Trust & data protection

Built so schools can say yes.

Picture day means trusting a vendor with children’s photos and roster data. Here’s exactly how we protect it — the security, the privacy promises, and the paperwork.

Security posture

Security that’s built in, not bolted on.

Our Written Information Security Program covers encryption, access control, and monitoring. The highlights:

  • Encrypted everywhere

    Student data is encrypted at rest with AWS KMS and in transit over TLS. No exceptions.

  • Tenant isolation

    Each school’s data is scoped with tenant-bound encryption keys — one school can never read another’s.

  • Audit logging

    Every meaningful action is written to a tamper-resistant audit log, retained for compliance.

  • MFA on admin access

    Multi-factor authentication is required for every administrator account that can touch roster data.

Student privacy

No faceprints. No surprises.

We sort photos by when they were taken, not by scanning kids’ faces — so there’s no biometric data for your district to inherit.

  • No facial recognition of students — photos match by time, not faces
  • FERPA-ready master DPA with per-state addenda
  • COPPA-safe: we never collect biometric data on children
  • Per-student directory-information opt-out, enforced end to end

Read the full privacy story →

Subprocessors

Every vendor, in the open.

We publish the full list of third parties that help us run the service, what each one does, and what data it sees. Analytics never receives student names; our print lab only ever sees an EXIF-stripped image and a shipping address.

See the subprocessor list →

If something goes wrong

A clear breach commitment.

If a data incident ever affects a school’s information, we notify the school promptly and within the timelines committed in our signed Data Processing Agreement. You’ll never learn about an incident from a headline first.

We’re finalizing these commitments with legal counsel. Contact us at privacy@photochalk.com with any questions.

Data Processing Agreement

Request a DPA.

Photo Chalk offers a FERPA-ready master Data Processing Agreement with state-specific addenda, so your district’s privacy office can review terms that already account for your state’s student-data law. Tell us your school or district and we’ll send the agreement.

Request a DPA

Want the details before you sign?

Our privacy, terms, and subprocessor list are all public — no sales call required.