Security + privacy

Built to be the easy approval on a district's procurement list.

Storytime is engineered AWS-first, with a short sub-processor list, a standard NDPA, and a documented controls attestation. We do the boring legal work so your superintendent can say yes faster.

Standard NDPA, signed quickly.

We provide a standard NDPA aligned to the Student Data Privacy Consortium template. Most districts close in 2-3 weeks; we don't redline boilerplate.

FERPA + COPPA + applicable state laws.

Storytime operates as a school official under FERPA, and under COPPA's school-authorization model — the school consents on parents' behalf, strictly for its own educational purposes. Compliant with the amended COPPA Rule (April 2026), CCPA-equivalents, and state laws (NY Ed Law 2-d, IL SOPPA, CT, etc.) — full list on request.

Consent is real and provable.

No adult account exists without affirmatively accepting the current Terms and Privacy Notice. Every acceptance lands in an append-only ledger with document version and timestamp; when terms change, everyone re-accepts before continuing. School and district authorizations are recorded at the organization level.

Child audio has a complete lifecycle.

Reading recordings exist only when a teacher assigns a fluency activity, are never used to train AI — contractually prohibited with every vendor, attested in writing — and are permanently deleted 30 days after capture by infrastructure-level policy, not application code that can fail.

Parental rights work today.

Parents can review, export, request deletion, and refuse further collection — including audio recording — from their own portal. Refusal deletes stored audio immediately and blocks future capture before a single byte is stored. Deletion requests don't wait out a retention window.

AWS US-East data residency.

All student data is stored in AWS US-East regions, encrypted at rest with KMS-managed keys, and encrypted in transit with TLS 1.2+. No data leaves AWS-controlled infrastructure.

Short sub-processor list. Disclosed.

Storytime runs on AWS. AI services, payments, edge security, and transactional email are handled by a short list of additional sub-processors disclosed under NDA. Our standard NDPA covers all of them.

No data sold. No advertising. Minimal by design.

Storytime does not sell student data, share data with advertisers, or use student data to train third-party AI models. Students have no email, no full last name, no birthdate, and no photos in the system — and no advertising or analytics SDKs load on student surfaces. Period.

Independent security review.

We follow recognized cloud-security baselines (AWS Well-Architected, CIS) and provide written attestation of our controls to evaluating districts on request.

Sub-processors

Our primary infrastructure provider — the rest, under NDA.

Storytime's primary infrastructure provider is published here. The complete list — AI services, payments, transactional email, edge security — ships with our security questionnaire response under NDA.

Primary infrastructure provider

Amazon Web Services (AWS)

Purpose: Compute, storage, content delivery, identity
Region: US-East-1

Additional sub-processors

Available under NDA with the security questionnaire response.

Storytime engages a small number of operational sub-processors for AI services, payments, transactional email, and edge security. The complete list — purposes, regions, data-handling postures — ships with our security questionnaire response under NDA. Districts under NDA get notified 30 days before any change.

For your legal team

Privacy, terms, and a single contact path.

NDPAs, security questionnaires, sub-processor lists, controls attestation — all handled through one form so nothing slips between inboxes.

Send us your district's questionnaire.

Most district security questionnaires we see are 70-150 questions. We respond inside one business week with a full filled-in copy. Use the contact form to attach it or ask any other security question.