- SOC 2 Type 1 Attested
- FERPA Aligned
- COPPA Aligned
- VPAT 2.4 / WCAG 2.0 AA Conformant
- Student Privacy Pledge Signatory
- US Data Residency: GCP, United States
Privacy and Security documents
Documents that cover security, accessibility, privacy, and the contract for K-12 schools and districts.
- Security (Current)
  SOC 2 Type 1 Report
  Last updated January 2025
  Independent service auditor report on the design of CoGrader's security controls, mapped to the AICPA Trust Services Criteria.
- Accessibility (Current)
  VPAT 2.4 / WCAG 2.0 AA
  Last updated February 2026
  Voluntary Product Accessibility Template documenting conformance with WCAG 2.0 Levels A and AA and Revised Section 508.
- Privacy (Current)
  Privacy Policy
  Last updated April 2026
  How CoGrader collects, uses, discloses, and protects personal information. Aligned with the Student Privacy Pledge, FERPA, and COPPA.
- Legal (Current)
  Terms & Fulfillment
  Last updated April 2026
  Master terms, intellectual property, liability, fulfillment, refunds, cancellation, and service-level commitments.
- Contract (Available on request)
  Master Services Agreement + DPA
  Last updated May 2026
  Reference Master Services Agreement for K-12 schools and districts, with Order Form (Exhibit A) and Data Processing Addendum (Exhibit B).
- AI Transparency (Current)
  AI Transparency Note
  Last updated April 2026
  How CoGrader uses AI responsibly: providers, model handling, parent opt-out rights, and alignment with the EdSAFE AI SAFE framework.
Read the full CoGrader Privacy Policy
How we collect, use, and protect student and teacher data. Aligned with FERPA, COPPA, and the Student Privacy Pledge.
Need more? Reach out at security@cograder.com.
SOC 2 Type 1 Report
Independent service auditor report on the design of our security controls, mapped to the AICPA Trust Services Criteria.
Service commitments
- Databases encrypted at rest with AES-256
- TLS 1.2+ for all data in transit over public networks
- Least-privilege identity and access management
- MFA enforced wherever supported
- Full-disk encryption and screen locks on workstations
- Security awareness training for all employees
- Background checks on new hires, subject to local law
- Quarterly vulnerability scans and continuous threat monitoring
- Annual third-party penetration tests and risk assessments
- Documented incident response and BC / DR plans, tested annually
Accessibility conformance
Voluntary Product Accessibility Template covering WCAG 2.0 A and AA and Revised Section 508.
| Standard | Conformance |
|---|---|
| WCAG 2.0 Level A | Supports |
| WCAG 2.0 Level AA | Supports |
| Revised Section 508 (January 2017) | Supports |
Highlights
- All Level A and Level AA success criteria reported as Supports
- Bypass blocks, page titles, focus order, and link purpose conform across the web app
- Authoring-tool criteria for content creation and PDF export documented as Supports
- Captions, audio description, and user controls in supported media flows
To report an accessibility issue, request an alternate format, or get help mapping CoGrader to a district checklist, email security@cograder.com.
Privacy Policy
CoGrader does not sell student data and does not use student data to train AI models. Aligned with the Student Privacy Pledge, FERPA, and COPPA.
We will not
- Sell student personally identifiable information (PII)
- Use student data for behavioral advertising or non-educational profiling
- Use or permit third-party AI providers to use student data to train AI models
- Make material privacy changes without prominent notice to institutions
- Retain student PII beyond the period required to support educational use
We will
- Collect, use, and retain student PII only for authorized educational purposes
- Disclose clearly what is collected and how it is used in policies and contracts
- Maintain a security program with administrative, technical, and physical safeguards
- Support access and correction of student PII through the institution
- Require vendors who handle student PII to follow these same commitments
- Incorporate privacy and security by design when developing or improving products
What we collect
- Teachers: Name, email address, school affiliation, contact information.
- Students: Indirect data only, provided by teachers (names or identifiers for grading).
- Grading data: Assignment questions, rubrics, and student answers, treated as FERPA educational records.
- Usage: IP address, device information, browser type, and interaction patterns.
Terms & Fulfillment
Master terms covering eligibility, governing law, service-level commitments, fulfillment, refunds, cancellation, and the free trial.
Service-level agreement
- Target uptime of 99.9% on production services
- Scheduled maintenance announced at least 48 hours in advance
- Status updates published during unexpected disruptions
Fulfillment
- Account activation within 24 hours of subscription purchase
- School and district onboarding scheduled within 5 business days
- All tier features available for the subscription period
Refunds and cancellation
- 14-day satisfaction window from initial purchase
- Refunds processed within 5 to 7 business days
- Self-service cancellation through account settings
- Annual and multi-year plans take effect at the end of the term
Free trial
- No payment information required to begin a free trial
- Email notification before trial expiration
- Account downgrades to limited functionality if no subscription starts
MSA + Data Processing
Reference Master Services Agreement for K-12 schools and districts. Includes the standard Order Form (Exhibit A) and Data Processing Addendum (Exhibit B) covering FERPA, COPPA, sub-processors, and AI training prohibitions.
How to use it
- Share this MSA with legal and procurement as a starting redline.
- Request a counter-signed copy or proposed edits at security@cograder.com.
- Use Exhibit A to specify students, submissions per year, term length, and payment cadence.
- Use Exhibit B for district privacy review. SOC 2 reports may substitute for the annual audit right.
Student data ground rules
- FERPA school-official designation with a legitimate educational interest
- No use of student data for advertising, marketing, or non-educational profiling
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- AI-assisted grading is advisory and always subject to educator review
Reach the right team
One inbox routes to security, privacy, accessibility, and contracts.
Contact for procurement and compliance
Contact us
- Security & SOC 2: DPAs, SOC 2 letters, custom security questionnaires.
- Accessibility & VPAT: Conformance questions, alternate formats, remediation status.
- Privacy & FERPA: Data subject requests, deletion, parent inquiries, SDPC NDPA.
- Contracts & MSA: MSA redlines, Order Forms, district-wide rollouts.
Frequently Asked Questions
Quick answers for district IT, procurement, privacy, and accessibility teams.
Is CoGrader FERPA compliant?
Yes. CoGrader helps institutions meet their FERPA obligations. We act as a school official with a legitimate educational interest, treat student work as FERPA educational records, and require the same of any sub-processor that handles student PII. See the Privacy Policy and the Data Processing Addendum in our MSA for the full commitments.
Is CoGrader COPPA compliant?
Yes. CoGrader supports COPPA through the school-consent exception: schools and districts authorize use on behalf of students under 13, and we collect only the minimum data needed to provide grading and feedback. CoGrader does not sell student PII and does not use it for behavioral advertising.
Is CoGrader SOC 2 certified?
CoGrader has a current SOC 2 Type 1 attestation against the AICPA Trust Services Criteria for Security. The report is available on request at security@cograder.com.
Does CoGrader use student data to train AI models?
No. CoGrader does not use student data to train AI models, and we contractually prohibit each of our AI inference providers (OpenAI, Anthropic, Azure OpenAI, Google Gemini) from using customer data for training, fine-tuning, or model improvement.
Where is CoGrader data stored?
All customer data is stored and processed in the United States on Google Cloud Platform, primary region us-central1 (Council Bluffs, Iowa). Backups are encrypted and managed by GCP. See the Data Residency page for details.
Does CoGrader sign Data Processing Agreements?
Yes. Our reference Master Services Agreement includes a Data Processing Addendum (Exhibit B) covering FERPA, COPPA, sub-processors, US data residency, breach notification within 72 hours, retention and deletion, and a contractual prohibition on AI model training. We sign the SDPC National Data Privacy Agreement where district policy requires it.
Does CoGrader have a VPAT?
Yes. CoGrader publishes a current VPAT 2.4 documenting conformance with WCAG 2.0 Levels A and AA and the Revised Section 508 standards.
Is CoGrader WCAG 2.0 AA compliant?
Yes. All WCAG 2.0 Level A and Level AA success criteria are reported as Supports in our current VPAT.
Who are CoGrader's sub-processors?
Hosting and database: Google Cloud Platform and Firebase. AI inference: OpenAI, Anthropic, Microsoft Azure OpenAI, and Google Gemini. All operate within the United States and are contractually prohibited from using customer data for AI training.
Does CoGrader sell student data?
No. CoGrader does not sell student personally identifiable information and does not share it for behavioral advertising or non-educational profiling.
How fast does CoGrader notify customers of a security incident?
Within 72 hours of awareness, in line with our Data Processing Addendum. Notifications include the nature of the incident, affected data categories, and remediation steps.
How do I request the SOC 2 report or the MSA?
Email security@cograder.com. We send the current SOC 2 letter, the reference MSA + DPA, and any custom questionnaire responses needed for procurement.