COPPA & FERPA Compliance - NexGen Secure LLC

COPPA Compliant FERPA Aligned

NexGen Secure LLC is committed to protecting the privacy and security of children and students. This page outlines how we comply with the Children's Online Privacy Protection Act (COPPA) and align with the Family Educational Rights and Privacy Act (FERPA) to ensure the safety of K-12 student data.

1. What is COPPA?

The Children's Online Privacy Protection Act (COPPA) is a U.S. federal law that protects the online privacy of children under 13 years of age. It requires operators of websites and online services directed at children to obtain verifiable parental consent before collecting, using, or disclosing personal information from children.

Our COPPA Commitment

NexGen Secure does not collect personal information directly from children under 13. Student accounts are created exclusively by authorized schools, teachers, or parents/guardians.

2. What is FERPA?

The Family Educational Rights and Privacy Act (FERPA) is a U.S. federal law that protects the privacy of student education records. It applies to schools that receive federal funding and gives parents rights over their children's education records until the student turns 18.

Our FERPA Alignment

NexGen Secure acts as a school official with a legitimate educational interest when processing student data on behalf of schools. We handle student education records solely for the purpose of delivering cybersecurity education services as designated by the school or district.

3. Student Data We Collect

We follow a strict data minimization approach. We only collect what is absolutely necessary to provide cybersecurity education:

Data Type	Collected?	Purpose
First Name	Yes	Student identification within classroom
Last Name	Yes	Student identification within classroom
Class Affiliation	Yes	Classroom assignment and teacher association
Educational Progress	Yes	Course completion, quiz scores, badges earned
Email Address	No	Not collected from students
Date of Birth	No	Not collected from students
Phone Number	No	Not collected from students
Home Address	No	Not collected from students
Photos / Images	No	Not collected from students
Geolocation	No	Not collected from students
Social Media	No	Not collected from students

4. Student Authentication

K-12 students use a lightweight, privacy-respecting login process:

No passwords required for students. Students authenticate using their first name and last name within their assigned class.
Teacher-approved access. Students cannot access the platform until their teacher approves their enrollment request.
Class-scoped access. Students can only see their own class and their own progress data.
Automatic session timeout. Student sessions expire after 5 minutes of inactivity for added security.

5. Age Verification

NexGen Secure implements age-appropriate access controls:

School/Teacher accounts: Created by adult educators and administrators. No age verification needed as these are adult-only account types.
Student accounts: Created exclusively by authorized schools, teachers, or parents/guardians. Students under 13 cannot self-register.
Individual memberships: Require age verification at checkout. Users under 13 are directed to have a parent or guardian create the account on their behalf.

6. Parental and Guardian Rights

Parents and guardians of students using NexGen Secure have the following rights under COPPA and FERPA:

Right to Access: Request a copy of your child's data held by NexGen Secure.
Right to Review: Review the types of information collected and how it is used.
Right to Correction: Request corrections to any inaccurate student records.
Right to Deletion: Request deletion of your child's personal information.
Right to Refuse: Refuse further collection or use of your child's information.
Right to Data Export: Request a portable copy of your child's educational records.

How to Exercise Your Rights

Parents and guardians can submit data requests through our Parent/Guardian Data Request Form or by emailing nexgensecure.us@gmail.com with the subject line "Data Request." We commit to responding within 30 days.

7. How Schools Use NexGen Secure

When schools and districts use NexGen Secure:

The school acts as the consenting authority under COPPA's school consent provision, authorizing NexGen Secure to collect limited student data for educational purposes.
NexGen Secure operates as a school official with a legitimate educational interest under FERPA.
Student data is never used for advertising, marketing, or commercial purposes unrelated to education.
Student data is never sold or shared with third parties for non-educational purposes.
Data is isolated per school using multi-tenant security — one school cannot access another school's data.

8. IP Address Handling

IP addresses associated with student activity are school network subnet addresses — shared institutional IP addresses used by all users on the school's network (via VPN, SSO, or school network infrastructure).

IP addresses are logged only in server-side security audit logs for fraud prevention and security monitoring.
This falls under COPPA's "support for internal operations" exception, which permits activities necessary to maintain or analyze the functioning of the website.
IP addresses are not stored in student profile records or associated with individual student identities.
IP addresses are not used for tracking, profiling, or advertising.

9. Data Security

NexGen Secure employs industry-standard security measures to protect student data:

Encryption: All data is encrypted in transit (TLS/SSL) and at rest.
Row Level Security (RLS): Database-level access controls ensure students and teachers can only access their own data.
Multi-tenant isolation: School data is isolated using school-level identifiers.
Security headers: Helmet.js security headers, CORS policies, and rate limiting.
Session management: Automatic 5-minute timeout for student sessions, with time-limited signed URLs for content access.
No third-party advertising: The platform contains no advertisements and no advertising tracking.

10. Data Retention and Deletion

Active accounts: Student data is retained only for as long as the student has an active enrollment with their school on NexGen Secure.
School departure: When a school discontinues use of the platform, all associated student data is deleted within 90 days.
Individual requests: Parents and guardians may request immediate deletion of their child's data at any time via our Data Request Form.
Backups: Deleted data may persist in encrypted backups for up to 30 additional days before permanent removal.

11. Third-Party Services

NexGen Secure uses the following third-party services to operate the platform. None of these services receive student personal information for advertising or non-educational purposes:

Supabase: Database hosting and authentication (SOC 2 Type II certified).
Vercel: Website hosting and content delivery.
Stripe: Payment processing (for school/member subscriptions only — no student financial data).
Resend: Email notifications (for administrators and parents only — no student emails).

12. Cookie Usage

NexGen Secure uses only essential cookies required for platform operation (authentication, session management, and security). We do not use cookies to track students across the internet or for advertising. For full details, see our Cookie Policy.

13. Changes to This Compliance Page

We may update this COPPA/FERPA compliance page as regulations evolve or as our practices are refined. Material changes will be communicated to partnering schools and posted on this page with an updated date.

Operator Contact Information

NexGen Secure LLC

Email: nexgensecure.us@gmail.com

Website: nexgensecure.us

Contact Form: nexgensecure.us/contact

For parent/guardian data requests, please use our Parent/Guardian Data Request Form or include "Data Request" in your email subject line.