-technical and high-level. For technical detail, vendor questionnaires, data privacy agreements, or other procurement documentation, contact support@veradicai.com and we will respond promptly.

2. How Veradic Handles Student Data

Veradic acts as a school official under the direction of each contracting district. Student work, grades, and related records remain under the district's control and are used solely to provide the contracted service.

Student data is never used to train AI models, ours or anyone else's. This applies to student work, conversations with the AI tutor, integrity-review transcripts, grades, and any other student-generated content.

Third-party AI service providers used by Veradic to generate tutoring responses receive only the content necessary to do so. They do not receive student identity.

Veradic does not sell personal information to third parties. We do not use student data for advertising.

3. Account Security & Authentication

Veradic uses modern, industry-standard methods to protect user accounts:

  • Passwords are protected using current cryptographic standards. Plaintext passwords are never stored or logged.
  • Access tokens are short-lived. If a token were compromised, the window of risk would be small.
  • Repeated failed login attempts trigger automatic protective measures.
  • Account deactivation takes effect immediately across all sessions.

4. Authorization & Access Controls

Veradic uses role-based access control. Every request is checked against the user's role and permissions before sensitive data is returned.

  • Students access only their own work and assigned coursework.
  • Teachers access only the students enrolled in their assigned sections.
  • Administrators have scoped administrative access necessary for their role.

Cross-account access is prevented by application authorization checks on every request. Attempting to access another user's resources returns a permission-denied response without revealing whether the resource exists.

5. Encryption

All data transmitted between Veradic and user devices is encrypted in transit using current Transport Layer Security standards. HTTPS is enforced across the platform.

Data stored by Veradic is encrypted at rest using industry-standard encryption methods provided by our cloud infrastructure.

6. Infrastructure & Operations

Veradic operates on established cloud infrastructure providers with mature compliance programs. Production systems are continuously monitored, with automated alerting on operational and security events.

System secrets and credentials are managed using current secure-storage practices and are never embedded in client-side code.

7. Application Security

Veradic applies industry-standard web application security practices, including:

  • Modern HTTP security headers across all responses
  • Strict input validation on all user-submitted content
  • Parameterized database queries to prevent injection
  • File-upload validation that inspects content rather than relying on file extension
  • Bounded request and field sizes to prevent resource exhaustion

We track the OWASP Top 10 and broader industry guidance as part of our ongoing engineering practice.

8. Monitoring & Auditing

Authenticated activity is logged with traceable per-request identifiers, enabling end-to-end tracing of any individual interaction. Logs are structured for analysis and stored securely.

AI service calls made on behalf of users are recorded with sufficient detail to support debugging, cost accounting, and post-incident review.

9. Incident Response

In the event of a confirmed data security incident affecting customer data, Veradic will notify affected districts within 72 hours of confirmation and provide a written summary describing the nature of the incident, the data affected, and the remediation steps taken or planned.

Our incident response procedures are available on request as part of procurement documentation.

10. Privacy & Compliance

Veradic is designed to support common education-sector privacy requirements:

  • FERPA — Veradic operates as a school official under the direction of each district. Student education records remain under district control.
  • COPPA — For students under 13, Veradic relies on the school-consent exception standard for classroom-deployed educational technology.
  • State-level laws — Veradic supports state-specific data privacy addenda on request, including New York Education Law §2-d, California SOPIPA, Illinois SOPPA, and others.
  • Data Privacy Agreements — Veradic will sign your district's standard data privacy agreement, including the National Data Privacy Agreement (NDPA) template used by most US districts.

Refer to the Privacy Policy for details on data collection, use, retention, and user rights.

11. Responsible Disclosure

If you discover a security vulnerability in Veradic, please contact support@veradicai.com with the details. We commit to acknowledging reports within 5 business days and will work in good faith to address valid issues.

Please do not publicly disclose vulnerabilities before we have had a reasonable opportunity to investigate and remediate.

12. Documentation & Procurement Support

Veradic supports district procurement processes. The following documentation is available on request:

  • Data Privacy Agreement (DPA) template and state-specific addenda
  • Security questionnaire responses
  • Incident response procedure
  • Accessibility statement
  • Subprocessor list and data flow summary

To request any of the above or to discuss district-specific requirements, contact support@veradicai.com.

13. Contact

For all trust, security, privacy, and procurement inquiries, contact: