Sure Step Education
IEP Compliance Tracker

Privacy Policy

Last updated: July 2, 2026
The IEP Compliance Tracker ("the Service") is a special-education compliance tool provided by Sure Step Education to school districts. This policy explains what information the Service handles, where it is stored, who can access it, and the choices available to districts and their staff. We aim to state our actual practices plainly and not to overstate our protections.
Who controls the data. The school district is the educational agency that owns and controls student education records. Sure Step Education acts as the district's service provider (a "school official" with a legitimate educational interest under FERPA, and a service provider under California SOPIPA and AB 1584). Parents and eligible students exercise their rights over education records through their district, not through Sure Step.

1. Information the Service handles

Staff enter or import the following categories of student data to track IEP compliance:

Caseload files exported from SEIS are parsed in the staff member's browser. The original file is not uploaded; only the parsed records are saved to the destinations described below.

2. Where the data is stored

3. Who can access student data

Access is enforced at the database with row-level security, so it cannot be bypassed by the app:

RoleCan access
Case ManagerOnly their own students.
Site AdministratorStudents at their own school site.
DirectorStudents across all sites in their district, plus aggregate compliance reports.
Founder (Sure Step)No student data and no staff roster. Founders see only which districts have access, contract information, and headcount/enrollment counts — for business administration. This restriction is enforced at the database.

Sure Step personnel do not access a district's student records except where a district explicitly requests support and authorizes it in writing.

4. How the data is used

Student data is used solely to provide the compliance-tracking Service to the district: tracking deadlines, scheduling meetings, generating required notices, and producing compliance reports for district staff. We do not sell student data, use it for advertising, or build advertising profiles, and we do not use it to train artificial-intelligence models. The Service contains no third-party advertising or analytics trackers.

4a. AI-assisted Prior Written Notice drafting

The Service offers an optional feature that uses artificial intelligence (Anthropic's Claude) to help a case manager draft a Prior Written Notice from the district's own template and a few answers the staff member provides. This feature is designed to minimize what is shared:

This feature is off unless a district uploads a PWN template and a staff member chooses to use it. Anthropic is listed as a subprocessor below.

5. Subprocessors

We use the following service providers. Each is engaged under its own terms; those that store or transmit student data do so under a data-protection commitment.

ProviderPurposeStudent data?
SupabaseDatabase, authentication, hosting of records (US region)Yes
VercelHosting of the static web applicationNo (serves app files only)
GoogleOptional "Sign in with Google" identityIdentity only (email), not student records
Anthropic (Claude)Optional AI drafting of Prior Written NoticesDe-identified text only — names replaced with placeholders before sending; not used to train models
ResendTransactional email (e.g. notifying a site administrator that a meeting needs approval)Minimal — a student's last name + first initial, grade, and meeting date/room; never disability or IEP content
jsDelivr / SheetJS (CDN)Delivery of the sign-in, Excel-reader, and document-parsing librariesNo

Adding any new subprocessor that touches student data is disclosed here before it is used.

6. Security

No system is perfectly secure, and we do not claim otherwise. We work to protect data using reasonable, industry-standard measures appropriate to the sensitivity of student records.

7. Data retention and deletion

8. Rights of parents and eligible students

Because the district controls its education records, requests to review, correct, or delete a student's records are handled by the district under FERPA and California law. Sure Step supports the district in fulfilling such requests.

9. Data-protection agreements

Sure Step enters into data-protection/privacy agreements with districts (for example, an NDPA-style DPA) that govern the handling of student data consistent with FERPA, California Education Code §49073.1 (AB 1584), and SOPIPA (California B&P Code §22584). Districts should have such an agreement in place before loading real student data.

10. Children's privacy

The Service is used by district staff, not by students, and collects student information only from the district as part of providing the Service. It is intended for a school context under the district's authority.

11. Changes to this policy

If we make a material change to how student data is handled, we will update this page and notify districts as required by applicable law before the change takes effect.

12. Contact

Questions about this policy or a district's data can be directed to:
Nicholas Crabtree, Sure Step Education — nick@surestepeducation.com

© 2026 Sure Step Education. This policy describes the IEP Compliance Tracker Service and is provided for transparency; it does not itself constitute a data-protection agreement between Sure Step and a district.  ·  ← Back to the app