Security & Privacy

Security & privacy for schools

MeritBoard turns student work into verified proof — and treats student data with the care schools require. Here is what your IT and procurement teams need to know.

Our posture

Teacher-certified results

The computer does a first-pass assessment; a teacher reviews and must Confirm & Publish every result. Nothing goes public automatically.

Student work never trains AI

Submissions are sent to providers only to judge that contest. Neither we nor they use the data to train models.

FERPA & COPPA aligned

We operate as a "school official" under FERPA, with parental-consent flows for younger students. We do not sell data.

Minimized public data

Public pages show a first name and last initial, or a screen name chosen by the teacher or family.

Deletable within 30 days

Teachers and families can delete any data anytime; deletion completes within 30 days.

We sign your DPA

We execute your district’s Data Privacy Agreement or a standard SDPC/NDPA exhibit on request.

Who processes the data

SupabaseDatabase & authentication
VercelWeb hosting
StripePayments (receives no student work)
OpenAI (GPT-4o)Judging — primary model
Anthropic (Claude)Judging — second judge
Google (Gemini)Judging — tiebreaker only
ResendTransactional email (no student work)

Full list and links to each provider’s policy in the Privacy Policy, §5.

Compliance

MeritBoard aligns with FERPA (as a "school official"), COPPA, and SOPIPA, with data minimization and teacher certification of every result. We are in the process of earning:

  • SDPC National Data Privacy Agreement (in progress)
  • Common Sense Privacy rating (in progress)
  • 1EdTech TrustEd Apps, incl. GenAI self-assessment (in progress)

Full documents

Procurement questions?

We’re ready to sign your DPA or answer any IT, security, or privacy question.