Trust Disclosure · Document v1.0

Built for institutional review

Foresight is engineered to meet the security, privacy, and compliance standards your IT, procurement, and accreditation teams require. This document discloses exactly what we have today, what is in progress, and what is on our roadmap.

Last updated: May 12, 2026

§ 1 · Status at a glance

Where we stand on every framework that matters

We do not list a framework unless we have a position on it. Every row below reflects what is configured in our production environment today. We will not market a certification we do not hold.

  • FERPA (34 CFR Part 99)

    Operating as a “school official” under § 99.31(a)(1)(i)(B). Data Processing Agreement available on request.

    Aligned
  • Encryption at rest

    AES-256 on Postgres and object storage. Keys rotated and audited by infrastructure provider.

    Aligned
  • Encryption in transit

    TLS 1.2+ enforced on every endpoint. HSTS on the marketing surface.

    Aligned
  • Row-Level Security (multi-tenant isolation)

    Postgres RLS policies on every table containing student records. Tenant boundary enforced at the database, not the application.

    Aligned
  • Audit logging

    Every instructor publish, enrollment change, role grant, and admin action written to an immutable audit log.

    Aligned
  • Data Processing Agreement (DPA)

    Standard template available on request. Customer paper also accepted.

    Aligned
  • Accessibility (Section 508 / WCAG 2.1 AA)

    Conformance to WCAG 2.1 AA — the technical standard referenced by Section 508 for institutions receiving federal funds.

    Aligned

§ 2 · Data protection

What we do with student data — and what we don’t

The four controls below are non-negotiable. Every Foresight environment ships with all of them.

Encryption everywhere

Data encrypted at rest with AES-256 on Postgres and object storage. TLS 1.2+ in transit on every connection. Encryption keys managed by our infrastructure provider with rotation and audit.

Strict access controls

Row-Level Security policies on every table that contains student records. Tenant boundaries are enforced at the database layer, not just in the application. Service-role keys never reach the client.

Audit logging

Every instructor publish, enrollment change, role grant, and admin action writes to an immutable audit log. Retained for the life of your contract and available on accreditation request.

AI you can audit

Student exam responses are never sent to AI providers and never used to train models. AI is invoked only when an instructor clicks “Generate” — and only the instructor’s topic prompt is sent to OpenAI or Anthropic.

§ 3 · Subprocessors

Every third party that touches your data

No more, no less. We update this list within 30 days of any change and notify customers under the Data Processing Agreement. All listed parties are United States entities with United States data residency.

| Provider | Purpose | Region | Data exchanged |
|---|---|---|---|
| Supabase | Database (Postgres), authentication, file storage | AWS us-east-1 (Virginia) | Student educational records, exam responses, instructor accounts |
| Vercel | Application hosting and edge network | United States edge regions | Application traffic; no persistent student records |
| Stripe | Subscription billing and invoicing | United States | Institutional billing contacts and payment instruments; no student data |
| OpenAI | AI question generation (instructor-initiated only) | United States | Instructor-supplied prompts and generated draft items; no student PII |
| Anthropic | AI question generation (alternate model option) | United States | Instructor-supplied prompts and generated draft items; no student PII |

§ 4 · For your context

Three buyer contexts, three direct answers

Different institutions live under different regulatory regimes. Here is where Foresight fits each one today.

K–12 and under-18 students

Some EMT programs admit 16–17-year-old students through high-school CTE pipelines and fire-cadet programs. For minors, Foresight applies heightened controls: no advertising, no behavioral profiling, no commercial use of student data, and parental-consent workflows where state law requires them. We align with SOPIPA (CA), AB 1584 (CA), Education Law § 2-d (NY), and SOPPA (IL).

Hospital-based programs

Foresight does not process Protected Health Information. Exam content uses fictional patient vignettes only; no clinical records, no PHI fields, no integration with patient-data systems. No HIPAA BAA is required for normal use. Your privacy office can route us through a standard FERPA-only review.

Federal and military programs

FERPA + signed Data Processing Agreement + United States data residency. This is sufficient for education-side training programs and for Government Purchase Card purchases under the $15,000 micro-purchase threshold, as raised in October 2025. For direct DoD contracts requiring FedRAMP authorization, contact us before issuing an RFP.

§ 5 · Accreditation & continuity

For the long arc, not just the demo

Accreditation evidence, ready when you need it

Foresight’s analytics map directly to the CoAEMSP outcome thresholds — Retention, NREMT first-attempt pass rate, and Positive Placement — each tracked against the 70% threshold required for paramedic-program reaccreditation. Raw data exports in CSV and JSON. Audit log retained for the life of your contract. We will write a letter to your site visitors on request.

Data portability if we cease operations

Customer data is your data. In any wind-down or change-of-control scenario, we commit to (1) a 90-day data export window, (2) full CSV and JSON exports of all assessments, responses, and analytics, and (3) advance written notice. This commitment is in the standard Data Processing Agreement.

§ 6 · Frequently asked

Questions your IT team will ask

§ 7 · Documents & contact

Documents available on request

Email us and we will respond within one business day with whatever your procurement or IT team needs to complete its review.

  • Data Processing Agreement (DPA)
    Standard template; customer paper also accepted
  • Subprocessor list
    Published in § 3; updated within 30 days of any change
  • Privacy Policy and Terms of Service
    Published documents
  • Security implementation summary
    Controls, encryption posture, audit log scope — under NDA
  • Certificate of Insurance
    Available on request
  • Accessibility statement
    Available on request

Procurement & compliance docs

compliance@foresight.edu

Acknowledged within one business day.

Report a security concern

security@foresight.edu

Coordinated disclosure appreciated. Status update within five business days.

Foresight is a product of Ibis SaaS Holdings LLC. This document is provided for informational purposes and is not a substitute for the binding Data Processing Agreement. For general inquiries: hello@foresight.edu.