Security & trust
Student data is the most sensitive thing a school can hand a vendor. Here is exactly how we protect it.
Student data is the most sensitive thing a school can hand a vendor. Here is exactly how we protect it.
nOS operates as a “school official” under FERPA, acting only under each school’s direction.
TLS 1.2+ in transit and industry-standard encryption at rest. Deprecated protocols are rejected.
All data is hosted on US cloud infrastructure with logical tenant isolation per school.
Student data is never sold, rented, or used to train general-purpose AI models. Ever.
Confirmed breaches are reported to affected schools within 72 hours of discovery.
Production access is need-to-know, MFA-protected, reviewed regularly, and revoked promptly.
This overview describes the administrative, technical, and physical measures nOS maintains to protect the confidentiality, integrity, and availability of school and student data. It reflects our security posture as of the effective date; we continuously evaluate and improve our controls.
nOS designates responsible personnel to oversee information-security practices, including vendor assessments, policy enforcement, and incident coordination.
All nOS personnel with access to school or student data receive security and privacy training upon hire and at least annually, covering data-handling obligations, phishing awareness, password hygiene, and incident reporting.
Access to production systems and student data is restricted on a need-to-know basis. Privileged access requires multi-factor authentication. Access rights are reviewed periodically and revoked promptly upon employee departure.
nOS conducts background screenings for employees who will have access to production environments or student data, consistent with applicable law.
All data transmitted between school users and the nOS platform is encrypted using TLS 1.2 or higher. Connections using deprecated protocols are rejected.
Student data stored in nOS production databases is encrypted at rest using industry-standard encryption algorithms.
nOS employs logical data-isolation controls so that data from one school tenant is not accessible to another. Our multi-tenant architecture enforces access boundaries at the application and database layers.
Database access is restricted to authorized application processes and privileged personnel via encrypted connections. Direct public access to production databases is not permitted.
The nOS platform is hosted on cloud infrastructure located in the United States. nOS leverages the physical-security controls, redundancy, and compliance posture of its cloud infrastructure providers.
nOS maintains automated backup procedures for production data. Backups are encrypted, stored separately from primary production systems, and their integrity is periodically verified.
nOS applies security patches and updates to operating systems, software dependencies, and platform components in a timely manner. Critical security patches are applied on an expedited basis.
nOS follows secure software-development practices, including code review and dependency vulnerability scanning. Security considerations are incorporated into feature development and release workflows.
The platform uses session-based authentication with cryptographically signed tokens. Password requirements enforce minimum complexity standards, and session tokens expire after defined inactivity periods.
nOS reviews its platform for known vulnerabilities on a regular basis. Identified vulnerabilities are prioritized and remediated based on risk severity.
nOS maintains an internal Incident Response Plan for security incidents involving school or student data. In the event of a confirmed data breach, nOS will notify affected schools within 72 hours of discovery, consistent with applicable law and the Data Processing Agreement.
nOS engages a small number of vetted subprocessors to operate the Service. Each is contractually required to maintain data-protection standards at least as protective as our own, to process data only as directed, and to notify nOS of any security incident. Schools are notified of material changes in accordance with the DPA.
| Subprocessor | Purpose | Data location |
|---|---|---|
| Vercel | Serverless application hosting | United States |
| Neon | PostgreSQL database hosting | United States |
| Anthropic | AI language-model API powering optional AI features | United States |
| Google (Workspace) | Transactional and administrative email delivery | United States |
| Sentry | Application error monitoring | United States |
| Stripe | Billing and payment processing (no student data) | United States |
An itemized version with the data each subprocessor processes is in our Subprocessor List (PDF). If nOS engages a new subprocessor that processes student data, schools receive advance notice and may object as set out in the DPA. Questions: bennettmiller@nosplanner.com.
nOS does not currently hold SOC 2 or ISO 27001 certification. We complete reasonable security questionnaires on behalf of schools and maintain security practices commensurate with the sensitivity of the student data we process. We’re happy to walk your IT team through our controls directly.
Security, privacy, accessibility, and data-processing inquiries can be directed to bennettmiller@nosplanner.com. Our privacy policy, accessibility statement, and a signed Data Processing Agreement (DPA) are available to schools on request.
Last reviewed July 16, 2026. This document is provided for informational purposes and is updated to reflect material changes to our security posture.