Last updated: February 2026
SparkPath is built for schools serving children with special needs. We understand that trust is earned through transparency, rigorous data protection, and compliance with the laws that protect students. This page summarizes our compliance posture across federal, state, and industry standards.
SparkPath is an AI-powered adaptive learning platform designed for K-12 students with special needs, including students with IEPs and 504 Plans. Given the sensitive nature of the data we handle -- educational records of children with disabilities -- we hold ourselves to the highest standards of data protection and regulatory compliance.
Our compliance program is built on three principles: transparency in our data practices, minimization in what we collect, and control for the schools and families we serve.
Family Educational Rights and Privacy Act (20 U.S.C. § 1232g)
SparkPath operates as a “school official” under FERPA’s school official exception, handling education records under the direct control and supervision of the educational institution.
| Requirement | Status | Implementation |
|---|---|---|
| Legitimate educational interest | Active | Platform used solely for educational content generation and learning analytics |
| Access controls | Active | Role-based access control (RBAC) with Coordinator, Team Member, and Child roles |
| No re-disclosure | Active | Student data is never shared with unauthorized third parties |
| Parental inspection rights | Active | Full data accessible via Coordinator dashboard; export available on request |
| Data deletion | Active | Complete cascade deletion across 23 database tables via API |
| No directory information disclosure | Active | No student data is treated as directory information |
| Audit trail | Active | Access logging for all child data operations |
For full details, see our Privacy Policy, Section 4.
Children’s Online Privacy Protection Act (15 U.S.C. §§ 6501-6506)
SparkPath’s architecture is designed from the ground up to comply with COPPA by ensuring no personal information is collected directly from children.
| Requirement | Status | Implementation |
|---|---|---|
| No direct collection from children | Active | Children access via pre-generated tokens; no registration, no PII entry |
| Parental consent mechanism | Active | School consent serves as parental consent under 16 CFR § 312.5(c)(3) |
| No behavioral advertising | Active | No ads, no tracking pixels, no advertising networks |
| No third-party data sharing | Active | Children’s data never shared for commercial purposes |
| Parental access and deletion | Active | Available through school Coordinator; complete data deletion supported |
| Data minimization | Active | Only educationally necessary data collected; no photos, audio, video, or geolocation |
For full details, see our Privacy Policy, Section 5.
Section 508 of the Rehabilitation Act & WCAG 2.1 AA
As a platform serving children with special needs, accessibility is not just a compliance requirement -- it is core to our mission. SparkPath is committed to meeting WCAG 2.1 Level AA standards and Section 508 requirements.
We are transparent about where we are: SparkPath does not yet claim full WCAG 2.1 AA conformance and has not completed a third-party accessibility audit. The items below are on the near-term roadmap.
All student data is protected by encryption both in transit and at rest.
SparkPath maintains an incident response plan for addressing security events and potential data breaches. Our response framework is designed to meet the requirements of FERPA, state breach notification laws, and industry best practices.
SparkPath is preparing for independent third-party security audits to provide institutions with additional assurance about our security and privacy practices.
We are planning to pursue SOC 2 Type II certification, which evaluates the effectiveness of security controls over time. The audit will cover the Trust Service Criteria relevant to educational technology:
As SparkPath grows to serve more school districts, we are evaluating FedRAMP authorization to facilitate adoption by federal and large public-sector educational institutions. Our infrastructure planning includes AWS deployment with FedRAMP-authorized services.
Regular penetration testing by qualified third-party security firms is planned as part of our security assurance program.
SparkPath offers Data Processing Agreements (DPAs) to school districts and educational institutions as part of our standard onboarding process.
To request a DPA, contact [email protected]. We also accept institution-provided DPAs and state-specific data privacy agreements.
SparkPath aligns its security practices with the NIST Cybersecurity Framework (CSF), providing a structured approach to managing cybersecurity risk.
Asset inventory, risk assessments, data classification for all Student Data categories.
Access controls (RBAC), encryption (at rest and in transit), security awareness, and data minimization practices.
Access logging, anomaly monitoring, and automated alerting for suspicious activities on student data.
Incident response plan with defined roles, communication procedures, and 72-hour notification commitments.
Database backup and recovery procedures, service restoration plans, and post-incident improvement processes.
In addition to federal compliance, SparkPath monitors and complies with state-level student privacy laws. Below are key state laws we actively track and align with:
| State | Law | Key Requirements |
|---|---|---|
| California | SOPIPA (SB 1177) | Prohibits use of student data for non-educational purposes, targeted advertising, and sale of student information. Requires deletion of data upon request. |
| New York | Education Law 2-d | Requires data privacy and security plans, Parents’ Bill of Rights, breach notification, and third-party contract provisions for vendors handling student PII. |
| Illinois | ISSPA (105 ILCS 85) | Illinois Student Online Personal Protection Act (SOPPA) requires written agreements, data breach notification, data destruction timelines, and prohibits targeted advertising to students. |
| Colorado | HB 16-1423 | Student Data Transparency and Security Act requires transparency in data collection, security standards, and parental access rights. |
| Connecticut | PA 16-189 | Student Data Privacy Act requires written contracts, security plans, and breach notification for vendors handling student data. |
| Maryland | Ed. Art. § 4-131 | Student Data Privacy Act prohibits use of student data for advertising and requires security safeguards. |
SparkPath’s data practices -- no advertising, no data sales, data minimization, complete deletion support, and DPA availability -- are designed to meet or exceed the requirements of all major state student privacy laws. If your state has specific requirements, please contact us to discuss compliance.
As an AI-powered platform serving children, we maintain rigorous governance over our AI systems and the content they generate.
Only anonymized child profile data is included in AI prompts: age, interests, abstraction level, and accommodation needs. No names, email addresses, school identifiers, or other directly identifying information is sent to AI models.
All AI-generated content passes through an automated quality assurance pipeline that evaluates safety, age-appropriateness, accommodation alignment, and educational value before delivery to students.
AI-generated content is designed to be reviewed by educators. SparkPath recommends that all generated content be evaluated by qualified professionals before use with students. The platform supports educator review workflows.
SparkPath uses API-tier AI services that do not use customer data for model training. Student data is never used to train, fine-tune, or improve AI models.
We welcome questions about our compliance practices and are happy to provide additional documentation to school districts conducting vendor assessments.
SparkPath, Inc.
Compliance inquiries: [email protected]
Privacy inquiries: [email protected]
Legal inquiries: [email protected]
We can provide upon request:
© 2026 SparkPath, Inc. All rights reserved.