Security & Compliance

Our Role Under FERPA

When a school district contracts with Clear Path Education Group, LLC to use Waypoint, Clear Path Education Group, LLC operates as a "school official" with a "legitimate educational interest" as permitted under FERPA (34 C.F.R. § 99.31(a)(1)). This classification allows districts to share Student Education Records with Clear Path Education Group, LLC without obtaining prior parental consent, provided the district has included Clear Path Education Group, LLC in its annual FERPA notice as a school official.

Clear Path Education Group, LLC does not act as a FERPA "data controller." The district retains full ownership of all student education records. Clear Path Education Group, LLC processes records solely on the district's behalf, under the district's instructions, and in accordance with the signed Data Processing Agreement.

FERPA-Compliant Design Principles

• Legitimate educational purpose only. All access to Student Education Records requires a valid authenticated district staff account, campus assignment, and an active district subscription. Student data is used solely to support district discipline administration and DAEP placement workflows.
• Role-based access control, enforced at the database layer. Waypoint enforces 12 distinct roles with campus-scoped access. Non-admin staff see only students at their assigned campuses. This is enforced by PostgreSQL Row-Level Security policies — bypassing the application layer does not bypass data protections.
• Parent portal isolation. The Waypoint parent portal displays only records for the authenticated parent's own children. Sensitive staff-only data is excluded from all parent-facing queries by design.
• No unauthorized disclosure. Clear Path Education Group, LLC does not share Student Education Records with any third party except infrastructure subprocessors bound by equivalent data protection agreements, or as required by law.
• No AI/LLM processing of student data. Waypoint does not send student records to any artificial intelligence or large language model provider. All alerts are generated by deterministic database logic with no AI involvement.
• Data deletion on exit. Upon contract termination, Clear Path Education Group, LLC will delete or irreversibly anonymize all Student Education Records within 90 days, with written confirmation provided upon request.

Texas State Law Compliance

• Texas Education Code §§ 32.151–32.158 (Student Data Privacy): Waypoint's DPA addresses all required elements — security measures, prohibited uses, data return/destruction, and subprocessor requirements.
• Texas Education Code Chapter 37 (Student Discipline): Waypoint enforces TEC Chapter 37 timelines, SPED manifestation determination triggers, and DAEP placement documentation requirements by design.
• Texas HB 3834 / SB 820 (Student Privacy): Clear Path Education Group, LLC agrees not to sell student data, use student data for targeted advertising, or build profiles of students for non-educational purposes.

District Responsibilities Under FERPA

For the school official exception to apply, the district must:

• Include Clear Path Education Group, LLC in its annual FERPA notification to parents as a school official with legitimate educational interest.
• Maintain a signed Data Processing Agreement with Clear Path Education Group, LLC prior to entering student data.
• Control user provisioning — districts are responsible for creating, maintaining, and deactivating staff accounts in Waypoint.
• Respond to parent rights requests — if a parent requests to inspect, amend, or restrict their child's records, the district is responsible for executing that request.

What Is a Subprocessor?

A subprocessor is a third-party company that Clear Path Education Group, LLC engages to process Student Education Records or other district-provided personal data in connection with the Waypoint service. Clear Path Education Group, LLC maintains agreements with each subprocessor that impose data protection requirements at least as protective as those in our Customer Data Processing Agreement.

This list does not include vendors that process only non-personal data or vendors that provide general business services not specific to Waypoint.

Infrastructure Subprocessors

No AI/LLM Processing

Waypoint does not send student records, discipline data, or any Student Education Records to any artificial intelligence or large language model (LLM) provider. No student data is used to train machine learning models. All repeat-offender alerts are generated by deterministic PostgreSQL triggers — no AI involvement.

Data Residency

• Database: AWS us-east-1 (Northern Virginia) via Supabase. All student data stored and processed within the United States.
• Web application: Delivered via Cloudflare Pages CDN. Static application files only — no student data stored at the edge.
• Backups: Supabase automated backups remain in AWS us-east-1.

Supabase, Inc.

Supabase is the primary database, authentication, and API provider for Waypoint. All student education records are stored and processed within Supabase's managed PostgreSQL service on AWS us-east-1.

Amazon Web Services, Inc. (AWS)

AWS is the cloud infrastructure underlying Supabase. Clear Path Education Group, LLC does not hold a direct AWS account for student data — AWS is accessed only through Supabase. Districts reviewing Waypoint typically need Supabase's DPA rather than a direct AWS DPA. Clear Path Education Group, LLC will coordinate on request.

Cloudflare, Inc.

Cloudflare delivers the Waypoint web application to end users (HTML, CSS, JavaScript). Cloudflare does not process or store Student Education Records — all student data flows directly between the user's browser and Supabase via encrypted API calls and is never stored at Cloudflare's edge.

Requesting Executed DPAs

Districts that require an executed copy of any of the above third-party DPAs as part of their vendor procurement process should contact us. Clear Path Education Group, LLC will coordinate with the relevant subprocessor to provide executed documentation, or will provide its own executed DPA that passes through the relevant obligations.