Security and compliance

How we protect student data.

SageReport handles sensitive student information. We treat that responsibility seriously.

This page explains how we protect your data, what compliance measures are in place, and what we're working toward. If you have questions not covered here, contact us.

What we commit to

Your data is never used to train AI

We do not train any AI models on your data. Your cases, reports, and student information are used only to provide the service to you, nothing else.

We don't access your data

Our team does not access your student data in the normal course of operations. When access is necessary for support or maintenance, it is limited to the minimum required and fully logged.

Secure cloud infrastructure

All data is stored on Google Cloud Platform (GCP) in the United States, with enterprise-grade security controls.

Encryption everywhere

Data is encrypted in transit (TLS) and at rest (AES-256). Access controls and audit logs track every interaction with the system.

You control your data

Export your reports anytime. Delete cases when you choose. If you close your account, data is retained for 30 days as a recovery window, then permanently deleted.

FERPA compliance

SageReport is designed to support FERPA-compliant workflows for schools and districts.

We maintain the administrative, technical, and physical safeguards required for handling student education records.

If your district requires specific documentation or agreements, contact us and we'll work with your team.

What we're working toward

We're building SageReport to meet the highest standards in the industry. Here's where we are:

Standard Status
FERPA compliance In place
BAA with Google Cloud In place
SOC 2 Type II In progress
HIPAA In progress

We'll update this page as we complete additional certifications.

District security reviews

We know districts have procurement and IT review requirements. We're prepared to complete security questionnaires, provide documentation on data handling practices, sign data processing agreements, and work with your IT and compliance teams directly.

Visit our Trust Center for procurement documents including our W-9, DPA, and sole source letter.

Start a security review

Common questions

Who hosts your infrastructure?
Google Cloud Platform (GCP).
Do you have access to our student data?
Our team does not access your student data in the normal course of operations. Any access for support or maintenance is limited to the minimum required and fully logged.
What happens if there's a data breach?
We maintain incident response procedures and will notify affected users and districts promptly in accordance with applicable laws.
Can we get a copy of your security policies?
Yes. Contact us and we'll share relevant documentation for your review.
Do you carry cyber liability insurance?
Yes.

Questions about security?

Contact Us

We're happy to discuss your district's specific requirements.

Report a vulnerability

If you discover a security vulnerability, please contact us at security@sagereport.com. We will acknowledge reports within 5 business days. We ask that you give us reasonable time to address issues before any public disclosure.