Student records deserve
a higher standard than the industry hands them.

DayReady is built for K-12 school districts. That means every design decision — schema, sync, surfacing — has to assume FERPA, SOPIPA, and a district's own Data Privacy Agreement apply from the first row inserted. We don't treat student-privacy obligations as a bolt-on; they are written into the codebase the same way multi-tenancy is.

Three non-negotiable principles:

1. Student records belong to the district. LogicLoft is the district's service provider, not the data owner. We don't mine, re-sell, advertise against, or retain student data beyond the contracted term.
2. Least privilege by default. Substitute teachers see only the classes they're covering, for the days they're covering, and only the accommodation summaries required for a sub to do their job safely.
3. Every access leaves a record. Who saw what, when, and why. Districts can subpoena their own audit log and use it as compliance evidence.

DayReady operates as a "school official with legitimate educational interests" under the FERPA school-official exception (34 C.F.R. § 99.31(a)(1)). Under this designation:

• LogicLoft performs a service the district would otherwise perform itself.
• District staff retain direct control over the education records in the platform.
• LogicLoft is prohibited from re-disclosing personally identifiable information from education records except as permitted by FERPA and the district's written instructions.

Education records held in DayReady include (but are not limited to): rostered student names and IDs, attendance events, IEP/504 flag summaries surfaced to substitutes, medical alert flags, seating chart position, and any end-of-day note a substitute records about a named student. Directory information published by the district is treated with the same protections as non-directory records unless the district explicitly opts to relax handling.

California's Student Online Personal Information Protection Act (SOPIPA, Cal. B&P § 22584) and AB 1584 (Cal. Ed. Code § 49073.1) govern operators of online services used for K-12 school purposes. DayReady's commitments under both statutes:

• No targeted advertising to K-12 students, parents, or guardians based on any information acquired through DayReady.
• No sale of student information, ever. Not to data brokers, not to marketers, not as part of a corporate transaction without district consent.
• No profile building for non-educational purposes.
• Security posture appropriate to the sensitivity of the information — encryption in transit and at rest, access controls, and audit logging (see §5–7).
• Deletion on contract end or district request, within timeframes specified in the governing DPA.
• Breach notification to the district in a timeline consistent with AB 1584 and the district's DPA, with a documented cooperation procedure (see §8).

LogicLoft executes the Student Data Privacy Consortium (SDPC) National Data Privacy Agreement v1.0 with any district that requests it. The SDPC NDPA is the de facto privacy contract for California K-12 procurement and is what most district counsel expect to see on first review. Pilot and production districts receive:

• A countersigned NDPA on district letterhead, with Exhibit E completed specifically for DayReady's data elements and subprocessor list.
• A state-specific rider (California) when required, covering AB 1584 language.
• Optional IEP/504 rider — DayReady handles Special-Education accommodations for substitutes, which some districts wish to address separately from standard education records.

Contact contact@logicloft.com with your preferred NDPA template if your district uses a local variant.

• In transit: TLS 1.2 and 1.3 only (legacy TLS disabled at the web-server layer). HTTP Strict Transport Security enforced on all public hostnames with includeSubDomains.
• At rest: Daily off-site backups are compressed and AES-256 encrypted before leaving the host. Production database and application files live on hardened, private-network storage with filesystem-level access controls.
• SIS sync: Nightly one-way sync from Aeries or PowerSchool runs over encrypted SFTP. Per-district SFTP credentials are stored encrypted with a rotating per-district key — never in plaintext configuration files.
• Secrets: All signing keys, API keys, and service credentials live in environment-scoped secret storage, not in source code or version history.

Every read and write is scoped by (a) district, (b) school site where applicable, and (c) role. Roles currently enforced in code:

Substitute

Sees rosters, seating charts, and accommodation summaries only for classes they are assigned to cover, only for the day of coverage. Access expires automatically at end of day.

Teacher

Full access to their own classes and students. No visibility into other teachers' rosters or evaluations.

Site admin

Access scoped to their assigned school site — not district-wide.

HR / District admin

District-wide access as required for absence management, payroll export, and credential administration.

Super admin

Cross-district operator role (LogicLoft staff only). All actions audit-logged. Used for onboarding, incident response, and support escalations.

Role switching is blocked unless explicitly whitelisted and CSRF-protected. Districts authenticate their staff via their own SSO identity provider (Google Workspace or Microsoft Entra ID), so multi-factor-authentication policy follows the district's IdP configuration.

DayReady captures structured activity events for the operations that matter most for compliance and incident response:

• Access to sensitive student records (IEP/504 accommodation summaries, medical alerts), with viewer, timestamp, and absence context.
• Writes to student records — attendance events, end-of-day notes, behavior flags.
• Authentication events — logins, failed logins, role switches, and privilege changes.
• SIS sync jobs — input file hash, records processed, field-level diffs, and errors.
• Sub-dispatch events, including the reasons a substitute was filtered out of consideration for an assignment.

Retention is configurable per district in the governing DPA. Without district-specific instructions, activity logs follow the same retention window as the education records they describe.

If LogicLoft learns of a confirmed or reasonably suspected unauthorized disclosure of district data, we will:

1. Notify the district's designated privacy contact within the window specified in the governing DPA — and in any case no later than 72 hours after discovery.
2. Provide the district with: a summary of what happened, the data elements involved, the students or employees affected, remediation steps already taken, and the steps still pending.
3. Cooperate fully with the district's breach-response procedures, including any notifications the district is required to make to affected parents, employees, or regulators.
4. Preserve relevant logs and forensic evidence for the duration required.

DayReady uses a short, reviewable list of subprocessors. Each is bound by a written agreement requiring the same data-protection standards we commit to your district:

Material changes to this list are communicated to district privacy contacts at least 30 days before taking effect, as required by the governing DPA.

Parents and eligible students exercise FERPA rights through the district, which is the records custodian. If a district receives a request to inspect, review, amend, or delete records held in DayReady, LogicLoft will:

1. On district request, produce a copy of every record associated with the named student within 10 business days, in a portable format.
2. On district instruction, correct or amend records and preserve the original version in the audit log.
3. On district instruction, delete records beyond the district's retention policy and confirm deletion in writing.

Parents should direct requests to their district's FERPA-designated records custodian, not to LogicLoft directly. This ensures the district's own procedures and timelines are respected and that requesters are properly authenticated.

Questions about this document, DPA execution, security posture, breach procedures, or anything else on this page — write to our privacy mailbox:

This page is informational and reflects the current state of our practices. It does not modify any executed Data Privacy Agreement between LogicLoft and your district, which controls in the event of any conflict.