Security & privacy

You're being asked to trust us with students. We take that literally.

This page says what we actually do — in plain language your IT lead can interrogate. Bring them to the demo; we like those questions.

Isolation enforced by the database, not by good intentions.

Per-school tenant isolation

Every school's data is walled off with row-level security at the database layer, not just application logic — the isolation rule lives where the data lives. We audit these policies on a recurring basis and close gaps as we find them.

Controlled enrollment, by design

A school can self-serve onboard in minutes — but once you're set up, students and staff never self-register. Every account starts from an invitation your school issued, with codes that expire. There's no open student signup to police.

Least-privilege roles

Students, teachers, advisors, administrators, and IT each get the narrowest access that does the job. Elevation paths are explicit and controlled — roles can't quietly grant themselves more.

Audited staff actions

Administrative actions leave an audit trail your school can review. When someone asks "who changed this?", the answer is a lookup, not an investigation.

Our own access

The strictest rules apply to us.

Most vendors talk about outside threats. The harder promise is about the inside: what can NexusPlan's own team see?

De-identified by default

Our support and onboarding staff work from de-identified views — short reference IDs, not student names or personal details.

Guarded troubleshooting

School-side troubleshooting uses a guarded "view as" tool — logged, role-restricted, and never a shared password.

Encrypted, scoped credentials

SIS API credentials are stored encrypted, scoped to your school, and used only to run your school's sync.

We red-team ourselves

We run recurring internal adversarial security reviews against our own system, and close what they find — including gaps in access controls, before they ever reach a real school.

Minimal in. Nothing sold. Clean exit.

Data minimization

We sync what planning needs — assignments, due dates, rosters, grades — and no more. Data that isn't collected can't be leaked.

No ads. Not for sale.

Student data is never sold, never shared for advertising, never used to build profiles for anyone else. Schools pay for the product; that's the whole business model.

Your data leaves with you

Offboarding is a product feature: export what's yours, then have it removed. No hostage negotiations at renewal time.

Privacy from the student's side, too

Some data is protected from the interface itself: students see per-assignment feedback, never a looming overall average; there are no streaks or public leaderboards. Wellbeing is a privacy issue.

Built to support your FERPA obligations

Your school stays in control of education records: access is role-scoped, our staff access is minimized and logged, and records are exportable and deletable on your instruction.

Have a vendor security questionnaire? Send it — we answer them directly, and your IT lead gets an engineer on the call, not a sales deck.

Due diligence welcome

Bring your hardest questions.

Book a walkthrough with your IT lead in the room. We'll show the isolation model, the audit trail, and the offboarding path live.