What is live, and what remains gated
Designed for more ways of learning
We target WCAG 2.1 Level AA in new and materially revised public and assessment experiences. Current supports include keyboard navigation, visible focus, responsive zoom, readable structure, reduced-motion handling, text-to-speech controls, large-text and contrast options, dyslexia-friendly typography, and language-support tools. This is a design target, not a third-party conformance certification.
To request an accommodation or report a barrier, email info@thescholarsascent.org with the page, device/browser, and task you were trying to complete. Do not include a diagnosis or other unnecessary sensitive information.
Minimize first. Authorize every boundary.
- HTTPS in transit and Google provider-managed encryption at rest for hosted application data.
- Tenant-scoped company SaaS records and verified identity/role/context claims.
- Server-mediated authoritative writes in the Clever SaaS integration path.
- Scholar aliases in ordinary assessment records and displays. Aliases reduce exposure but are not described as anonymous when a school can reconnect them to a student.
- No sale of personal information and no targeted student advertising.
- Google generative AI is disabled in student-facing, student-triggered, and other minor-accessible company Assessment Center workflows; supported scoring is deterministic and final decisions remain with authorized educators.
Some private founder-teacher workflows use the established NAS runtime and separate local roster safeguards. Those controls are not represented as the hosted SaaS architecture. The hosted teacher dashboard must pass tenant isolation, entitlement, onboarding, and feature-parity gates before external release.
Current providers and exact purposes
| Provider | Enabled Purpose | Relevant Information |
|---|---|---|
| Google Cloud / Firebase, including App Check and reCAPTCHA Enterprise | Hosting, authentication, databases, storage, functions, application attestation, abuse prevention, and service diagnostics | Account, classroom, educational-service, upload, request, browser/device, interaction, network, and security-risk information needed for the enabled feature. App Check risk signals are not used for advertising, grading, discipline, or student profiling. |
| Google AI services | Not enabled as a runtime subprocessor for Clever data, student data, teacher classroom data, or minor-accessible Assessment Center workflows | Limited internal assistance may be used to develop static content that is reviewed before publication. A separate adult-only, content-only authoring service is not active and requires written provider and counsel approval before activation. |
| Clever | Optional Library identity, account linking, and classroom provisioning | Role and raw provider identifiers are received transiently; the current integration persists keyed opaque mappings, selected-section label/subject/grade, roster count and membership links, and sync state—not raw Clever IDs, OAuth tokens, names, emails, photos, or demographics. Certification remains pending. |
| Stripe | Checkout, billing, subscriptions, invoices, and customer portal | Billing identity, customer and transaction references; card entry occurs on Stripe-hosted surfaces |
| Resend | Transactional, support, consent, receipt, and opted-in communication delivery | Recipient address, message content, and delivery metadata |
| Google Analytics for Firebase | Optional public-site analytics after opt-in | Pseudonymous device and usage events; excluded from authenticated dashboards and student assessment routes |
| Google Fonts | Public-page font delivery | Ordinary web request metadata, including IP address and browser information |
Cloudflare currently provides DNS management for the branded domain. DNS is configured without proxying application traffic, so we do not claim that Cloudflare supplies a WAF, bot-management, or application-request processing control for this site.
Material provider changes that affect school-authorized student information require the notice and approval process in the applicable agreement; a provider-list update does not expand the authorized educational purpose. Before a provider receives children's personal information, we require the confidentiality, security, and integrity assurances required by applicable law.
Agreements and record control
The current provider-completion packet uses the official TX-NDPA v1r6 standard form. It is an attorney-review and provider-completion packet, not an executed district agreement. Clever's platform terms or Universal DSA do not replace a district DPA or the direct-control terms a school may require under FERPA.
A school remains the controller of its education records. Parents and eligible students should normally submit access, amendment, deletion, and AI/integrity challenges to the school. We support verified school instructions and do not use a consumer request flow to bypass the school's identity verification or record-control obligations.
To request the privacy packet, current data map, retention schedule, or a DPA conversation, email info@thescholarsascent.org.
Report privately, notify through the controlling relationship
Report a suspected security issue to info@thescholarsascent.org. Include the affected service, approximate time, device/browser, and what appeared on screen. Do not email student records, passwords, PINs, cookies, tokens, API keys, or full rosters.
If we confirm unauthorized access to school-controlled student information, we notify the affected school without unreasonable delay and within the timing required by applicable law and the controlling agreement. We do not publish a universal numeric notification promise until the executed agreement and incident contacts establish it. Direct-account users receive notice when applicable law requires it.
Get the right issue to the right place
Educator and pilot support
Email info@thescholarsascent.org. Include the school, affected role, approximate time, browser/device, and the task that failed.
Privacy, deletion, and Texas appeals
Use the instructions in the Privacy Center. School-account requests begin with the school. Direct-account and Texas requests may be sent by email with the listed subject line.
Clever launch issues
Before certification, Clever access is limited to approved sandbox and pilot testing. After approval, teachers should confirm that the intended sections were authorized and that the district has not blocked the Library application.