tiersphere

Student Data Privacy

Last updated: March 19, 2026

This page summarizes TierSphere's student data privacy commitments for school districts and education partners, including the Parents' Bill of Rights for Data Privacy and Security and supplemental vendor information commonly requested under New York Education Law Section 2-d and similar district privacy reviews.

Parents' Bill of Rights

High-level family and district-facing privacy commitments, including purpose limitation, non-sale of PII, subprocessor oversight, and complaint rights.

Supplemental Information

Data categories, safeguards, subprocessors, breach handling, and return or deletion expectations for district customers.

Parents' Bill of Rights for Data Privacy and Security

When TierSphere receives student data or teacher or principal data under a school or district agreement:

  • the data remains under the control of the customer organization and is used only to provide the contracted services;
  • student, teacher, and principal personally identifiable information is not sold and is not used for advertising or unrelated marketing purposes;
  • access is limited to authorized personnel, subprocessors, and systems that need the data to deliver, secure, support, or improve the contracted service;
  • TierSphere requires service providers with access to protected data to follow comparable confidentiality, privacy, and security obligations;
  • TierSphere uses administrative, technical, and operational safeguards designed to protect protected data against unauthorized access, disclosure, alteration, and destruction;
  • upon expiration or termination of the agreement, TierSphere coordinates return, deletion, or both as required by contract and law; and
  • parents, eligible students, teachers, and principals may direct privacy complaints to their district and, where applicable, to the New York State Education Department.

Supplemental Information for Education Customers

Data Categories

Depending on the customer configuration and enabled workflows, TierSphere may process account and profile records, organization membership data, class or program participation, attendance and engagement data, badge and outcome information, parent or guardian contact details, uploaded files, messaging records, and administrative or reporting metadata.

Authorized Purposes

TierSphere uses protected education data only for purposes authorized by the customer agreement, such as account provisioning, community engagement and opportunity management, attendance and participation tracking, dashboards and reporting, communication workflows, support, security, and compliance.

Safeguards

  • transport encryption for production web and API traffic;
  • password hashing, secure session handling, and role-based authorization controls;
  • protected object storage and managed cloud infrastructure for stored application data;
  • logging, rate limiting, and monitoring controls to detect misuse and investigate incidents; and
  • tokenized, expiring, privacy-sanitized public sharing flows for dashboard links.

If enabled, Google Analytics is limited to public, unauthenticated pages and is not intended to run on authenticated pages that contain student, family, teacher, or principal records.

Subprocessors and Service Providers

Depending on deployed features and customer configuration, TierSphere may use third-party providers for infrastructure, payments, communications, support, analytics, error monitoring, CAPTCHA, document signing, or mapping. These may include Amazon Web Services, Stripe, Mailgun, Google services, Sentry, Zendesk, and Dropbox Sign. Where Google Analytics is enabled, its use is limited to public, unauthenticated pages rather than authenticated product workflows.

Breach and Incident Notification

If TierSphere becomes aware of an unauthorized disclosure or release of protected education data, we will investigate, work to contain and remediate the issue, cooperate with the affected customer, and provide notice consistent with the governing agreement and applicable law. For New York district agreements, that includes prompt notice to the district and coordination on any required follow-up.

Return or Deletion of Data

At contract end, TierSphere coordinates return, deletion, or both according to the customer agreement, the district's written instructions, and applicable law. Operational backups are retained only for the limited period required by system recovery processes and are deleted in the ordinary course.

Complaints and Contact Information

Questions about TierSphere's education privacy practices may be sent to help@tiersphere.com.

Parents and eligible students may also file complaints with their school district. For New York Section 2-d matters, complaints may additionally be directed to the New York State Education Department, Chief Privacy Officer, 89 Washington Avenue, Albany, NY 12234, or CPO@mail.nysed.gov.

Related Policies

For more information, review our Privacy Policy, Cookies Policy, and Terms and Conditions.