Trust & Security
Informative Academy is built with security, privacy, and compliance at its core. We protect our learners — especially children — with enterprise-grade safeguards.
Our commitments
How we handle your data
These are non-negotiable principles that guide every decision we make about data.
We never sell personal data
Student, parent, and educator data is never sold, rented, or shared for advertising purposes.
We minimise data collection
We collect only what is necessary to deliver the educational service. Every field has a documented purpose.
We protect children first
Enhanced protections for users under 18, with verifiable parental consent for younger learners.
We give parents control
Parents can review, export, delete, and update consent for linked learner accounts through dedicated parent routes and support workflows.
We don't use student data for AI training
Personal data is never used to train AI models. AI features process anonymised educational prompts only.
We audit ourselves regularly
Quarterly compliance reviews, PII inventory audits, and security assessments are part of our standard operating rhythm.
Security architecture
Enterprise-grade security controls
63 controls across 10 domains, mapped to SOC 2 Trust Service Criteria and ISO 27001 Annex A.
Encryption
All data encrypted in transit (TLS 1.2+) and at rest (AES-256). No exceptions.
Authentication
Firebase Auth with email verification, role-based access control, and session timeout enforcement.
Access Control
Principle of least privilege enforced through Firestore security rules. Every API route requires authentication, App Check, and role verification.
Audit Logging
Comprehensive audit trail on all security-relevant events. Structured logging across 37 domains with tamper-resistant server-side writes.
Data Retention
Defined retention windows with automated daily cleanup. No data kept longer than necessary.
Incident Response
Documented incident response plan with severity classification, containment procedures, and regulatory notification timelines.
Compliance
Framework alignment
We align our security and privacy practices to internationally recognised standards and regulations across the regions we operate in.
SOC 2 Type II
Trust Service Criteria for Security, Confidentiality, and Privacy. Our controls are mapped and evidence collection is ongoing.
ISO 27001
International standard for Information Security Management Systems. Our control register maps directly to Annex A requirements.
COPPA
Children's Online Privacy Protection Act. Verifiable parental consent, data minimisation, and parent rights are core to our platform.
GDPR
General Data Protection Regulation. Data subject rights, lawful basis, and international transfer safeguards.
UK Age Appropriate Design Code
15 standards for online services likely to be accessed by children, including privacy by default and data minimisation.
FERPA
Family Educational Rights and Privacy Act. Student data protection for school and district partnerships.
PDPA
Personal Data Protection Act. Data protection obligations for organisations collecting personal data in Singapore.
Children's privacy
Built for young learners
Informative Academy is primarily built to serve learners aged 11-16, but is available for use from 8-18 years old. Protecting children is not an afterthought; it is the foundation of our platform design.
Parental consent
Parents and guardians must create their own account and verify consent before a child can fully participate. Children without verified consent can only access preview content.
Parent controls
Parents can use linked parent account surfaces and dedicated privacy routes to review learner information, request export or deletion, and withdraw consent at any time through their parent dashboard.
Data minimisation
We collect only what's necessary for the educational experience. No behavioural advertising, no social media tracking, no unnecessary profiling.
Age-appropriate design
Privacy-protective defaults, no dark patterns, no nudge techniques designed to extract data. Our design prioritises the best interests of the child.
Transparency
Sub-processors
We use a limited number of trusted service providers to deliver our platform. Each processes only the data necessary for their specific function.
| Provider | Purpose | Data processed | Region |
|---|---|---|---|
| Google Cloud (Firebase) | Authentication, database, file storage, serverless functions | Account data, educational content, uploaded files | Multi-region (US/EU) |
| Vercel | Web hosting and edge delivery | Request metadata | Global edge network |
| Stripe | Payment processing | Parent billing information only | US / EU |
| MailerSend | Transactional email delivery | Email addresses, first names | EU |
| OpenAI | AI-powered educational features | Anonymised prompts (no personal data) | US |
Questions about security or compliance?
If you are evaluating Informative Academy for your school, district, or organisation, we are happy to discuss our security practices, provide documentation, or answer specific compliance questions.
