Trust Center

Security Overview

Last Updated: March 10, 2026

Hosting & Infrastructure

Asobo Education is hosted on Google Cloud Platform (GCP) via Firebase. All data is stored in US-based data centers. GCP provides enterprise-grade physical security, redundancy, and availability. Our infrastructure benefits from Google’s ISO 27001, SOC 1/2/3, and FedRAMP certifications.

Authentication

• Firebase Authentication handles all user identity management
• Supports email/password login and OAuth providers (Google, Clever, ClassLink)
• Session tokens are securely stored and validated server-side on every API request
• Passwords are never stored in plaintext — Firebase Auth uses industry-standard hashing
• Admin access requires a separate authentication mechanism

Encryption

• In transit: All data transmitted between clients and our servers is encrypted via TLS 1.2 or higher
• At rest: All data stored in Firestore and Google Cloud Storage is encrypted using AES-256 (GCP default encryption)
• Encryption keys are managed by Google Cloud Key Management Service

Access Controls

• Role-based access: Users are assigned roles (student, teacher, parent, school administrator) that determine what data they can access
• Server-side enforcement: All API routes verify the user’s identity token and role before returning data
• Principle of least privilege: Internal staff access is limited to what is necessary for their role
• Student isolation: Students can only see their own data; teachers see only their classrooms

Logging & Monitoring

• Application-level logging for API access and errors
• Firebase and GCP audit logs for infrastructure operations
• Error tracking and alerting for application issues
• Legal acceptance events are logged with timestamps for compliance auditing

Backups & Recovery

• Firestore provides automatic data replication across multiple availability zones
• Point-in-time recovery is available via GCP backup services
• We maintain backup and recovery procedures aligned with our data retention policies

Incident Response

In the event of a security incident involving personal data:

• We will investigate and contain the incident promptly
• Affected users, schools, and parents will be notified within 72 hours as required by applicable law
• We will cooperate with school and district IT teams during any incident investigation

Report security concerns to: security@asoboeducation.com

Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue, please contact security@asoboeducation.com. We will acknowledge receipt within 48 hours and work with you to understand and address the issue.

Compliance Status

• Student Privacy Pledge: Asobo Education is a signatory of the Student Privacy Pledge, committing to responsible stewardship of student personal information
• FERPA: We handle student education records in accordance with the Family Educational Rights and Privacy Act
• COPPA: We obtain appropriate consent before collecting data from children under 13
• PPRA: We comply with the Protection of Pupil Rights Amendment — we do not conduct surveys collecting sensitive information from students without prior consent
• NY Education Law 2-d: We maintain compliance with New York’s student data privacy requirements, including a Parents’ Bill of Rights. See our Privacy Policy for details
• CCPA/CPRA: California residents have additional rights detailed in our Privacy Policy
• SOC 2 Type II: In progress — not yet certified. Our practices are aligned with SOC 2 trust service criteria
• Infrastructure: Hosted on GCP, which maintains SOC 1/2/3, ISO 27001, and FedRAMP certifications

Subprocessors

Last Updated: March 10, 2026 · We will notify school administrators of changes to this list.

The following third-party service providers (“subprocessors”) may process data as part of Asobo Education’s platform operations. Each subprocessor is bound by contractual obligations to protect data and use it only for the specified purpose.