Security + privacy

Built to be the easy approval on a district's procurement list.

Storytime is engineered AWS-first, with a short sub-processor list, a standard NDPA, and a documented controls attestation. We do the boring legal work so your superintendent can say yes faster.

Standard NDPA, signed quickly.

We provide a standard NDPA aligned to the Student Data Privacy Consortium template. Most districts close in 2-3 weeks; we don't redline boilerplate.

FERPA + COPPA + applicable state laws.

Storytime operates as a school official under FERPA. We comply with COPPA, CCPA-equivalents, and state-specific laws (NY Ed Law 2-d, IL SOPPA, CT, etc.) — full list on request.

AWS US-East data residency.

All student data is stored in AWS US-East regions, encrypted at rest with KMS-managed keys, and encrypted in transit with TLS 1.2+. No data leaves AWS-controlled infrastructure.

Short sub-processor list. Disclosed.

Storytime runs on AWS. AI services, payments, edge security, and transactional email are handled by a short list of additional sub-processors disclosed under NDA. Our standard NDPA covers all of them.

No data sold. No advertising.

Storytime does not sell student data, share data with advertisers, or use student data to train third-party AI models. Period.

Independent security review.

We follow recognized cloud-security baselines (AWS Well-Architected, CIS) and provide written attestation of our controls to evaluating districts on request.

Sub-processors

Our primary infrastructure provider — the rest, under NDA.

Storytime's primary infrastructure provider is published here. The complete list — AI services, payments, transactional email, edge security — ships with our security questionnaire response under NDA.

Primary infrastructure provider

Amazon Web Services (AWS)

Purpose: Compute, storage, content delivery, identity
Region: US-East-1

Additional sub-processors

Available under NDA with the security questionnaire response.

Storytime engages a small number of operational sub-processors for AI services, payments, transactional email, and edge security. The complete list — purposes, regions, data-handling postures — ships with our security questionnaire response under NDA. Districts under NDA get notified 30 days before any change.

For your legal team

Privacy, terms, and a single contact path.

NDPAs, security questionnaires, sub-processor lists, controls attestation — all handled through one form so nothing slips between inboxes.

Send us your district's questionnaire.

Most district security questionnaires we see are 70-150 questions. We respond inside one business week with a full filled-in copy. Use the contact form to attach it or ask any other security question.