Security and compliance built for K-12.

Manage1to1 is a Student Privacy Pledge signatory, compliant with FERPA, COPPA, and PPRA, and hosted on infrastructure that carries SOC 2+, PCI Merchant, CSA Star Level 1, and ISO/IEC 27001:2022 certifications. Encryption everywhere. MFA on every admin path. We sign your district's DPA. No targeted advertising, no selling student data — ever.

Compliance at a glance

  • Student Privacy Pledge

    Public signatory. Never sell student data, never use it for ads.

  • FERPA · COPPA · PPRA

    Federal student-privacy laws — verified compliant.

  • SOC 2+ · PCI · CSA Star · ISO 27001:2022

    Hosting infrastructure carries all four certifications.

  • Employee-owned (ESOP)

    No VC pressure, no exit incentive — long-term data stewardship.

  • 72-hour breach notification

    Written notice within 72 hours of confirmed or suspected breach.

Compliance

Student privacy laws are non-negotiable.

Every K-12 SaaS product claims compliance. Here's what Manage1to1's compliance actually looks like in practice.

  • Student Privacy Pledge

    Public signatory. We have pledged to safeguard student data, never sell student personal information, never use it for targeted advertising, and only collect what schools authorize.

  • FERPA

    The Family Educational Rights and Privacy Act. Manage1to1 handles education records as a School Official under the FERPA School Official exception.

  • COPPA

    The Children's Online Privacy Protection Act. Manage1to1 collects information about children under 13 only as directed by the School, and never directly from students.

  • PPRA

    The Protection of Pupil Rights Amendment. Manage1to1 supports districts in complying with PPRA requirements around surveys and protected information.

Hosting

Hosted on certified infrastructure.

Manage1to1 runs on infrastructure that holds the certifications your district's security review will look for. We don't run our own data center, and we don't need to — we host where the third-party audits already exist.

  • SOC 2+ (HIPAA)

    SOC 2 Type II with HIPAA controls — covers the security, availability, processing integrity, confidentiality, and privacy of customer data.

  • PCI (Merchant)

    PCI DSS Merchant certification. Required for handling card transactions through the platform.

  • CSA Star Level 1

    Cloud Security Alliance STAR registry — third-party verified cloud-security posture.

  • ISO/IEC 27001:2022

    The international standard for information security management systems. The 2022 revision is the current iteration.

Controls

How we protect your data day to day.

Encryption

Every byte, in transit and at rest.

  • All data in transit is encrypted using TLS 1.3 — every connection to manage1to1.com, the parent portal, the staff app, and every integration endpoint. TLS 1.3 only; older versions are blocked.
  • All data at rest is encrypted using full-disk and database-level encryption.
  • No fallback to TLS 1.2 or older. Modern cipher suites only — your district security review will pass without exceptions.

Access controls

Multi-factor authentication and role-based access.

  • Multi-factor authentication for administrative access to systems containing district data.
  • Role-based access controls (RBAC) limit access to authorized Manage1to1 personnel on a strict need-to-know basis.
  • SSO via Google Workspace, Microsoft 365, or ClassLink for district sign-in. No password reuse, no shared accounts.

Infrastructure monitoring

Automated scanning. Third-party uptime monitoring.

  • Automated vulnerability scanning runs continuously against the platform and its infrastructure.
  • Third-party uptime and availability monitoring — we hold ourselves accountable with an independent observer.
  • Off-site replication so a single-site failure doesn't mean a single-day outage.

Personnel

Background-checked staff. Physical security.

  • All Manage1to1 employees undergo an initial background check, with subsequent checks performed regularly.
  • Physical access to data equipment, backup equipment, and servers is limited to those with an expressed need to access — engineers and hardware personnel only.

Privacy posture

Your data is yours. We don't sell it. Ever.

As an employee-owned (ESOP) company, the people who handle your district's data are the same people who own the company — and who used to be Tech Directors. Long-term stewardship is structural, not aspirational.

  • You own your data.

    All data entered into Manage1to1 by a district or on its behalf remains the district's sole and exclusive property. We will not sell, share, license, or commercially exploit your data for any purpose.

  • We never sell student data.

    Period. No targeted advertising. No profiling. No data mining. No third-party advertising networks are ever allowed to collect information about users of our Services.

  • Districts control all student data.

    Manage1to1 receives student data only from the School and never interacts with students directly. Access requests from parents and students go through the district — not us — per FERPA.

  • Clean termination, with proof.

    On termination, district data is available for export for 30 days. After the export window, all district data — including student-identifying data — is securely deleted from servers, backups, and databases. Written confirmation of deletion provided on request.

Breach notification

72 hours, in writing, with full cooperation.

In the event of a confirmed or suspected unauthorized access to, acquisition of, use of, or disclosure of district or student data that compromises the security, confidentiality, or integrity of that data, Manage1to1 will notify the affected School or District without unreasonable delay — and in no event later than seventy-two (72) hours after discovery.

We'll cooperate fully with the district in investigating and remediating any such incident. Districts with a separate SaaS Agreement should refer to that agreement for specific breach notification terms.

Security FAQ

Questions district security reviews always ask.

DPAs, hosting, encryption, data deletion, breach notification — straight answers for the procurement checklist.

Will Manage1to1 sign our district's SaaS Agreement or DPA?

Yes. We sign customer-side SaaS Agreements and Data Processing Agreements as a matter of course. We also sign state-specific student-privacy agreements for districts under New York Ed Law 2-d, California SOPIPA, Connecticut PA 16-189, Florida-specific compliance requirements, and others. Send your district's paperwork through info@manage1to1.com and we'll route it to legal.

Where is district data hosted, and who has physical access?

District data is hosted on cloud infrastructure that holds SOC 2+ (with HIPAA controls), PCI Merchant, CSA Star Level 1, and ISO/IEC 27001:2022 certifications. Physical access to data equipment, backups, and servers is restricted to engineers and hardware personnel with an expressed, documented need to access.

How is district and student data encrypted?

Every byte. Data in transit is encrypted using TLS 1.3 for every connection to manage1to1.com, the Parent Portal, the staff app, and every integration endpoint — TLS 1.3 only, with no fallback to TLS 1.2 or older. Data at rest is encrypted using full-disk and database-level encryption.

Will Manage1to1 sell or share student data?

Never. We are a Student Privacy Pledge signatory. We do not sell, share, license, or commercially exploit district or student data. No targeted advertising. No third-party advertising networks. No data mining. No profiling. Period.

What happens to district data if we terminate?

For 30 days after termination, district data is available for full export to CSV. After the export window, all district data — including student-identifying data — is securely deleted from servers, backups, and databases. Written confirmation of deletion is provided on request.

Why does Manage1to1 being employee-owned matter for security?

Two reasons. First, no outside investor pressure to flip the company to a strategic buyer who might deprecate the product or change data-handling practices. Second, every employee owns a share of the company AND every employee is a former K-12 school district staff member — so the people handling your district's data have personal financial stake AND a career background that understands what's at risk. Long-term data stewardship is structural, not just a policy claim.

Need a custom agreement?

We sign SaaS Agreements and DPAs.

If your district's legal team needs a Software-as-a-Service Agreement, Data Processing Agreement, or specific addenda for your state's student privacy laws (e.g., NY Ed Law 2-d, California SOPIPA, Connecticut PA 16-189, etc.), reach out — we sign these regularly and have language ready to go.

Have your security team look at us.

Read the full Privacy Policy, request our SaaS Agreement, or schedule a security review with our team.