For School IT & Procurement

NostaView Compliance Center

Everything your district needs to review, approve, and deploy NostaView — FERPA, COPPA, data security, and signed agreements in one place.

All compliance documents current. Last reviewed: April 17, 2026. Questions? supports@nostaview.com

Compliance at a Glance

Key requirements your district's IT security review will check for.

✓ Verified

FERPA Compliant

NostaView operates as a school official under direct LEA control. No re-disclosure of education records. Annual FERPA notice guidance provided.

✓ Verified

COPPA Compliant

No PII collected from contributors (no account required). School consent model documented. Parental deletion rights honored.

✓ Verified

SDPA Available

Student Data Privacy Agreement ready for district signature. Modeled on SDPC national template. Countersigned PDF within 2 business days.

✓ Verified

Data Security

AES-256 at rest, TLS 1.2+ in transit. Role-based access control. No data stored outside the United States. 24-hour breach notification.

✓ Verified

No Data Sale

Student data is never sold, rented, or shared for commercial purposes. Revenue comes from school subscriptions only.

✓ Verified

US-Based Storage

All student data stored on US infrastructure (Render Oregon, Cloudflare R2 US). No international transfers of student data.

Legal Documents

Review and download all NostaView legal documents. District IT and procurement teams typically need the SDPA and Privacy Policy.

All Schools

Privacy Policy

Full data privacy practices including FERPA educational records treatment, COPPA compliance, data collection scope, sub-processors, retention schedule, and breach notification procedures.

EU / UK Schools

Data Processing Agreement (GDPR DPA)

For EU, UK, and EEA schools operating under GDPR or UK GDPR. Formalizes the controller-processor relationship with Standard Contractual Clauses and Schrems II safeguards.

All Schools

Terms of Service

The full service agreement covering subscription tiers, FERPA school official status, COPPA obligations, content ownership, liability limits, and governing law for US and international schools.

All Schools

Acceptable Use Policy

Guidelines for appropriate use of the photo collection service, photo consent requirements, prohibited content, and enforcement procedures for school administrators and contributors.

All Schools

Cookie Policy

Details on cookies used by the platform, their purpose, duration, and how administrators and contributors can manage cookie preferences. No advertising or tracking cookies used.


Data Practice Summary

Quick-reference table for vendor security reviews and questionnaires.

| Requirement | NostaView Practice | Status |
|---|---|---|
| FERPA compliance | School official status; no re-disclosure; educational purpose only | ✓ Yes |
| COPPA compliance | No PII from under-13 without school consent; anonymous QR upload flow | ✓ Yes |
| Student Data Privacy Agreement | SDPC-modeled SDPA available; signed copy provided within 2 business days | ✓ Yes |
| Data stored in the United States | Render (Oregon) + Cloudflare R2 (US region) | ✓ Yes |
| Encryption at rest | AES-256 | ✓ Yes |
| Encryption in transit | TLS 1.2+ | ✓ Yes |
| Data sale prohibition | Absolute prohibition; no exceptions; survives termination | ✓ No sale |
| Behavioral advertising prohibition | No advertising technology or targeting on student data | ✓ No advertising |
| Breach notification timeline | LEA notified within 24 hours of confirmed or suspected breach | ✓ 24 hours |
| Data deletion on termination | All student data deleted within 60 days; written certification provided | ✓ Yes |
| Parental deletion rights | Delete photos of specific students on request; completed within 30 days | ✓ Yes |
| Access controls | Role-based access; school data isolated by account; session timeouts | ✓ Yes |
| Facial recognition | Not used. No biometric data collected. | ✓ Not used |
| AI training on student data | No AI training on identifiable student photos without explicit LEA consent | ✓ Not done |
| Sub-processor disclosure | Full list in SDPA; 30-day notice of changes | ✓ Yes |
| Annual security review | Annual security review and penetration testing procedures | ✓ Yes |

IT & Procurement FAQ

Common questions from district IT security offices and procurement teams.

Does NostaView qualify as a school official under FERPA?
Yes. NostaView operates under the direct control of the school, processes data only for the school's legitimate educational purposes, and is subject to FERPA's re-disclosure prohibition. Schools should include NostaView in their annual FERPA notice to parents as a service provider used to collect event photos. See Terms of Service, Section 3 and SDPA, Section 11.

Is student photo data stored outside the United States?
No. All data — including photos — is stored on US-based infrastructure: Render (Oregon data center) for application hosting and Cloudflare R2 (US region) for photo storage. Student data does not leave the United States. See SDPA, Section 6.

What personal information is collected from students?
Minimal. QR contributors (students and parents uploading photos) are not required to create accounts, provide names, or provide email addresses. The only data collected in the QR upload flow is: the photo itself, an upload timestamp, and a temporary IP address (for security only, not displayed publicly). Student names, IDs, email addresses, grades, and behavioral data are never collected. See SDPA, Section 3 and Privacy Policy.

Does NostaView use facial recognition?
No. NostaView does not perform facial recognition or collect biometric data of any kind. The Pro tier uses Google Cloud Vision for photo quality analysis (detecting blurry, dark, or duplicate photos) — this does not identify individuals or create facial templates.

How are security breaches handled?
NostaView notifies the school LEA within 24 hours of a confirmed or reasonably suspected breach involving student data. Written incident reports are provided within 72 hours. The school is then responsible for notifying parents and regulatory authorities per applicable law. Full breach notification procedure is in SDPA, Section 7.

How do we request deletion of all student data?
You can request deletion via: (1) the administrator dashboard using the account deletion feature, or (2) emailing supports@nostaview.com with subject "Student Data Deletion Request." Deletion is completed within 30 days and NostaView provides written certification of destruction. You can also export all data first via the admin dashboard.

Does NostaView comply with California SOPIPA, New York Ed. Law § 2-d, or other state student privacy laws?
Yes. NostaView's SDPA and practices are designed to comply with major state student data privacy laws including California SOPIPA and AB 1584, New York Education Law § 2-d, Texas SCOPE Act, Illinois SOPPA, and others. A full state law compliance matrix is in SDPA, Section 12. Contact supports@nostaview.com for state-specific questions.

How do I get a countersigned SDPA for our district's records?
Email supports@nostaview.com with subject "SDPA Signature Request" and include your district name, contact name, and state. We'll return a countersigned PDF within 2 business days. The signed SDPA can be submitted to your district's vendor compliance office for procurement approval.

Does NostaView appear on any state-approved vendor lists?
We are in the process of registering on state SDPC registries. If your state uses the SDPC registry and you would like to add NostaView to your district's approved vendor list, contact supports@nostaview.com — we'll work with you to complete the registration.

Ready to move forward?

Our team responds to IT security reviews and procurement requests within 2 business days.