Platform Security

Security

How Leap Log IEP protects Special Education student records

Last updated: March 11, 2026

Leap Log IEP LLC · Kansas City, Missouri

Security at a Glance

  • AES-256 encryption at rest
  • TLS 1.2+ encryption in transit
  • Row-level security on every database table
  • 72-hour breach notification to schools
  • US-only data centers (Supabase + Vercel, both SOC 2 Type II)
  • 30-minute session timeout with 2-minute warning
  • Full audit trail on every record — 5-year retention

Leap Log IEP handles Special Education student records — among the most sensitive data in K-12 education. IEP files contain disability classifications, behavioral histories, and personally identifiable information about children, much of it protected by FERPA and IDEA. We built our security architecture around that reality from day one.

This page describes our technical and organizational security controls. For data use practices, see our Privacy Policy. For contractual security obligations, see our Data Processing Agreement.

Security questions or vulnerability reports: support@leaplogiep.com

Encryption — Data at Rest and In Transit

At Rest

All student data stored in our database is encrypted using AES-256 encryption — the same standard used by financial institutions and federal agencies. This applies to every record in the system: IEP goals, progress entries, service logs, behavioral data, messages, and audit logs.

In Transit

All data transmitted between your browser and our servers uses TLS 1.2 or higher (HTTPS). The platform does not accept unencrypted HTTP connections. Sensitive data — including student PII — is never transmitted over unencrypted channels.

Access Controls — Who Can See What

Role-Based Access

Every account is assigned one of five roles: Department Head, Administrator, Teacher, Paraprofessional, or Parent. Each role has precisely scoped permissions enforced at both the application layer and the database layer:

  • A paraprofessional can log data but cannot edit IEP goals
  • A parent can view only their own child's progress — never another student's
  • A teacher sees only the students assigned to their caseload
  • A general education provider sees only the specific goal areas they've been granted access to

Row-Level Security (Database Layer)

Our database enforces access controls at the row level, independent of the application. A request that bypasses application logic — including URL manipulation, direct API calls, or session token abuse — cannot retrieve data the requesting user is not authorized to see. Authorization is enforced at the data layer, not just the UI.
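How database-layer enforcement of the caseload and parent rules above can look in PostgreSQL on Supabase. This is an added illustration, not Leap Log IEP's actual schema or policies. The table and column names (`caseload`, `guardian`, `progress_entry`) are hypothetical; `auth.uid()` and the `authenticated` role are the ones Supabase provides.

```sql
-- Hypothetical schema; all table and column names are illustrative assumptions.
CREATE TABLE caseload (teacher_id uuid, student_id uuid, PRIMARY KEY (teacher_id, student_id));
CREATE TABLE guardian (parent_id uuid, student_id uuid, PRIMARY KEY (parent_id, student_id));
CREATE TABLE progress_entry (
  id         uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  student_id uuid NOT NULL,
  note       text NOT NULL,
  created_by uuid NOT NULL
);

-- With RLS enabled, a row that matches no policy is invisible and unwritable
-- (default deny), whatever query the client sends.
ALTER TABLE caseload       ENABLE ROW LEVEL SECURITY;
ALTER TABLE guardian       ENABLE ROW LEVEL SECURITY;
ALTER TABLE progress_entry ENABLE ROW LEVEL SECURITY;

-- Link tables: each user can read only their own links.
CREATE POLICY own_caseload ON caseload
  FOR SELECT TO authenticated USING (teacher_id = auth.uid());
CREATE POLICY own_children ON guardian
  FOR SELECT TO authenticated USING (parent_id = auth.uid());

-- A teacher reads entries only for students on their caseload.
CREATE POLICY teacher_reads_caseload ON progress_entry
  FOR SELECT TO authenticated
  USING (EXISTS (SELECT 1 FROM caseload c
                 WHERE c.teacher_id = auth.uid()
                   AND c.student_id = progress_entry.student_id));

-- A parent reads entries only for their own child.
CREATE POLICY parent_reads_own_child ON progress_entry
  FOR SELECT TO authenticated
  USING (EXISTS (SELECT 1 FROM guardian g
                 WHERE g.parent_id = auth.uid()
                   AND g.student_id = progress_entry.student_id));

-- Staff may insert entries only under their own identity and only for
-- caseload students. No UPDATE or DELETE policy exists, so both are denied.
CREATE POLICY staff_logs_for_caseload ON progress_entry
  FOR INSERT TO authenticated
  WITH CHECK (created_by = auth.uid()
              AND EXISTS (SELECT 1 FROM caseload c
                          WHERE c.teacher_id = auth.uid()
                            AND c.student_id = progress_entry.student_id));
```

Because the policies are evaluated by the database for every statement, a request that guesses another student's UUID simply returns zero rows. A reviewer should also confirm that no client-facing code path uses a role that bypasses RLS.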

No Student PII in URLs

All student references in URLs use UUIDs (randomly generated identifiers). Student names, IDs, and other identifiable information never appear in URLs, browser history, or server logs.

Authentication Security

  • Passwords are hashed using bcrypt (minimum 12 rounds) — never stored in plaintext
  • Cloudflare Turnstile CAPTCHA protects all login forms against automated credential-stuffing attacks
  • Account lockout after repeated failed login attempts
  • Password reset handled via a time-limited, single-use email token — no security questions

Session Management

Staff accounts automatically expire after 30 minutes of inactivity, with a 2-minute warning before logout. This is a FERPA-aligned control designed for shared school devices where a staff member may walk away from an active session.

All sessions use signed, server-validated tokens. Sessions cannot be replayed, transferred between devices, or extended without re-authentication.

Audit Logging — Complete Tamper-Resistant Trail

Every access to and modification of student records is logged with:

  • User ID and role of the person who took the action
  • Timestamp (UTC)
  • Action type: view, create, update, or delete
  • Record affected: which student, goal, service log, or message
  • Change diff: for updates, what changed (old value → new value)

Audit logs are tamper-resistant and retained for 5 years to support IDEA compliance timelines and dispute resolution. School administrators and Department Heads can view the full audit log in real time through the platform's Settings screen. Read-access logs (who viewed which student's record and when) are also available for FERPA compliance review.

Infrastructure Security

Hosting and Database

The platform runs on Vercel (application hosting) and Supabase (managed PostgreSQL). Both providers:

  • Maintain SOC 2 Type II certifications (available on request)
  • Operate exclusively within US data centers
  • Enforce physical security, logical access controls, and network segmentation

DDoS and Bot Protection

Cloudflare sits in front of the platform providing DDoS mitigation, rate limiting, and automated bot filtering. All traffic is inspected before reaching our application servers.

No Student PII in Email Notifications

Transactional email notifications (new messages, IEP reminders, progress updates) are designed to contain no student personally identifiable information. Emails contain only the recipient's first name and a link to log in to the platform. This is a deliberate FERPA safeguard — student data is viewable only after authenticated login, never in an email inbox.

Vulnerability Management

  • Security patches are reviewed and applied continuously
  • Critical vulnerabilities are addressed within 72 hours of identification
  • An independent security review or penetration test is conducted at least annually
  • Material findings are remediated within 60 days
  • We are committed to responsible disclosure — report vulnerabilities to security@leaplogiep.com and we will acknowledge within 24 hours

Breach Response — 72-Hour Notification

In the event of a security breach affecting student data:

  1. We notify the affected school within 72 hours of discovery
  2. We provide: nature of the breach, categories of data affected, steps taken to contain it, and recommended school actions
  3. We cooperate fully with the school's investigation
  4. We assist the school in fulfilling required notifications to parents and regulatory authorities under FERPA, state law, and the terms of our DPA

Our full breach notification obligations are defined in our Data Processing Agreement.

FERPA Security Safeguards — Built In by Design

These controls are implemented specifically to support FERPA's requirement that vendors protect student education records:

FERPA Requirement | Our Implementation
Access limited to legitimate educational interest | Role-based permissions enforced at both API and database layer
Audit trail of record access and modification | Every read and write to student records is logged with user, timestamp, and action
No PII in email notifications | Notifications contain first name + authenticated login link only
No PII in URLs | All record references use UUIDs — never names or student IDs
Session controls for shared devices | 30-minute auto-logout on all staff accounts
Data use limited to educational purpose | Student data processed only to deliver the contracted service
Data return and deletion | CSV/PDF export available on demand; deletion confirmed in writing
Breach notification | School notified within 72 hours; support for parent and regulatory notification

Compliance Registrations and Certifications

Registration / Certification | Status
SDPC — Student Data Privacy Consortium | Registered at privacy.a4l.org
Student Privacy Pledge | Signatory
COPPA 2024 Rule | Compliant (full compliance deadline April 22, 2026)
FERPA School Official Exception | Formalized in our DPA with each school
Supabase SOC 2 Type II | Available on request
Vercel SOC 2 Type II | Available on request

Contact

Security: security@leaplogiep.com
Privacy: privacy@leaplogiep.com
Legal / DPA: support@leaplogiep.com

Leap Log IEP LLC
Kansas City, Missouri