BrailleBuddyby Lonia AI

Compliance & Security

Built for the standards schools require

Detailed compliance and security documentation for procurement teams and school administrators.

FERPA

BrailleBuddy is designed to comply with the Family Educational Rights and Privacy Act (FERPA). Student education records uploaded to BrailleBuddy are protected through multiple layers of security.

  • All student data is encrypted at rest (AES-256) and in transit (TLS 1.3)
  • Role-based access controls restrict data visibility by user role (teacher, admin, student)
  • Tenant isolation ensures each school or district's data is logically separated
  • Audit logs record every action — uploads, conversions, downloads, and assignments — with timestamps and user identity
  • Configurable data retention policies allow administrators to set automatic deletion schedules
  • No student data is shared with third parties for advertising or profiling

IDEA — Individuals with Disabilities Education Act

The Individuals with Disabilities Education Act requires schools to provide accessible instructional materials to blind and low-vision students in a "timely manner." Federal case law and Office for Special Education Programs guidance have repeatedly held that braille materials delivered days or weeks after sighted peers receive print materials are not timely — late access is a denial of access.

BrailleBuddy directly supports IDEA timeliness obligations. Conversions that traditionally take a contracted transcriptionist days to weeks complete in minutes inside the application, which means a teacher of the visually impaired can deliver Monday's worksheet on Monday, not Thursday. Audit trails record who requested, who converted, and when each student received each assignment, providing the documentation a district needs if a parent files a state complaint or due process hearing about timeliness.

BrailleBuddy does not eliminate every IDEA obligation a district carries — IEP development, qualified personnel, and braille instruction itself remain the district's responsibility. What BrailleBuddy removes is the operational bottleneck that causes most IDEA timeliness failures: the gap between when a sighted student gets a document and when a blind student gets the same content in an accessible format.

SOC 2 Alignment

BrailleBuddy's infrastructure and practices align with SOC 2 Trust Service Criteria across five principles:

  • Security: Access controls, encryption, and vulnerability management
  • Availability: Cloud infrastructure with uptime monitoring and incident response
  • Confidentiality: Data classification, access restrictions, and secure disposal
  • Privacy: Data collection limited to service delivery, user consent respected
  • Processing Integrity: Braille translation accuracy validated against reference implementations

WCAG 2.2 AA & Section 508

BrailleBuddy meets WCAG 2.2 Level AA success criteria and Section 508 requirements for federal accessibility standards. As a product built for blind and low-vision students, accessibility is foundational — not an afterthought.

  • Designed for screen reader use; NVDA, JAWS, and VoiceOver testing in progress
  • Full keyboard navigation — every feature accessible without a mouse
  • 7:1 contrast ratio for critical content, exceeding AA requirements
  • Semantic HTML and ARIA labels throughout
  • No time-dependent interactions that could exclude users
  • Focus indicators visible on every interactive element
  • Color is never the sole means of conveying information

GDPR / UK GDPR

For schools operating under GDPR or UK GDPR, BrailleBuddy supports:

  • Right to access — users can request a copy of their data
  • Right to erasure — users can request deletion of their data
  • Right to portability — data can be exported in standard formats
  • Regional data residency options (planned for future release)

Data Architecture

BrailleBuddy's technical architecture is designed for security and compliance from the ground up.

  • Authentication: OAuth SSO only — no passwords are stored in BrailleBuddy
  • Database: Supabase PostgreSQL with row-level security (RLS) policies enforcing tenant isolation
  • File Storage: Encrypted file storage with signed URLs and configurable expiry
  • Auto-delete: Administrators can enable automatic deletion of uploaded files after a configurable retention period
  • Infrastructure: Built on SOC 2 Type II certified sub-processor infrastructure (Supabase, AWS). BrailleBuddy itself does not yet hold an independent SOC 2 attestation; the criteria below describe our operational practice.

Questions about compliance?

For institutional compliance inquiries, security questionnaires, or procurement documentation, contact support@lonia.ai.