Montessori Makers Group

MMAP Compliance

Security & Compliance

MMAP is built from the ground up for schools. FERPA-aligned by design, with the technical safeguards and legal paperwork to back it up.

Compliance frameworks

MMAP is designed to comply with US federal and state student data privacy laws. Every school that licenses MMAP signs a Data Processing Agreement (DPA) that names us as a FERPA "school official" and obligates us to the commitments below.

  • FERPA (20 U.S.C. § 1232g) — MMAP operates as a "school official" under 34 C.F.R. § 99.31(a)(1)(i)(B)
  • COPPA (15 U.S.C. § 6501 et seq.) — school acts as parent's agent for consent under § M.1
  • New York Education Law § 2-d and 8 NYCRR Part 121 (Parents' Bill of Rights supplement included in DPA)
  • California SOPIPA (Ed Code § 22584) and AB 1584 (§ 49073.1)
  • Colorado HB 16-1423
  • Connecticut student data privacy law
  • E-SIGN Act / UETA for in-platform signed documents

Technical safeguards

US data residency

Database and application hosted in US regions. Supabase us-east-1 (Virginia) and Vercel US edge network.

Tenant isolation

Row-level security enforced at the Postgres layer. Cross-school access is blocked at the database, not just the application.

Encryption

TLS 1.2+ in transit (HSTS enforced). AES-256 at rest for both database and file storage.

Authentication & MFA

JWT-based auth on every data endpoint. Multi-factor authentication required for admin roles.

Role-based access

Nine distinct roles with scoped permissions: platform_admin, admin, faculty, guide, specialist, coach, board, board_view, parent.

Idle session timeouts

Role-aware timeouts from 30 to 120 minutes. Dismissible warning before automatic logout.

Audit logging

Write actions on student records are logged. FERPA § 99.32 disclosure log records every third-party disclosure.

Backups & recovery

Daily automated backups with 7+ day retention. RTO 4 hours, RPO 24 hours. Quarterly restore testing.

Secrets hygiene

API keys and service tokens stored in Supabase secret store and Vercel environment variables. No secrets in git.

PII-safe logging

Edge function logs sanitized to exclude student PII. Query strings stripped from logged URLs.

Privacy flags per student

Directory-information opt-out (FERPA § 99.37), photo-release consent, media consent, and AI-processing opt-out tracked per student.

Parent amendment workflow

FERPA § 99.20 amendment requests tracked with full status history through hearing completion.

Our commitments to schools

  • No selling or renting of student, family, or staff data — ever.
  • No advertising or marketing use of student data.
  • No training external ML models on school data. Anthropic Claude API is contractually prohibited from training on customer data.
  • No student profiling beyond authorized educational use.
  • 72-hour breach notification from confirmation of a security incident.
  • 30-day data return or deletion on termination, with a certificate of destruction on request.
  • 30 days' notice before adding or replacing any sub-processor.

Honest about what's still in progress

Transparency matters. Here's where MMAP is still maturing, with target remediation timelines:

  • Read-access audit log — currently only write actions are logged. Target: Q3 2026.
  • Self-service parent inspect/amend UI in the family portal. Target: Q3 2026.
  • Third-party penetration test. Target: before the 10th school.
  • SOC 2 Type II for MMAP itself. (Our hosting infrastructure — Supabase and Vercel — is already SOC 2 Type II.) Target: Year 2+.
  • Cross-region database failover. Target: on Supabase Team plan upgrade.

Documents for school review

Everything your privacy officer, IT director, or district counsel needs to complete vendor review. Request any of the following from privacy@montessorimakersalignmentmap.com:

  • Data Processing Agreement (DPA) template with NY Parents' Bill of Rights supplement
  • Data Security Plan (NIST CSF 2.0 aligned)
  • Incident Response Plan with 72-hour notification playbook
  • Parent Rights workflow (FERPA inspect / amend / consent / complain)
  • Pre-answered K-12 vendor security questionnaire (CoSN TLE / SDPC format)
