How Findmino protects student data and meets the compliance requirements schools expect.
Student education records protected. We act as a school official with legitimate educational interest.
Parental consent for under-13. Schools provide consent on behalf of parents for educational use.
Canadian privacy compliance. Age-appropriate consent, data minimization, and deletion rights.
Findmino is a Member of the Access 4 Learning (A4L) Community and actively contributes to data privacy standards (NDPA v2.3) and interoperability initiatives (SIF, OneRoster).
We are a signatory of the CISA Secure by Design Pledge, committing to measurable security improvements across our platform.
Students authenticated via institutional SSO (ClassLink, Clever, Google Classroom) bypass individual age verification. The school's signed DPA and SIS enrollment data serve as consent under COPPA/FERPA.
Role-Based Access Control (RBAC)
Roles: Student, School Coordinator, Parent (read-only, token-based), Admin
MongoDB Atlas — US-based data centers
SOC 2 Type II, ISO 27001, HIPAA capable
Students and parents can download all personal data at any time via their account settings.
Request full deletion of all personal data. Accounts are anonymized and data permanently removed.
Export in standard formats (JSON). Schools receive full data export upon contract termination.
Aligned with the SDPC National Data Privacy Agreement (NDPA) v2.3 framework
Version 2.0 — March 2026
Student Data means any data, whether gathered, created, or inferred by Findmino or provided by the School, its users, students, or students' parents/guardians, for a school purpose, that is descriptive of the student including, but not limited to, information in the student's Education Record as defined by FERPA (34 CFR § 99.3), persistent unique identifiers, or any other information that would provide information about a specific student. This includes: name, email address, school enrollment, grade level, assessment responses (RIASEC personality quiz), career exploration activity, portfolio content, counselor communications, and application usage metadata.
Findmino processes Student Data solely to provide career guidance, college planning, scholarship matching, and student portfolio services as directed by the School under this Agreement. No Student Data will be used for advertising, marketing, or any purpose unrelated to the School's educational mission. Findmino shall not sell or disclose any Student Data, or any portion thereof, including user content or other non-public information and/or Personally Identifiable Information.
Findmino collects only the minimum data necessary to provide the Service: student name, email, school affiliation, grade level, assessment responses, career exploration activity, portfolio content (saved careers, colleges, scholarships, AI-generated documents), and counselor communications. No Social Security numbers, financial data, medical records, disciplinary records, or transportation data are collected.
Findmino implements administrative, physical, and technical safeguards designed to protect Student Data from unauthorized access, disclosure, acquisition, destruction, use, or modification. Measures include: TLS 1.2+ encryption in transit, AES-256 encryption at rest (MongoDB Atlas), role-based access control (RBAC) with four tiers (Student, Coordinator, Parent, Admin), comprehensive audit logging of all data access, and Auth0 authentication with MFA support. Findmino adheres to the NIST Cybersecurity Framework (CSF) as its cybersecurity standard, consistent with NDPA Exhibit F requirements.
Findmino will conduct a security audit or assessment no less than once per year, and upon any confirmed Data Breach. Upon 10 days' notice and execution of a confidentiality agreement, Findmino will provide the School with a summary of the audit report, subject to reasonable and appropriate redaction of proprietary information.
Findmino uses the following subprocessors: MongoDB Atlas (database hosting — SOC 2 Type II, ISO 27001 certified), Auth0/Okta (authentication — SOC 2 Type II certified), Brevo (transactional email delivery), Google Cloud/Gemini (AI features — no student PII is stored or retained by AI providers). Findmino enters into Subprocessor Agreements with all subprocessors, requiring them to protect Student Data in a manner no less stringent than the terms of this DPA. Every Subprocessor Agreement provides that the subprocessor will not sell Student Data. The School will be notified in advance of any material changes to subprocessors.
Findmino requires all employees and contractors with access to Student Data to comply with this DPA and to maintain appropriate confidentiality agreements. Access to Student Data is restricted on a need-to-know basis using role-based access controls.
Students, parents, and the School may: (a) request export of all Student Data in a standard format (JSON/CSV), (b) request deletion of Student Data, (c) request correction of inaccurate data. Findmino will respond to verified requests within 30 days. Self-service data export and deletion tools are available directly within the platform.
Student Data is retained for the duration of the School's active subscription. Upon termination of this Agreement or upon written request from the School, all Student Data will be deleted or provided to the School within 60 days. The duty to delete shall not extend to De-Identified Data or to student-generated content that the student has independently chosen to retain. Audit logs may be retained for up to 3 years for compliance purposes.
Findmino agrees not to attempt to re-identify De-Identified Data without written direction from the School. De-Identified Data may be used solely for product improvement, research, and development purposes. Findmino shall not publish any document that names the School or could identify individual students without the School's prior written approval.
In the event that Findmino confirms a Data Breach affecting Student Data, Findmino will notify the School within 72 hours of confirmation, unless notification within this timeframe would disrupt a law enforcement investigation. Notification shall include: the nature of the breach, the types of data involved, the number of individuals affected, steps taken to mitigate harm, and a point of contact for further information. Findmino maintains a written Data Breach response plan and will provide a summary to the School upon request.
Findmino operates in compliance with FERPA, COPPA, CCPA/CPRA, VCDPA, and PIPEDA. Findmino acts as a 'school official' with a 'legitimate educational interest' under FERPA 34 CFR § 99.31(a)(1). For COPPA purposes, the School provides consent on behalf of parents for students under 13. Findmino will cooperate with any state or federal government-initiated audit of the School's use of the Services.
Either party may terminate this Agreement with 30 days written notice. Upon termination, Findmino will export all Student Data to the School in a standard format (JSON/CSV) and delete all copies within 60 days, unless otherwise directed by the School. Findmino shall continue to be bound by the terms of this DPA for as long as it retains any Student Data. In the event of a Change of Control of Findmino, the School will be notified in writing within 60 days, including a signed assurance that the successor entity will assume all obligations under this DPA.
Need a signed copy? Contact info@findmino.com for a DPA customized to your district.
Industry standards: This DPA is aligned with the SDPC National Data Privacy Agreement (NDPA) v2.3 framework, used by 12,600+ school districts across the US. We are a signatory of the CISA Secure by Design Pledge. We contribute to data privacy initiatives through the A4L Community.
Security researchers: We maintain a public Vulnerability Disclosure Policy and a security.txt file. Report vulnerabilities to info@findmino.com.
Our team is ready to support your procurement and security review process.