NorthShore CTE is a classroom platform for Career & Technical Education media-arts courses. This page explains exactly what we collect, who can see it, where it lives, and the rights students and families have — in plain language, no dark patterns.
Only what the class needs to function. No advertising identifiers, no behavioral tracking, no data sold or shared for marketing — ever.
Name and school Google account (email), supplied by your district's roster. Used only to sign in and attribute work.
Answers, uploads, self-assessments, and the grades a teacher assigns. This is the student's academic record for the class.
Which lessons are open, submitted, or graded — so dashboards and "what's due" work.
IEP/504 accommodations and plan notes a teacher or case manager records, to deliver required services. Confidential (see §2).
A device label and "last active" time per sign-in, so we can warn about and stop unauthorized account access.
No location, no contacts, no microphone/camera access beyond a file you choose to upload, no third-party trackers or ad cookies.
Access is enforced at the database row level (Row Level Security), not just hidden in the interface. A person only ever receives the rows they're entitled to.
The platform talks to exactly two vendors, both under the district's existing agreements. There are no other endpoints, analytics SDKs, or trackers.
No data is sold, rented, or used to build advertising or commercial profiles. There are no social-media pixels, no session-replay tools, and no fingerprinting.
Data is encrypted in transit (HTTPS/TLS) and at rest by the hosting provider. The hosting region is fixed to the value above; moving regions is an explicit administrative action, not automatic.
The platform is a thin application layer over two independently audited subprocessors. It inherits their infrastructure certifications and adds its own row-level access controls on top.
NorthShore CTE is operated for a single district and is not, by itself, independently SOC 2 audited. Its security guarantees rest on (a) the SOC 2 / ISO certifications of the subprocessors above, which physically hold the student data, and (b) the row-level security policies in this repository (supabase-*.sql), which are version-controlled and available for the District's review and independent re-execution. Current third-party attestation letters (Supabase SOC 2 Type II; Google Cloud / Workspace SOC 2/3 & ISO 27001) are provided to the District on request for procurement review.
Student data is kept only as long as the class needs it, then removed.
On a verified request from the district or an eligible parent/student, an individual record is exported or deleted promptly, subject to the district's records-retention obligations.
This platform operates as a "school official" under FERPA, processing data on the district's behalf and under its direction. It is built for COPPA-covered ages with no advertising or unrelated use.
Questions or requests go to your district's Data Privacy Officer: contact.
A ready-to-fill DPA the district can adapt and execute. Print it to PDF, complete the bracketed fields, and route for signature.
This Data Protection Agreement ("Agreement") is entered into by and between [District Name] ("District") and NorthShore CTE ("Provider"), effective [Date], governing the Provider's processing of Student Data in connection with the NorthShore CTE Media Arts Platform ("Service").
Provider processes Student Data solely to deliver the Service to District — coursework, grading, progress, accessibility services, and roster/session management — and for no other purpose. Provider acts as a School Official with a legitimate educational interest under FERPA (34 CFR §99.31(a)(1)).
All Student Data remains the property of and under the control of the District. Provider obtains no rights to Student Data except the limited license to process it to provide the Service.
Provider shall not sell Student Data, nor use or disclose it for advertising, targeted marketing, or any commercial purpose, nor build a profile of a student except in furtherance of the Service's educational purpose.
Provider uses the following subprocessors: Supabase (database, authentication, storage) and Google Workspace for Education (authentication and optional Classroom/Drive integration). Provider will notify District of any change to this list.
Student Data is hosted in [Hosting Region]. Data Residency Statement: all Student Data is stored and processed exclusively within the stated region and is not transferred to or replicated in another jurisdiction without the District's prior written authorization. Provider maintains administrative, physical, and technical safeguards including encryption in transit and at rest, row-level access controls, and least-privilege access. Provider's access-control policies are version-controlled and available for the District's review.
Student Data is held by subprocessors that maintain current third-party security attestations: Supabase (SOC 2 Type II) and Google Workspace for Education / Google Cloud (SOC 2 Type II, SOC 3, ISO/IEC 27001, 27017, and 27018). Upon the District's request, Provider will furnish the then-current attestation letters or audit summaries for these subprocessors. Provider's own application-layer access controls (row-level security) are open to the District for inspection and independent verification.
Provider shall notify District without unreasonable delay, and no later than [N] hours, upon discovery of any unauthorized acquisition of or access to Student Data, and shall cooperate with the District's response.
Provider shall retain Student Data only as long as necessary to provide the Service and shall delete or return it upon District request or upon termination of this Agreement, subject to the District's records-retention requirements.
Provider shall support the District in fulfilling access, correction, and deletion requests from parents and eligible students as required by FERPA and applicable state law.
This Agreement remains in effect for the term of the District's use of the Service. Upon termination, Section 8 governs the disposition of Student Data.
This Agreement is executed in counterparts. The District signs first; the Provider then countersigns and returns a fully-executed copy. The Agreement takes effect on the date of the later of the two signatures (the “Effective Date”), entered at the top of this document. An electronic or digital signature has the same effect as an original.
Routing: complete the bracketed fields above, the District authorized official signs (Step 1), then send the PDF to Provider to countersign (Step 2). The fully-executed Agreement — not this template — is the governing record; file the countersigned copy with the District's Data Privacy Officer.