Compliance & Security

Built for the standards schools require

Detailed compliance and security documentation for procurement teams and school administrators.

FERPA

BrailleBuddy is designed to comply with the Family Educational Rights and Privacy Act (FERPA). Student education records uploaded to BrailleBuddy are protected through multiple layers of security.

  • All student data is encrypted at rest (AES-256) and in transit (TLS 1.3)
  • Role-based access controls restrict data visibility by user role (teacher, admin, student)
  • Tenant isolation ensures each school or district's data is logically separated
  • Audit logs record every action — uploads, conversions, downloads, and assignments — with timestamps and user identity
  • Configurable data retention policies allow administrators to set automatic deletion schedules
  • No student data is shared with third parties for advertising or profiling

SOC 2 Alignment

BrailleBuddy's infrastructure and practices align with SOC 2 Trust Service Criteria across five principles:

  • Security: Access controls, encryption, and vulnerability management
  • Availability: Cloud infrastructure with uptime monitoring and incident response
  • Confidentiality: Data classification, access restrictions, and secure disposal
  • Privacy: Data collection limited to service delivery, user consent respected
  • Processing Integrity: Braille translation accuracy validated against reference implementations

WCAG 2.2 AA & Section 508

BrailleBuddy meets WCAG 2.2 Level AA success criteria and Section 508 requirements for federal accessibility standards. As a product built for blind and low-vision students, accessibility is foundational — not an afterthought.

  • Screen reader tested with NVDA, JAWS, and VoiceOver
  • Full keyboard navigation — every feature accessible without a mouse
  • 7:1 contrast ratio for critical content, exceeding AA requirements
  • Semantic HTML and ARIA labels throughout
  • No time-dependent interactions that could exclude users
  • Focus indicators visible on every interactive element
  • Color is never the sole means of conveying information

GDPR / UK GDPR

For schools operating under GDPR or UK GDPR, BrailleBuddy supports:

  • Right to access — users can request a copy of their data
  • Right to erasure — users can request deletion of their data
  • Right to portability — data can be exported in standard formats
  • Regional data residency options (planned for future release)

Data Architecture

BrailleBuddy's technical architecture is designed for security and compliance from the ground up.

  • Authentication: OAuth SSO only — no passwords are stored in BrailleBuddy
  • Database: Supabase PostgreSQL with row-level security (RLS) policies enforcing tenant isolation
  • File Storage: Encrypted file storage with signed URLs and configurable expiry
  • Auto-delete: Administrators can enable automatic deletion of uploaded files after a configurable retention period
  • Infrastructure: Hosted on SOC 2 Type II certified cloud infrastructure

Questions about compliance?

For institutional compliance inquiries, security questionnaires, or procurement documentation, contact support@lonia.ai.