Data Governance & Compliance: The Open Source Standard

1. Our Mission: Privacy-First Pedagogy

ConnectedClassroom.org ("we," "us," or "our") provides the Intelligence Suite (REAL Connections, CrossLink, UDL Architect, WonderWeb, Unautomatable AI, EdConnect, and SchoolConnect) to empower educators through authentic, globally connected learning. Unlike "Data-First" corporate platforms, we operate on a "Privacy-by-Design" framework. We are a mission-driven research initiative, not a data brokerage.

2. Radical Data Minimization (Zero Data Commitment)

We follow the principle of Data Minimization: if we don’t need it for the tool to work, we don’t collect it.

  • Educators: We do not collect any account information (Name, Email, School/Role) for access or authentication.

  • Students (COPPA Compliance): We do not collect personally identifiable information (PII) from students. Our tools are designed for educator-facing instructional design.

  • Content Inputs: Lesson plans or standards submitted to our AI tools are processed in ephemeral sessions and are explicitly NOT stored or retained.

  • No Selling of Data: We never sell, rent, or trade user data. Our only "stakeholder" is the educator.

  • No Commercial Profiling: We do not build "user profiles" or track students/teachers for commercial purposes.

  • No Third-Party Marketing: User data is never used for third-party marketing or advertising.

  • No Targeted Advertising: This site contains zero advertisements and no behavioral tracking.

3. AI Architecture & Data Residency

To provide exceptional pedagogical insights, we utilize advanced Large Language Models (LLMs) with custom educational fine-tuning.

  • Model Specification: Our tools are powered by Claude Sonnet 4.5 and Google Gemini, optimized via a secure serverless proxy.

  • Data Residency: EdConnect conversation logs are stored on secure AWS servers within the United States.

  • 30-Day Purge Policy: To ensure educational focus, EdConnect logs are stored solely for operational monitoring and are permanently deleted every 30 days. No PII is attached to these logs.

  • No Training on Your Data: We explicitly do not train models on user data. All applications are built through pedagogical architecture designed by an educator. Your unique lesson ideas remain your property.

4. CISA "Secure by Design" Signatory: Progress Toward 7 Goals

Connected Classroom is a formal signatory of the CISA (Cybersecurity & Infrastructure Security Agency) Secure by Design Pledge. We align our architecture with the federal gold standard for software security:

  • Goal 1: Multi-Factor Authentication (MFA): By utilizing a "No-Login" architecture, we eliminate the need for traditional passwords, thereby removing the primary attack vector that MFA is designed to protect against.

  • Goal 2: Default Passwords: We have eliminated the risk of default passwords entirely by removing user accounts and authentication requirements for our core tools.

  • Goal 3: Reducing Entire Classes of Vulnerability: We utilize a serverless Google Apps Script proxy and standard web frameworks to prevent SQL injection and cross-site scripting (XSS) at the architectural level.

  • Goal 4: Security Patches: Our cloud-native infrastructure ensures that all security patches are applied automatically by our primary providers (Google/AWS) without requiring manual intervention from the educator.

  • Goal 5: Vulnerability Disclosure Policy (VDP): We maintain a public VDP (see Section 7) to authorize and encourage the ethical reporting of any identified bias or pedagogical vulnerabilities.

  • Goal 6: CVEs (Common Vulnerabilities and Exposures): We commit to transparency in reporting and will issue/disclose any critical vulnerabilities found within our open-source tools in a timely manner.

  • Goal 7: Evidence of Intrusions: We monitor de-identified system logs to detect patterns of misuse or intrusion attempts, ensuring that the "Glass Box" remains secure for all users.

5. Compliance & User Rights

We honor all global data rights and educational privacy standards:

  • FERPA: Schools maintain 100% control over educational records. We do not store or manage student records.

  • COPPA: We do not collect data or identifying information from children under 13.

  • GDPR/CCPA: We adhere to the "Right to be Forgotten" via our automatic 30-day purge policy for EdConnect and immediate ephemeral purging for the Intelligence Suite.

  • AI Redress: Users have the right to request a human review of any AI-generated suggestion they find biased or inaccurate.

6. The "Schools Choice" Donation Model

ConnectedClassroom.org is a mission-driven research project, not a data brokerage.

  • Democratized Access: We operate on a donation basis to ensure that high-quality, ethical AI tools are available to all educators, regardless of their district’s budget.

  • No Monetization: We never sell, rent, or trade your data. Our "Schools Choice" model ensures our only "stakeholder" is the educator.

7. Accountability & Ethics Reporting (VDP)

Connected Classroom operates with a commitment to Radical Transparency.

  • Vulnerability Disclosure: If you identify a technical security risk or a pedagogical/ethical bias in our tool outputs, please report it immediately to ethics@connectedclassroom.org.

  • Response Guarantee: We commit to investigating all reports within 72 hours and taking rapid corrective action (logic-tuning or architectural updates).

  • Ethics Advisory Board (In Development): Our practices will be informed by an informal board of practicing K-12 educators and instructional designers.

8. Changes & Contact

This policy is a living document. As a research initiative, we will update these terms to reflect new standards in global AI safety and security.

Contact Information: