Security
Family data deserves
a careful home.
How Pearsight protects what you bring in — at the database, at the network, in our business model, and in how we work with security researchers.
Student-privacy laws
Student-privacy laws (FERPA / COPPA).
Pearsight today is a family-purchased product, not a school-contracted one. A parent or caregiver subscribes on behalf of their own kids and brings their parent-side Canvas connection into Pearsight. That's the deployment model the product runs on today — it doesn't foreclose Pearsight working under a school contract in the future, but it shapes how student-privacy laws apply to what's happening right now.
For COPPA, the verifiable-parental-consent step is built into the signup flow. The paying parent (18 or older) creates the family account, and that account creation is itself the parent's consent for any child under 13 that the parent then enrolls. Kids do not sign up to Pearsight on their own — there is no direct kid signup path. A kid only reaches Pearsight through a parent-issued pair code, and that pairing is something the parent controls and can revoke at any time.
Regardless of whether Pearsight ever enters a school-contract relationship, the data-handling controls Pearsight applies are aligned with FERPA's spirit: Postgres row-level security so a family's records never leak to another family, AES-256-GCM encryption of Canvas tokens at rest, a subscription-only business model with no ad targeting and no data resale, and scoped caregiver invites that grant only the access the inviting parent chose. The controls are the same whether you're a family using Pearsight on your own or, someday, a family whose school district has signed an agreement to use it.
Your data, your row
Postgres row-level security on every query.
Pearsight runs on Postgres with row-level security policies that scope every read and every write to a single family. There is no "admin path" that lets an engineer browse customer dashboards — the database itself refuses to return another family's rows, even if a query goes wrong.
Every caregiver invite, every co-parent join, every kid pairing creates a row in a junction table that grants exactly the access intended — and nothing more. Removing a caregiver removes the row; the next query the database runs for that caregiver returns nothing.
Canvas tokens are encrypted
AES-256-GCM at rest. Never written to logs.
Your Canvas access token is the most sensitive piece of data Pearsight stores. It's encrypted at rest with AES-256-GCM using a per-row data encryption key, with the master key held outside the database. The plain token only appears inside a server function long enough to issue a single Canvas request, then it leaves memory.
Pearsight cannot submit assignments, message teachers, or change grades — the Canvas API token Pearsight asks for is scoped to read-only operations. If Canvas ever rotates token formats, Pearsight rotates with them; tokens never linger past their 120-day refresh window.
We don't sell ads
Subscription is the only revenue source.
Pearsight has one business model: families pay a subscription. That's it. No ad targeting, no data brokers, no analytics resold to third parties, no "anonymous insights" piped to a marketing partner. The data your family puts into Pearsight stays inside Pearsight's database boundary.
Operational telemetry — error reports, performance metrics, deployment health — is collected through tooling that doesn't see your data: Vercel Speed Insights, Sentry-style error scrubbing, and aggregate query timings. None of it carries assignment text, student names, or grade values.
Coordinated disclosure
Found something? Tell us at security@pearsight.com.
Pearsight runs a coordinated-disclosure program for security researchers. Email security@pearsight.com with a reproducer and we'll acknowledge inside one business day, triage the issue, and credit you in our acknowledgments unless you'd rather stay anonymous.
Default disclosure window is 90 days from acknowledgment, extendable for genuinely complex issues. We don't litigate good-faith research; we welcome it.
FERPA stance
Where Pearsight sits relative to school records.
In Pearsight's current deployment model, the Canvas data flowing into your family dashboard comes from the parent side of the equation: you, as a parent, hold the Canvas connection and you decide what enters Pearsight. That puts today's product on the family side of the line FERPA draws, rather than inside the school's chain of contracted vendors.
FERPA governs how schools and their contracted vendors handle education records. A parent-purchased Pearsight subscription is closer in nature to a personal financial dashboard that connects to your bank than to a vendor sitting inside the school's data flow. If a school district later wanted Pearsight to operate under a formal agreement, the data-handling controls described above wouldn't need to change — the legal framing around them would. If your district's policies require explicit handling of parent-side tools today, ask us and we'll share whatever you need.