Security & trust

Student data is the most sensitive thing a school can hand a vendor. Here is exactly how we protect it.

FERPA school official

nOS operates as a “school official” under FERPA, acting only under each school’s direction.

Encrypted in transit & at rest

TLS 1.2+ in transit and industry-standard encryption at rest. Deprecated protocols are rejected.

US-based hosting

All data is hosted on US cloud infrastructure with logical tenant isolation per school.

Never sold, never trains AI

Student data is never sold, rented, or used to train general-purpose AI models. Ever.

72-hour breach notice

Confirmed breaches are reported to affected schools within 72 hours of discovery.

Least-privilege access

Production access is need-to-know, MFA-protected, reviewed regularly, and revoked promptly.

This overview describes the administrative, technical, and physical measures nOS maintains to protect the confidentiality, integrity, and availability of school and student data. It reflects our security posture as of the effective date; we continuously evaluate and improve our controls.

1. Organizational security

1.1 Security responsibility

nOS designates responsible personnel to oversee information-security practices, including vendor assessments, policy enforcement, and incident coordination.

1.2 Employee training

All nOS personnel with access to school or student data receive security and privacy training upon hire and at least annually, covering data-handling obligations, phishing awareness, password hygiene, and incident reporting.

1.3 Access control

Access to production systems and student data is restricted on a need-to-know basis. Privileged access requires multi-factor authentication. Access rights are reviewed periodically and revoked promptly upon employee departure.

1.4 Background checks

nOS conducts background screenings for employees who will have access to production environments or student data, consistent with applicable law.

2. Data security

2.1 Encryption in transit

All data transmitted between school users and the nOS platform is encrypted using TLS 1.2 or higher. Connections using deprecated protocols are rejected.

2.2 Encryption at rest

Student data stored in nOS production databases is encrypted at rest using industry-standard encryption algorithms.

2.3 Data isolation

nOS employs logical data-isolation controls so that data from one school tenant is not accessible to another. Our multi-tenant architecture enforces access boundaries at the application and database layers.

2.4 Database security

Database access is restricted to authorized application processes and privileged personnel via encrypted connections. Direct public access to production databases is not permitted.

3. Infrastructure and hosting

3.1 Cloud infrastructure

The nOS platform is hosted on cloud infrastructure located in the United States. nOS leverages the physical-security controls, redundancy, and compliance posture of its cloud infrastructure providers.

3.2 Availability and backups

nOS maintains automated backup procedures for production data. Backups are encrypted, stored separately from primary production systems, and their integrity is periodically verified.

3.3 Patch management

nOS applies security patches and updates to operating systems, software dependencies, and platform components in a timely manner. Critical security patches are applied on an expedited basis.

4. Application security

4.1 Secure development

nOS follows secure software-development practices, including code review and dependency vulnerability scanning. Security considerations are incorporated into feature development and release workflows.

4.2 Authentication

The platform uses session-based authentication with cryptographically signed tokens. Password requirements enforce minimum complexity standards, and session tokens expire after defined inactivity periods.

4.3 Vulnerability management

nOS reviews its platform for known vulnerabilities on a regular basis. Identified vulnerabilities are prioritized and remediated based on risk severity.

5. Incident response

nOS maintains an internal Incident Response Plan for security incidents involving school or student data. In the event of a confirmed data breach, nOS will notify affected schools within 72 hours of discovery, consistent with applicable law and the Data Processing Agreement.

6. Subprocessors

nOS engages a small number of vetted subprocessors to operate the Service. Each is contractually required to maintain data-protection standards at least as protective as our own, to process data only as directed, and to notify nOS of any security incident. Schools are notified of material changes in accordance with the DPA.

SubprocessorPurposeData location
VercelServerless application hostingUnited States
NeonPostgreSQL database hostingUnited States
AnthropicAI language-model API powering optional AI featuresUnited States
Google (Workspace)Transactional and administrative email deliveryUnited States
SentryApplication error monitoringUnited States
StripeBilling and payment processing (no student data)United States

An itemized version with the data each subprocessor processes is in our Subprocessor List (PDF). If nOS engages a new subprocessor that processes student data, schools receive advance notice and may object as set out in the DPA. Questions: bennettmiller@nosplanner.com.

7. Certifications and assessments

nOS does not currently hold SOC 2 or ISO 27001 certification. We complete reasonable security questionnaires on behalf of schools and maintain security practices commensurate with the sensitivity of the student data we process. We’re happy to walk your IT team through our controls directly.

8. Contact

Security, privacy, accessibility, and data-processing inquiries can be directed to bennettmiller@nosplanner.com. Our privacy policy, accessibility statement, and a signed Data Processing Agreement (DPA) are available to schools on request.

Last reviewed July 16, 2026. This document is provided for informational purposes and is updated to reflect material changes to our security posture.