Privacy Policy
Speech Gradebook — Last updated: March 2025 (FERPA Compliance Update)
Speech Gradebook (“we”, “the application”) is provided for educational use. This policy describes how we handle information in the context of the application.
Information we collect and use
When you use SpeechGradebook, we store account and usage data necessary to provide the service. This includes:
- Account information: Name, email address, institution affiliation, and role (instructor, administrator, student)
- Course data: Course names, enrollment information, and course settings
- Student educational records: Student names, speech evaluations, grades, rubrics, and feedback (protected under FERPA)
- Consent records: Student consent decisions with timestamps for audit purposes
- Usage data: System logs, access records, and audit trails for compliance
All data is stored in secure, encrypted databases (Supabase) and is used solely to operate the application, enforce role-based access controls, maintain FERPA-compliant audit logs, and provide the evaluation services you request.
Student data and FERPA compliance
SpeechGradebook is designed to comply with the Family Educational Rights and Privacy Act (FERPA) and your institution's data protection policies. We implement multiple safeguards to protect student educational records.
Consent management
Before processing student data, we require explicit consent from students through our consent management system. Students receive secure, unique consent links for each course and can choose to:
- Consent to data use: Allows their data to be stored in secure cloud storage and used for grading, platform improvement, research, and potential third-party sharing (subject to your institution's agreements).
- Decline consent: Their evaluation data is stored only on the instructor's local device and is not used for research, platform improvement, or third-party sharing. Students can still receive evaluations and grades.
Consent decisions are recorded with timestamps and cannot be modified retroactively, ensuring an auditable record of student choices.
Access controls and role-based permissions
Access to student data is strictly controlled through comprehensive role-based access controls enforced at multiple levels:
- Instructors: Can access data only for courses they teach. Access is restricted to evaluations, students, and course data within their assigned courses. Cannot access data from other instructors' courses.
- Administrators: Have institution-wide access with appropriate oversight. Can access all data within their institution but cannot access data from other institutions.
- Super Admins: Have system-wide access for platform support and maintenance. Access is logged and monitored for compliance.
- Students: Can access only their own evaluation data. Cannot view other students' records or course-wide data.
All access is:
- Authenticated: Through secure authentication (Supabase Auth) with multi-factor authentication support
- Enforced at database level: Using Row Level Security (RLS) policies that cannot be bypassed
- Enforced at application level: Additional checks in the application code
- Automatically logged: Every access attempt is recorded in audit logs
- Monitored: Unusual access patterns are flagged for review
Access controls are designed to follow the principle of least privilege, ensuring users can only access the minimum data necessary for their role.
Audit logging
To maintain FERPA compliance, we automatically log all access to student educational records through our comprehensive audit logging system. Every interaction with student data is recorded, including:
- Who accessed the data: User identity, role (instructor, admin, super admin), and institution affiliation
- What data was accessed: Specific resource type (evaluation, video, transcript, student record), resource ID, student ID, and course ID
- When access occurred: Precise timestamps for all actions
- Actions performed: Viewing, creating, updating, deleting, exporting, or downloading student data
- FERPA justification: Reason for access (e.g., "grading", "administrative", "evaluation_creation")
- Consent verification: Whether student consent was verified before access
- Action details: Specific fields changed, scores modified, or data exported
- Security context: IP address, user agent, and session information when available
These audit logs are automatically generated through database triggers and application-level logging. All logs are stored securely in encrypted databases and are retained for compliance purposes. Audit logs are accessible only to authorized administrators and super administrators for compliance reviews and incident investigation. Regular users cannot access audit logs.
Data storage and security
Student data is stored in secure, encrypted databases hosted by Supabase, which provides:
- Encryption at rest: All data is encrypted using industry-standard AES-256 encryption
- Encryption in transit: All data transmission uses HTTPS/TLS encryption
- Encryption metadata tracking: We maintain records of encryption methods, key IDs, and encryption timestamps for sensitive data
- Key management: Encryption keys are managed securely with support for key rotation
- Regular security audits: Supabase undergoes regular security audits and maintains compliance certifications
- Automated backups: Data is automatically backed up with point-in-time recovery capabilities
- Disaster recovery: Comprehensive disaster recovery procedures ensure data availability
- Geographic data residency: Data residency controls ensure data is stored in approved geographic regions
For students who decline data-use consent, evaluation data can be stored locally on the instructor's device, ensuring no cloud storage of their educational records. All cloud-stored data is encrypted both at rest and in transit.
Data retention and deletion
Student educational records are retained according to FERPA requirements and your institution's policies:
- Default retention period: 7 years (2,555 days) per FERPA requirements, unless your institution specifies a different period
- Institutional policies: Institutions can customize retention periods for different data types (evaluations, videos, transcripts, student records)
- Automatic archiving: Data can be automatically archived before deletion (configurable per institution)
- Legal holds: Data retention can be extended for legal holds or other exceptions
- Deletion: Instructors and administrators can delete student data at any time, and all deletions are permanently logged in audit trails
- Account deletion: When accounts are deleted, all associated student data is removed from our systems according to retention policies
All data retention and deletion activities are logged and audited for compliance purposes. Data retention policies can be reviewed and modified by authorized administrators.
Third-party data sharing
When students consent to data use, their data may be used for:
- Grading and evaluation purposes
- Platform and AI model improvement
- Research (with appropriate IRB approval where required)
- Third-party sharing (subject to your institution's data sharing agreements)
All third-party sharing is subject to your institution's data sharing agreements and FERPA's directory information and research exceptions, as applicable. Students who do not consent will not have their data shared with third parties.
Third-party services
We use Supabase for authentication and database hosting. If you use third-party AI providers (e.g. Google Gemini, OpenAI, Anthropic) for evaluations, their respective privacy policies apply to that usage. API keys you enter are stored locally in your browser and are not sent to our servers except as needed to call those providers when you run an evaluation.
Your rights and choices
Student rights under FERPA
Under FERPA, students have the right to:
- Inspect and review their educational records
- Request corrections to inaccurate or misleading information
- Control disclosure of their educational records (subject to FERPA exceptions)
- File complaints with the U.S. Department of Education regarding FERPA violations
Students can access their own evaluation data through the application and can request corrections through their instructor or institution.
Consent management
Students can manage their data-use consent through secure consent links provided by their instructors. Consent decisions are recorded and can be reviewed; to ensure audit integrity, they cannot be changed retroactively.
Data access and deletion
Instructors and administrators can access, export, and delete student data through the application's administrative functions. All data access and deletion actions are logged for audit purposes.
Questions and concerns
For questions about your data, this privacy policy, or FERPA compliance, please contact:
If you believe your FERPA rights have been violated, you may file a complaint with the U.S. Department of Education's Family Policy Compliance Office.