Trust Disclosure · Document v1.1
Built for institutional review
Foresight is engineered to meet the security, privacy, and compliance standards your IT, procurement, and accreditation teams require. This document discloses exactly what we have today, what is in progress, and what is on our roadmap.
- Last updated
- June 29, 2026
Status at a glance
Where we stand on every framework that matters
We do not list a framework unless we have a position on it. Every row below reflects what is configured in our production environment today. We will not market a certification we do not hold.
FERPA (34 CFR Part 99)
Designed to operate under the FERPA “school official” exception (§ 99.31(a)(1)(i)(B)) once an institution designates Foresight in a signed Data Processing Agreement. DPA available on request.
In progressEncryption at rest
AES-256 at rest on Postgres and object storage, provided and key-managed by our infrastructure provider (Supabase on AWS).
AlignedEncryption in transit
TLS 1.2+ enforced on every endpoint. HSTS on the marketing surface.
AlignedRow-Level Security (multi-tenant isolation)
Postgres RLS policies on every table containing student records. Tenant boundary enforced at the database, not the application.
AlignedAudit logging
Structured, tamper-evident logging of publish, enrollment, and role-change events is on our near-term roadmap. Database-level activity logs are retained by our infrastructure provider in the interim.
On roadmapData Processing Agreement (DPA)
Standard template available on request. Customer paper also accepted.
AlignedAccessibility (Section 508 / WCAG 2.1 AA)
Working toward WCAG 2.1 AA conformance — the technical standard referenced by Section 508 for institutions receiving federal funds. Self-assessment underway; independent audit planned.
In progress
Data protection
What we do with student data — and what we don’t
The four controls below are non-negotiable. Every Foresight environment ships with all of them.
Encryption everywhere
Data encrypted at rest with AES-256 on Postgres and object storage. TLS 1.2+ in transit on every connection. Encryption keys managed by our infrastructure provider with rotation and audit.
Strict access controls
Row-Level Security policies on every table that contains student records. Tenant boundaries are enforced at the database layer, not just in the application. Service-role keys never reach the client.
Tamper-resistant grading
Answer keys are stored apart from question content and are never readable by a student session; scores can only be written by the server-side grader, never by a student. Single-attempt limits are enforced at the database layer, not just in the UI.
AI you can audit
Student exam responses are never sent to AI providers and never used to train models. AI is invoked only when an instructor clicks “Generate” — and only the instructor’s topic prompt is sent to OpenAI or Anthropic.
Subprocessors
Every third party that touches your data
No more, no less. We update this list within 30 days of any change and will notify institutions as provided in the Data Processing Agreement. All listed parties are United States entities with United States data residency.
| Provider | Purpose | Region | Data exchanged |
|---|---|---|---|
| Supabase | Database (Postgres), authentication, file storage | AWS us-east-1 (Virginia) | Student educational records, exam responses, instructor accounts |
| Vercel | Application hosting and edge network | United States edge regions | Application traffic; no persistent student records |
| Stripe | Subscription billing and invoicing | United States | Institutional billing contacts and payment instruments; no student data |
| Resend | Transactional email (account, security, and service notifications) | United States | Recipient email addresses and message content; no student educational records |
| OpenAI | AI question generation (instructor-initiated only) | United States | Instructor-supplied prompts and generated draft items; no student PII |
| Anthropic | AI question generation (alternate model option) | United States | Instructor-supplied prompts and generated draft items; no student PII |
| Google Analytics 4 | Marketing-site analytics (page views, traffic sources) | United States | Anonymized IP and browser metadata on marketing pages only; does not load on instructor or student app routes |
For your context
Three buyer contexts, three direct answers
Different institutions live under different regulatory regimes. Here is where Foresight fits each one today.
K–12 and under-18 students
Some EMT programs admit 16–17 year-old students through high-school CTE pipelines and fire-cadet programs. For minors, Foresight commits to no advertising, no behavioral profiling, and no commercial use of student data, and we work with the institution to meet the heightened obligations of state K-12 student-privacy laws — including SOPIPA and AB 1584 (CA), Education Law § 2-d (NY), and SOPPA (IL) — and to complete parental-consent steps where a state requires them.
Hospital-based programs
Foresight does not process Protected Health Information. Exam content uses fictional patient vignettes only; no clinical records, no PHI fields, no integration with patient-data systems. No HIPAA BAA is required for normal use. Your privacy office can route us through a standard FERPA-only review.
Federal and military programs
FERPA + signed Data Processing Agreement + United States data residency — sufficient for education-side training programs and Government Purchase Card purchases under the applicable federal micro-purchase threshold. For direct DoD contracts requiring FedRAMP authorization, contact us before issuing an RFP.
Accreditation & continuity
For the long arc, not just the demo
Accreditation evidence, ready when you need it
Foresight’s analytics are organized around the outcome measures CoAEMSP-accredited programs already report — retention, NREMT first-attempt pass rate, and positive placement — so the numbers for your annual report are a CSV or JSON export away.
Data portability if we cease operations
Your data is your data. In any wind-down or change-of-control scenario, we commit to (1) a 90-day data export window, (2) full CSV and JSON exports of all assessments, responses, and analytics, and (3) advance written notice. These commitments are included in our standard Data Processing Agreement template, executed before onboarding.
Frequently asked
Questions your IT team will ask
Documents & contact
Documents available on request
Email us and we will respond within one business day with whatever your procurement or IT team needs to complete its review.
- Data Processing Agreement (DPA)Standard template; customer paper also accepted
- Subprocessor listPublished below; updated within 30 days of any change
- Published
- Published
- Security implementation summaryControls, encryption posture, audit log scope — under NDA
- Certificate of InsuranceIn procurement
- Accessibility statementIn preparation
Report a security concern
security@foresight911.comCoordinated disclosure appreciated. Status update within five business days.
Foresight is a product of Ibis SaaS Holdings LLC. This document is provided for informational purposes and is not a substitute for the binding Data Processing Agreement. For general inquiries: info@foresight911.com.
