Trust & Safety
Security & Compliance
How VarsitySync protects your data and supports school and organizational compliance requirements.
Section 01
Our Security Philosophy
VarsitySync is intentionally designed to be a low-risk, low-footprint platform. We believe the best security posture for a display platform is to collect as little data as possible, expose as few attack surfaces as possible, and be transparent about everything we do.
The safest data is the data we never collect. VarsitySync does not require student accounts, does not track display viewers, and does not collect personal information directly from students. Schools may upload content that includes student information, and VarsitySync acts solely as a storage and display platform for that content. Our architecture is built around this principle — not retrofitted to it.
Section 02
Infrastructure & Hosting
VarsitySync’s technology stack is built on established, certified providers. Each component of our infrastructure is managed by vendors who have undergone independent security audits.
| Component | Provider | Certifications |
|---|---|---|
| Platform hosting | GoDaddy managed infrastructure | Managed, monitored infrastructure |
| Media storage | Backblaze B2 Cloud Storage | SOC 2 Type II, ISO 27001, HECVAT, GDPR, CCPA/CPRA |
| Payment processing | Stripe | PCI-DSS Level 1 compliant |
| Data transmission | HTTPS / TLS encryption | All endpoints encrypted in transit |
Backblaze B2 — Education Compliance Credentials
VarsitySync uses Backblaze B2 for media storage. Backblaze has completed education-specific compliance assessments that are directly relevant to school deployments:
Section 03
Data Security Controls
VarsitySync implements layered security controls across all aspects of the platform:
- HTTPS encryption: All data transmitted between users and VarsitySync is encrypted using TLS across every endpoint
- Password hashing: Passwords are securely hashed using modern standards — plain-text passwords are never stored anywhere in our system
- Role-based access: Users only access the areas of the platform appropriate to their role — no unauthorized cross-account access is possible
- Read-only display devices: Apple TV, Fire TV, and browser display devices are strictly read-only — no data can be submitted or uploaded from a display device
- No public write access: Content can only be changed by authenticated account holders — there is no anonymous or public editing capability
- Display code access control: Access is controlled via unique display codes — each screen requires its own code to load content
- Continuous monitoring: Platform systems are actively monitored for performance, reliability, and security anomalies
- No tracking scripts: VarsitySync does not embed advertising, analytics, or behavioral tracking scripts in display output
Section 04
Privacy by Design
VarsitySync’s architecture was built from the start to minimize data exposure. This is not a compliance retrofit — it is a foundational design decision.
| Design Feature | Privacy Benefit |
|---|---|
| No student accounts required | Students never interact with the platform — eliminating COPPA obligations from student use |
| Read-only display model | Viewers cannot submit or expose personal information through the display interface |
| No behavioral tracking of viewers | Display audiences are never profiled, tracked, or identified |
| No SIS or LMS integration | VarsitySync never connects to or receives data from student record systems |
| Content controlled by school staff | All uploaded content is school-managed — VarsitySync has no editorial control or access to content meaning |
| Minimal account data collection | Only name, email, role, and password are collected from staff account holders — nothing more |
Section 05
FERPA & COPPA Compliance Positioning
This section directly addresses the compliance questions most commonly raised during K-12 vendor review processes. For full details including our FERPA and COPPA policy language, see our Privacy Policy.
FERPA
The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records. VarsitySync’s compliance position is straightforward:
| FERPA Question | VarsitySync Position |
|---|---|
| Does VarsitySync collect personal information directly from students? | No — never directly from students |
| Does VarsitySync operate as a student information system or education record repository? | No |
| May schools upload content that includes student names or photos? | Yes — schools control all uploaded content and are responsible for applicable consent and compliance |
| Does VarsitySync integrate with SIS or LMS systems? | No |
| Does VarsitySync track, profile, or analyze student data? | No |
| Does VarsitySync require student accounts? | No |
| Is VarsitySync subject to FERPA as a school official? | Typically no — VarsitySync acts as a storage and display platform, not an education record processor |
| Are Data Processing Agreements available? | Yes — available upon request |
| Is HECVAT documentation available? | Yes — via Backblaze B2, available upon request |
Schools control all content uploaded to VarsitySync. When schools upload content that includes student names or photos — such as “Player of the Game” or “Student of the Month” recognition slides — VarsitySync acts solely as a storage and display platform for that content. The school is responsible for ensuring appropriate parental consent, FERPA directory-information compliance, and any other applicable obligations with respect to student-identifiable content. VarsitySync does not analyze, profile, monetize, or share uploaded content beyond what is necessary to display it on authorized screens.
COPPA
The Children’s Online Privacy Protection Act (COPPA) governs online collection of personal information from children under 13. VarsitySync’s compliance position:
| COPPA Question | VarsitySync Position |
|---|---|
| Does VarsitySync collect personal information directly from children? | No — never directly from students or viewers |
| Do students under 13 create accounts? | No — accounts are for staff only |
| Do display viewers submit any data? | No — displays are strictly read-only |
| Is any data collected from students who view screens? | None collected from viewers |
| May school-uploaded content include student names or photos? | Yes — schools control uploaded content and are responsible for applicable parental consent and FERPA compliance |
Section 06
Incident Response & Breach Notification
VarsitySync maintains a documented incident response process. In the event of a confirmed data security incident:
- Immediate investigation: All available resources directed to assessing scope and impact within hours of detection
- 72-hour notification: Affected users notified via email within 72 hours of discovery, where feasible
- Containment & remediation: Immediate steps taken to contain the incident and prevent recurrence
- Legal compliance: All applicable state and federal breach notification requirements fulfilled
- Post-incident review: Root cause analysis and security improvement plan following any confirmed incident
Section 07
Compliance Documentation
VarsitySync supports school and organizational procurement processes. The following documentation is available to verified institutions:
| Document | Availability | How to Request |
|---|---|---|
| Privacy Policy | Public | varsitysync.com/privacy-policy |
| Security & Compliance Overview | Public | This page |
| Subprocessor List (Backblaze, Stripe) | Public | Documented on this page and in Privacy Policy |
| HECVAT Documentation (assessment completed by Backblaze B2) | Available on request | Email support@varsitysync.com — reference “HECVAT Request” |
| Data Processing Agreement (DPA) | Available on request | Email support@varsitysync.com |
| Purchase Order support | Available | Email PO and tax-exempt ID to support@varsitysync.com |
| SOC 2 Type II (VarsitySync platform) | In progress | Targeted for Year 2 — contact us for timeline |
VarsitySync is school-procurement friendly. We accept purchase orders, support tax-exempt purchasing, and provide Data Processing Agreements upon request. Contact us at support@varsitysync.com with “Compliance Request” in the subject line and we will respond within 2 business days.
Section 08
Honest Limitations
We believe transparency about what we haven’t yet achieved is as important as documenting what we have. VarsitySync is an early-stage platform and we want to be honest with our customers about our current compliance posture.
| Certification / Standard | Current Status |
|---|---|
| SOC 2 Type II (VarsitySync platform) | Not yet certified. Backblaze B2 (our storage provider) holds SOC 2 Type II. We are pursuing our own certification as we grow. |
| ISO 27001 (VarsitySync platform) | Not yet certified. Backblaze B2 holds ISO 27001. We are evaluating this certification for the future. |
| Common Sense Privacy evaluation | Not yet listed. We are in the process of submitting for evaluation. |
| SDPC App Registry listing | Not yet listed. We are evaluating participation. |
