Compliance

Last updated: April 7, 2026

Overview

Celerity is built for K-12 education. Compliance with federal and state student data privacy laws is foundational to how we design, build, and operate the platform. This page provides a central reference for our compliance posture, key documents, and the frameworks we follow.

Federal Compliance

FERPA

Celerity operates as a "school official" under 34 CFR §99.31(a)(1), processing education records on behalf of districts under a legitimate educational interest. Our Data Processing Agreement formalizes this relationship, including:

  • Direct control by the contracting district over the purpose and scope of data access
  • Prohibition on re-disclosure of personally identifiable information from education records
  • Data use limited exclusively to the contracted service
  • Deletion of all education records upon contract termination

COPPA

Celerity does not collect personal information directly from children under 13. Schools and districts provide consent under the COPPA school consent exception. Our platform enforces data minimization and prohibits any commercial use of student data.

State Privacy Laws

Celerity maintains compliance with state-level student data privacy statutes. Our DPA and platform controls are designed to satisfy the requirements of the following frameworks:

| State | Law | Status |
|---|---|---|
| Texas | HB 2087 (Student Data Privacy) | Compliant |
| California | SOPIPA (Student Online Personal Information Protection Act) | Compliant |
| New York | Education Law 2-d | Compliant |
| Colorado | Student Data Transparency and Security Act | Compliant |
| Illinois | SOPPA (Student Online Personal Protection Act) | Compliant |
| Connecticut | PA 16-189 (Student Data Privacy) | Compliant |

Additional states will be added as Celerity enters new markets. Contact us if your state has specific requirements.

Student Data Privacy Consortium (SDPC)

Celerity has signed the SDPC National Student Data Privacy Agreement, a standardized framework recognized by school districts nationwide. This streamlines procurement by providing a pre-negotiated DPA that districts can adopt.

Data Flow

Student data flows through the Celerity platform as follows:

District SIS / Data Source
        |
        v
  Keycloak (Authentication)
  OIDC / SAML 2.0 — identity verified
        |
        v
  PostgREST API (Authorization)
  JWT validated — tenant scope enforced
        |
        v
  Tenant Schema (Isolation)
  Schema-per-tenant + row-level security
        |
        v
  Amazon RDS (Storage)
  AES-256 at rest — TLS 1.2+ in transit
  US-only data residency

Each tenant's data is isolated at the database schema level. Cross-tenant access is architecturally prevented by row-level security policies enforced at every query.
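
One way the authorization and isolation steps above can be expressed in PostgreSQL behind PostgREST, as an added example that is not Celerity's code: the schema, table, role and `tenant_id` claim names are assumptions, and `request.jwt.claims` is the setting current PostgREST versions populate from the validated JWT.

```sql
-- Added illustration: all object names and the sample rows are constructed.
CREATE SCHEMA tenant_demo;
CREATE ROLE api_user NOLOGIN;  -- role the API layer switches to per request

CREATE TABLE tenant_demo.enrollment (
    id         bigserial PRIMARY KEY,
    tenant_id  text NOT NULL,
    student_id text NOT NULL,
    grade      text
);

-- Seed constructed rows for two tenants before policies are switched on.
INSERT INTO tenant_demo.enrollment (tenant_id, student_id, grade) VALUES
    ('district_a', 's-1', '7'),
    ('district_b', 's-2', '9');

GRANT USAGE ON SCHEMA tenant_demo TO api_user;
GRANT SELECT, INSERT, UPDATE, DELETE ON tenant_demo.enrollment TO api_user;
GRANT USAGE ON SEQUENCE tenant_demo.enrollment_id_seq TO api_user;

-- Tenant taken from the verified JWT. A missing or empty claim yields NULL,
-- and "tenant_id = NULL" matches no row, so the policy fails closed.
CREATE FUNCTION tenant_demo.jwt_tenant() RETURNS text
LANGUAGE sql STABLE AS $$
  SELECT nullif(current_setting('request.jwt.claims', true), '')::jsonb
         ->> 'tenant_id'
$$;

ALTER TABLE tenant_demo.enrollment ENABLE ROW LEVEL SECURITY;
ALTER TABLE tenant_demo.enrollment FORCE ROW LEVEL SECURITY;  -- owner included

-- USING filters what is read or targeted; WITH CHECK constrains what is written.
CREATE POLICY tenant_isolation ON tenant_demo.enrollment
  FOR ALL TO api_user
  USING      (tenant_id = tenant_demo.jwt_tenant())
  WITH CHECK (tenant_id = tenant_demo.jwt_tenant());

-- Simulate one request carrying a district_a token.
BEGIN;
SET LOCAL ROLE api_user;
SELECT set_config('request.jwt.claims', '{"tenant_id":"district_a"}', true);
SELECT tenant_id, student_id FROM tenant_demo.enrollment;
ROLLBACK;
```

`FORCE ROW LEVEL SECURITY` matters because a table owner otherwise bypasses policies; superusers and roles with `BYPASSRLS` are exempt regardless, so the API role should have neither attribute.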

Data Classification

| Classification | Examples | Handling |
|---|---|---|
| Education Records (FERPA) | Grades, enrollment, assessments, IEP data | Encrypted, tenant-isolated, access logged, no commercial use |
| Personally Identifiable Information | Student names, IDs, dates of birth, contact info | Encrypted, access restricted to authorized roles, never in logs |
| Directory Information | School name, grade level, enrollment status | Treated as PII unless district designates otherwise |

Data Retention & Deletion

  • Customer data is retained only for the duration of the service agreement
  • Upon contract termination, all tenant data is purged within 30 days
  • Districts may request a data export before deletion
  • Celerity provides a signed deletion certification letter confirming all data has been destroyed
  • Backups containing tenant data are purged on the same schedule

Prohibited Uses

Celerity will never:

  • Sell student data or use it for targeted advertising
  • Use student data to build profiles for non-educational purposes
  • Train machine learning or AI models on student data
  • Share data with third parties except as required to operate the service (see sub-processor list in DPA)

Parent & Guardian Rights

Under FERPA, parents and eligible students have the right to inspect and review education records. Celerity supports this process:

  • Districts submit data export requests through the Celerity portal or via their account representative
  • Celerity provides the requested data export within 10 business days
  • Requests for amendment or correction are handled by the contracting district, with Celerity providing technical support as needed

Documents

The following compliance documents are available. Per-customer agreements (DPA, MSA) are provided during onboarding and are accessible through the customer portal.

| Document | Access |
|---|---|
| Privacy Policy | Public |
| Security Practices | Public |
| Acceptable Use Policy | Public |
| Responsible Disclosure Policy | Public |
| Data Processing Agreement (DPA) | Customer portal |
| Master Service Agreement (MSA) | Customer portal |
| Service Level Agreement (SLA) | Customer portal |

Contact

Compliance inquiries: privacy@celerityedu.com

Security inquiries: security@celerityedu.com