Compliance & Security

Effective: August 25, 2025

Overview

SmartCampus Attendance is operated as a school official under FERPA, aligned with Utah’s Student Data Protection Act (Title 53E-9) and USBE Rule R277-487. The executed DPA/NDPA with each Local Education Agency (LEA) governs data elements and safeguards. The system is configured for attendance and hall-pass/call-down operations and supports emergency accounting by showing a student’s last-known location and time from scan/attendance events. Exports are policy-controlled and fully audited.

Scope & Data Minimization: We process student identifiers, attendance/scan events (with class/room/teacher context), and audit logs. We do not perform continuous device tracking, targeted advertising, or unrelated data collection.

Compliance Matrix

Each entry lists the law or rule, the requirement, what it means for this system, the implementation and controls, and the status.

Law / Rule: FERPA (34 CFR Part 99)
Requirement: Parents and eligible students may inspect and obtain copies of education records through the LEA.
What it means here: Provide a single-student export pathway via LEA admins.
Implementation & controls:
  • District-admin export UI; server-side policy flag exportsEnabled (default OFF).
  • Role/whitelist checks and full audit (allow/deny) on every export attempt.
  • Exports performed only upon LEA-approved requests.
Status: Policy-Controlled

Law / Rule: FERPA — School Official & Legitimate Educational Interest
Requirement: Access limited to authorized staff for legitimate educational purposes.
What it means here: Role-based access (teacher, secretary, admin, district admin); no public endpoints.
Implementation & controls:
  • Authentication required; role checks on the client for usability and on the server, which is authoritative.
  • Teacher reads scoped to their own students/rosters.
  • No student-facing accounts.
Status: Compliant

Law / Rule: FERPA — Health & Safety Emergency
Requirement: Information may be disclosed to appropriate parties during an actual emergency.
What it means here: Emergency accounting shows last-known location and time from scan/attendance events to authorized staff; no continuous tracking.
Implementation & controls:
  • Read-only, last-event view for authorized staff; all access audited.
  • Truthful wording (“last-known location & time”).
Status: Compliant

Law / Rule: Utah SDPA (Title 53E-9)
Requirement: Confidentiality; data minimization; vendor acts under LEA direction.
What it means here: Operate only the attendance/hall-pass scope with minimal fields.
Implementation & controls:
  • Only identifiers plus attendance/scan context; no unrelated collection.
  • Configuration reads for policy are restricted to admins.
  • Public policy pages clarify LEA ownership of student data.
Status: Compliant

Law / Rule: USBE Rule R277-487
Requirement: Protect student data; maintain confidentiality; incident response.
What it means here: Defense-in-depth security and prompt LEA notification on incidents.
Implementation & controls:
  • HTTPS, authN/authZ, Firestore Security Rules, server-side policy checks.
  • Audit logging for administrative actions (incl. exports).
  • Incident response with LEA notification “without undue delay.”
Status: Compliant

Law / Rule: Data Exports (LEA policy)
Requirement: Exports must be appropriately authorized and logged.
What it means here: Provide only single-student exports; disabled by default.
Implementation & controls:
  • exportsEnabled flag (default OFF); admin-only UI.
  • Denied attempts return “permission-denied” and are audited.
Status: Policy-Controlled

Law / Rule: Data Minimization / No Tracking
Requirement: Collect only what is necessary; avoid unnecessary tracking.
What it means here: Event-based “last-known” only; no continuous device/geolocation tracking.
Implementation & controls:
  • Presence inferred from recent attendance/scan events.
  • No GPS/Wi-Fi beacons; no advertising IDs.
Status: Compliant

Law / Rule: Audit & Accountability
Requirement: Maintain records of access and administrative actions.
What it means here: Audit all export attempts; log key admin actions.
Implementation & controls:
  • Audit entries: actor, action, timestamp, outcome (allow/deny).
  • Reviewable by authorized admins.
Status: Compliant

Law / Rule: Secure Handling & Delivery
Requirement: Protect PII; avoid email and unsanctioned cloud storage; use secure channels.
What it means here: No PII via email; exports via district-approved secure delivery only.
Implementation & controls:
  • Secure portal/SFTP as designated by the district.
  • Vendor does not use personal cloud drives for PII.
Status: Compliant

Law / Rule: Cookies & Advertising
Requirement: No targeted advertising to students; limit cookies to essential purposes.
What it means here: No ad tech; essential session storage only.
Implementation & controls:
  • No third-party advertising cookies.
  • Only functional cookies/local storage for sessions.
Status: Compliant
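The export rows above (FERPA parental access, Data Exports, Audit & Accountability) describe one server-side gate: the exportsEnabled flag defaults to OFF, the caller's role and whitelist membership are checked, every attempt is audited whether allowed or denied, and a refusal surfaces as "permission-denied". The following is an added example written for this page, not SmartCampus code; the collection and document names (config/policy, config/exportWhitelist, students, attendanceEvents, auditLog), the role set, and the in-memory store standing in for Firestore are all assumptions made for the example.

```javascript
// Added example (not SmartCampus code): a server-side gate for single-student
// exports. Names of collections, documents and roles are assumptions.

const EXPORT_ROLES = new Set(["districtAdmin"]); // assumption: only district admins may export

class PermissionDenied extends Error {
  constructor(reason) {
    super(`export denied: ${reason}`);
    this.code = "permission-denied"; // same code string a Cloud Functions HttpsError would carry
    this.reason = reason;
  }
}

// Pure policy decision. Checks are ordered so the audit reason names the first
// control that refused the request; nothing here touches student data.
function evaluateExport({ actor, policy, whitelist, request }) {
  if (!actor || !actor.uid) return { allow: false, reason: "unauthenticated" };
  if (policy.exportsEnabled !== true) return { allow: false, reason: "exports-disabled" };
  if (!EXPORT_ROLES.has(actor.role)) return { allow: false, reason: "role-not-permitted" };
  if (!whitelist.includes(actor.uid)) return { allow: false, reason: "actor-not-whitelisted" };
  if (!request || !request.studentId) return { allow: false, reason: "missing-student-id" };
  if (!request.leaRequestRef) return { allow: false, reason: "missing-lea-request-ref" };
  return { allow: true, reason: "ok" };
}

// Gate, audit, then (only on allow) read the single student's records.
// A missing policy document is treated as exports OFF, never as ON.
function handleExportRequest(db, actor, request, now = () => new Date()) {
  const policy = db.get("config/policy") || { exportsEnabled: false };
  const whitelist = (db.get("config/exportWhitelist") || { uids: [] }).uids;
  const decision = evaluateExport({ actor, policy, whitelist, request });
  db.add("auditLog", {
    actor: actor && actor.uid ? actor.uid : null,
    action: "export.student",
    target: request && request.studentId ? request.studentId : null,
    outcome: decision.allow ? "allow" : "deny",
    reason: decision.reason,
    leaRequestRef: request && request.leaRequestRef ? request.leaRequestRef : null,
    timestamp: now().toISOString(),
  });
  if (!decision.allow) throw new PermissionDenied(decision.reason);
  const student = db.get(`students/${request.studentId}`);
  // Single-student scope: only this record's events are gathered.
  const events = db.list("attendanceEvents").filter((e) => e.studentId === request.studentId);
  return { student, events };
}

// In-memory stand-in for the database so the example runs offline
// (the equivalent Firestore calls would be awaited in a real Cloud Function).
class MemoryDb {
  constructor(docs = {}, collections = {}) {
    this.docs = { ...docs };
    this.collections = Object.fromEntries(Object.entries(collections).map(([k, v]) => [k, [...v]]));
  }
  get(path) { return Object.prototype.hasOwnProperty.call(this.docs, path) ? this.docs[path] : null; }
  set(path, doc) { this.docs[path] = doc; }
  add(collection, doc) {
    this.collections[collection] = this.collections[collection] || [];
    this.collections[collection].push(doc);
    return doc;
  }
  list(collection) { return this.collections[collection] || []; }
}

// Constructed sample data: policy doc with exports OFF, one whitelisted admin,
// one student record, and events for two students.
function sampleDb() {
  return new MemoryDb(
    {
      "config/policy": { exportsEnabled: false },
      "config/exportWhitelist": { uids: ["uid-district-admin"] },
      "students/S-1001": { studentId: "S-1001", name: "Student One", grade: "7" },
    },
    {
      attendanceEvents: [
        { studentId: "S-1001", room: "B204", status: "present", timestamp: "2025-09-02T08:05:00Z" },
        { studentId: "S-2002", room: "B204", status: "tardy", timestamp: "2025-09-02T08:09:00Z" },
      ],
    },
  );
}

// Same admin, same request: denied while the flag is OFF, allowed once it is ON.
// Returns the audit trail so both attempts can be inspected.
function demo() {
  const db = sampleDb();
  const admin = { uid: "uid-district-admin", role: "districtAdmin" };
  const request = { studentId: "S-1001", leaRequestRef: "LEA-REQ-42" };
  let denied = null;
  try { handleExportRequest(db, admin, request); } catch (e) { denied = e; }
  db.set("config/policy", { exportsEnabled: true });
  const exported = handleExportRequest(db, admin, request);
  return { denied, exported, audit: db.list("auditLog") };
}
```

Two details matter more than the happy path: the audit entry is written before any student data is read, so a denied attempt is recorded even if the function later fails, and an absent or malformed policy document fails closed (exports OFF) rather than open.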

Security Controls

District Commitments (Utah LEAs)

This service is operated under district direction and the Utah NDPA. The following commitments reflect common Utah LEA data governance and IT security expectations:

For District Reviewers: The executed NDPA and Subprocessor Schedule (listing Google/Firebase), a one-page Data Inventory, and a Security Summary are available on request. We do not process real student PII until the NDPA is fully executed.

Emergency Accounting (Last-Known Location)

For drills and real incidents, authorized staff may view a student’s last-known location and time based on recent classroom scans and attendance events. This is a read-only view; there is no continuous tracking. Access is role-restricted and audited.
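The "last-known location" view described here and in the Data Minimization row above is a derivation over attendance/scan events, not a position feed. The following added example (written for this page, not SmartCampus code) shows that derivation: the newest event per student within a staleness window, with stale, future-dated and malformed events excluded and students who have no recent event listed as unaccounted rather than guessed. Field names, the four-hour window and the sample events are assumptions constructed for the example.

```javascript
// Added example (not SmartCampus code): deriving "last-known location & time"
// from attendance/scan events. Field names and the window are assumptions.

const DEFAULT_MAX_AGE_MS = 4 * 60 * 60 * 1000; // assumption: events older than 4h are not "recent"

// Most recent event for the student within the window, or null when none exists.
// The caller must present the result as "last-known", not "current": it is the
// last scan or attendance mark, not a live position.
function lastKnownLocation(events, studentId, now, maxAgeMs = DEFAULT_MAX_AGE_MS) {
  const nowMs = now.getTime();
  let latest = null;
  for (const ev of events) {
    if (ev.studentId !== studentId) continue;
    const t = Date.parse(ev.timestamp);
    if (Number.isNaN(t) || t > nowMs) continue; // malformed or future-dated: ignore
    if (nowMs - t > maxAgeMs) continue;         // stale: would mislead during an incident
    if (latest === null || t > latest.t) latest = { ev, t };
  }
  if (latest === null) return null;
  const { ev, t } = latest;
  return {
    studentId,
    // An "absent" mark is still a fact worth showing: the student was not in that room.
    location: ev.status === "absent" ? null : ev.room,
    status: ev.status,
    recordedBy: ev.staffActor,
    time: new Date(t).toISOString(),
    ageMinutes: Math.round((nowMs - t) / 60000),
  };
}

// Roll-call view for a list of students (a drill or an incident).
function emergencyAccounting(events, studentIds, now, maxAgeMs = DEFAULT_MAX_AGE_MS) {
  const accounted = [];
  const unaccounted = [];
  for (const id of studentIds) {
    const lk = lastKnownLocation(events, id, now, maxAgeMs);
    if (lk) accounted.push(lk); else unaccounted.push(id);
  }
  return { accounted, unaccounted };
}

// Constructed sample events: two scans for S-1001, an absence mark for S-2002,
// a day-old scan for S-3003, and one malformed record that must be ignored.
const SAMPLE_EVENTS = [
  { studentId: "S-1001", room: "B204", status: "present", staffActor: "t-01", timestamp: "2025-09-02T08:05:00Z" },
  { studentId: "S-1001", room: "C110", status: "present", staffActor: "t-02", timestamp: "2025-09-02T09:02:00Z" },
  { studentId: "S-2002", room: "B204", status: "absent",  staffActor: "t-01", timestamp: "2025-09-02T08:05:00Z" },
  { studentId: "S-3003", room: "A101", status: "present", staffActor: "t-03", timestamp: "2025-09-01T14:00:00Z" },
  { studentId: "S-1001", room: "ZZZ",  status: "present", staffActor: "t-09", timestamp: "not-a-date" },
];

// Run the roll call at 09:30 on the sample day.
function demoRollCall() {
  const now = new Date("2025-09-02T09:30:00Z");
  return emergencyAccounting(SAMPLE_EVENTS, ["S-1001", "S-2002", "S-3003", "S-4004"], now);
}
```

The staleness cutoff is the design choice a reviewer should question: too short and a drill during a long block period shows everyone as unaccounted, too long and yesterday's scan is presented as today's location. Whatever value is chosen, the view should show the event time and age next to the room so staff can judge it, which is what the "last-known location & time" wording commits to.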

Retention & Deletion

We follow LEA retention schedules. On written instruction from an LEA, we delete or return data within agreed timelines, subject to legal requirements.

Incident Response (R277-487)

We promptly investigate suspected security incidents and notify the LEA without undue delay once confirmed, supporting the LEA’s obligations for state reporting and communications.

Appendices

For district reviewers: the following summaries are included for convenience. Full NDPA and Subprocessor Schedule are provided upon request.

Appendix A — Data Inventory (1 page)

Effective: August 25, 2025

Product: SmartCampus Attendance (GetSmartCampus)
Provider: Smart Campus Systems, LLC
Purpose: Classroom attendance & hall-pass/call-down operations; support emergency accounting by showing a student’s last-known location & time from scan/attendance events (no continuous tracking).
Legal basis/role: School-official service under FERPA; aligned with Utah SDPA (Title 53E-9) and USBE Rule R277-487; governed by the district’s Utah NDPA.

Data Subjects

  • Students (operational attendance context)
  • Authorized staff users (teachers, secretaries, admins, district admins)

Student Data Elements (minimal set)

  • Identifiers & roster context: student name, student ID, school, grade (if provided), class/section, period/term, teacher ID/name.
  • Attendance/scan events: timestamp, room/teacher reference, status (present/tardy/absent), staff actor.
  • Operational status: temporary hall-pass/call-down state (if used).
  • System metadata: document IDs/refs needed to operate.
  • Audit logs: administrative actions (e.g., export attempts/outcomes), actor, timestamp, reason/result.

Staff User Data

Name, work email/ID, role/permissions, and activity/audit logs needed for security and support.

Not Collected / Not Used

No GPA/transcripts; no counselor notes; no behavior/discipline analytics; no health/IEP/504 data; no biometric data; no continuous device/geolocation tracking; no targeted advertising identifiers.

Derived / Aggregate

De-identified service metrics (e.g., usage counts, uptime) for reliability and planning—never for advertising.

Sources & Sharing

  • Sources: LEA-provided rosters/schedules; staff-initiated attendance/scan events.
  • Sharing: Within the LEA to authorized staff only; no sale of student data; disclosures only per FERPA/Utah law.
  • Subprocessor: Google LLC (Firebase/Google Cloud) — Cloud Firestore (DB), Cloud Functions (server logic), Cloud Storage (static assets). U.S. regions only.

Exports & Delivery

Single-student exports only, admin-only, policy-controlled (default OFF), and fully audited. No PII by email; when authorized, delivery uses a district-approved secure channel (e.g., secure portal/SFTP).

Retention & Deletion

Follows district retention schedules and written instructions; the vendor deletes or returns data upon request. Audit logs are retained for at least 180 days; current practice is indefinite retention, and retention never falls below 90 days.

Appendix B — Security Summary (1 page)

Effective: August 25, 2025

Architecture: Web application for authorized staff; backend on Google Cloud Firebase (Cloud Firestore, Cloud Functions, Cloud Storage) in U.S. regions.

Access Control & Identity

  • Staff-only; teachers see only their students (least privilege).
  • Role-based authorization (teacher/secretary/admin/district admin).
  • Sensitive operations (e.g., exports) are admin-only and policy-gated (default OFF).

Data Protection

  • In transit: HTTPS/TLS for all traffic; HSTS/CSP/modern headers.
  • At rest: Encryption via Google Cloud.
  • Data minimization: only identifiers, roster context, attendance/scan events, and audit logs. No continuous tracking.

Application Security

  • Defense-in-depth: server-side policy checks; Firestore Security Rules (deny client writes where server authority is required; restrict reads by role/roster); restricted client access to configuration; input validation and error handling.
  • Secrets & config managed in cloud environment; least-privilege service accounts.
  • No public endpoints for student data.
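The Firestore Security Rules bullet above names three properties: clients cannot write where the server is authoritative, reads are scoped by role and roster, and configuration is not readable by ordinary clients. The following rules file is an added example written for this page, not the product's deployed ruleset; the collection names (staff, config, students, attendanceEvents, auditLog), the field names (role, teacherIds, teacherId, staffActor, status, timestamp) and the role strings are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    function signedIn() { return request.auth != null; }
    // Role comes from a staff profile that only the server (Admin SDK) writes.
    function staffRole() {
      return get(/databases/$(database)/documents/staff/$(request.auth.uid)).data.role;
    }
    function isAdmin() { return signedIn() && staffRole() in ['admin', 'districtAdmin']; }
    function isTeacher() { return signedIn() && staffRole() == 'teacher'; }

    // Staff profiles: a user may read their own, admins may read all, no client writes.
    match /staff/{uid} {
      allow read: if signedIn() && (request.auth.uid == uid || isAdmin());
      allow write: if false;
    }

    // Policy/config (e.g. exportsEnabled): admin-only reads, never client-writable.
    match /config/{doc} {
      allow read: if isAdmin();
      allow write: if false;
    }

    // Roster-scoped reads: a teacher sees a student only when listed on that student's teacherIds.
    match /students/{studentId} {
      allow read: if isAdmin() || (isTeacher() && request.auth.uid in resource.data.teacherIds);
      allow write: if false;   // rosters are loaded from the LEA by the server
    }

    // Attendance/scan events: teachers read their own; a create must carry the caller's
    // uid, the server time and a known status, and must reference a student on the
    // caller's roster. Events are never edited or deleted from a client.
    match /attendanceEvents/{eventId} {
      allow read: if isAdmin() || (isTeacher() && resource.data.teacherId == request.auth.uid);
      allow create: if isTeacher()
        && request.resource.data.teacherId == request.auth.uid
        && request.resource.data.staffActor == request.auth.uid
        && request.resource.data.timestamp == request.time
        && request.resource.data.status in ['present', 'tardy', 'absent']
        && request.auth.uid in get(/databases/$(database)/documents/students/$(request.resource.data.studentId)).data.teacherIds;
      allow update, delete: if false;
    }

    // Audit log: appended only by Cloud Functions through the Admin SDK, which bypasses
    // these rules entirely; clients can neither append to nor alter it.
    match /auditLog/{entryId} {
      allow read: if isAdmin();
      allow write: if false;
    }

    // Every path not matched above is denied by default.
  }
}
```

Two caveats a reviewer should keep in mind. First, the Admin SDK used by Cloud Functions is not subject to these rules at all, so the export policy flag and the audit write have to be enforced in the function code itself; the rules only stop clients from bypassing that function. Second, each get() in a rule counts toward the per-request document access limit (10 for single-document reads and queries), so role and roster lookups that chain several get() calls can fail a request that should succeed; denormalizing the role into custom auth claims removes the staff lookup from the rules path.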

Exports & Delivery

  • Single-student exports only; admin-only; policy-controlled; fully audited.
  • No PII via email; authorized copies delivered through district-approved secure transfer (e.g., secure portal/SFTP).

Auditing & Monitoring

  • Log administrative actions and export attempts (actor, timestamp, action, result/reason).
  • Audit log retention: at least 180 days (currently indefinite; never fewer than 90 days).
  • Logs available to authorized district personnel upon request.

Incident Response & Continuity

  • Investigate suspected incidents and notify the district without undue delay once confirmed; coordinate per district policy (R277-487).
  • Regular backups and disaster-recovery procedures; cloud multi-zone resilience.

Compliance Alignment

  • FERPA (school-official role; parental access supported via admin-run single-student export).
  • Utah SDPA (Title 53E-9) and USBE Rule R277-487 (confidentiality, least privilege, incident handling).
  • No targeted advertising; no sale of student data.

Subprocessors

Google LLC (Firebase/Google Cloud) — Cloud Firestore, Cloud Functions, Cloud Storage (U.S. regions). Listed on the NDPA Subprocessor Schedule; changes notified per contract.

Contacts

District questions: LEAs should contact their own Data Privacy Officer for student-record requests and policy matters.
Product security & privacy: Please use the Contact link in this site’s footer to reach our security/privacy team.

This page summarizes technical and organizational controls. Contractual terms are governed by the executed DPA/NDPA with each LEA.