Trust Disclosure · Document v1.1

Built for institutional review

Foresight is engineered to meet the security, privacy, and compliance standards your IT, procurement, and accreditation teams require. This document discloses exactly what we have today, what is in progress, and what is on our roadmap.

Last updated
June 29, 2026

Status at a glance

Where we stand on every framework that matters

We do not list a framework unless we have a position on it. Every row below reflects what is configured in our production environment today. We will not market a certification we do not hold.

  • FERPA (34 CFR Part 99)

    Designed to operate under the FERPA “school official” exception (§ 99.31(a)(1)(i)(B)) once an institution designates Foresight in a signed Data Processing Agreement. DPA available on request.

    In progress
  • Encryption at rest

    AES-256 at rest on Postgres and object storage, provided and key-managed by our infrastructure provider (Supabase on AWS).

    Aligned
  • Encryption in transit

    TLS 1.2+ enforced on every endpoint. HSTS on the marketing surface.

    Aligned
  • Row-Level Security (multi-tenant isolation)

    Postgres RLS policies on every table containing student records. Tenant boundary enforced at the database, not the application.

    Aligned
  • Audit logging

    Structured, tamper-evident logging of publish, enrollment, and role-change events is on our near-term roadmap. Database-level activity logs are retained by our infrastructure provider in the interim.

    On roadmap
  • Data Processing Agreement (DPA)

    Standard template available on request. Customer paper also accepted.

    Aligned
  • Accessibility (Section 508 / WCAG 2.1 AA)

    Working toward WCAG 2.1 AA conformance — the technical standard referenced by Section 508 for institutions receiving federal funds. Self-assessment underway; independent audit planned.

    In progress

Data protection

What we do with student data — and what we don’t

The four controls below are non-negotiable. Every Foresight environment ships with all of them.

Encryption everywhere

Data encrypted at rest with AES-256 on Postgres and object storage. TLS 1.2+ in transit on every connection. Encryption keys managed by our infrastructure provider with rotation and audit.

Strict access controls

Row-Level Security policies on every table that contains student records. Tenant boundaries are enforced at the database layer, not just in the application. Service-role keys never reach the client.

Tamper-resistant grading

Answer keys are stored apart from question content and are never readable by a student session; scores can only be written by the server-side grader, never by a student. Single-attempt limits are enforced at the database layer, not just in the UI.

AI you can audit

Student exam responses are never sent to AI providers and never used to train models. AI is invoked only when an instructor clicks “Generate” — and only the instructor’s topic prompt is sent to OpenAI or Anthropic.

Subprocessors

Every third party that touches your data

No more, no less. We update this list within 30 days of any change and will notify institutions as provided in the Data Processing Agreement. All listed parties are United States entities with United States data residency.

ProviderPurposeRegionData exchanged
SupabaseDatabase (Postgres), authentication, file storageAWS us-east-1 (Virginia)Student educational records, exam responses, instructor accounts
VercelApplication hosting and edge networkUnited States edge regionsApplication traffic; no persistent student records
StripeSubscription billing and invoicingUnited StatesInstitutional billing contacts and payment instruments; no student data
ResendTransactional email (account, security, and service notifications)United StatesRecipient email addresses and message content; no student educational records
OpenAIAI question generation (instructor-initiated only)United StatesInstructor-supplied prompts and generated draft items; no student PII
AnthropicAI question generation (alternate model option)United StatesInstructor-supplied prompts and generated draft items; no student PII
Google Analytics 4Marketing-site analytics (page views, traffic sources)United StatesAnonymized IP and browser metadata on marketing pages only; does not load on instructor or student app routes

For your context

Three buyer contexts, three direct answers

Different institutions live under different regulatory regimes. Here is where Foresight fits each one today.

K–12 and under-18 students

Some EMT programs admit 16–17 year-old students through high-school CTE pipelines and fire-cadet programs. For minors, Foresight commits to no advertising, no behavioral profiling, and no commercial use of student data, and we work with the institution to meet the heightened obligations of state K-12 student-privacy laws — including SOPIPA and AB 1584 (CA), Education Law § 2-d (NY), and SOPPA (IL) — and to complete parental-consent steps where a state requires them.

Hospital-based programs

Foresight does not process Protected Health Information. Exam content uses fictional patient vignettes only; no clinical records, no PHI fields, no integration with patient-data systems. No HIPAA BAA is required for normal use. Your privacy office can route us through a standard FERPA-only review.

Federal and military programs

FERPA + signed Data Processing Agreement + United States data residency — sufficient for education-side training programs and Government Purchase Card purchases under the applicable federal micro-purchase threshold. For direct DoD contracts requiring FedRAMP authorization, contact us before issuing an RFP.

Accreditation & continuity

For the long arc, not just the demo

Accreditation evidence, ready when you need it

Foresight’s analytics are organized around the outcome measures CoAEMSP-accredited programs already report — retention, NREMT first-attempt pass rate, and positive placement — so the numbers for your annual report are a CSV or JSON export away.

Data portability if we cease operations

Your data is your data. In any wind-down or change-of-control scenario, we commit to (1) a 90-day data export window, (2) full CSV and JSON exports of all assessments, responses, and analytics, and (3) advance written notice. These commitments are included in our standard Data Processing Agreement template, executed before onboarding.

Frequently asked

Questions your IT team will ask

Documents & contact

Documents available on request

Email us and we will respond within one business day with whatever your procurement or IT team needs to complete its review.

  • Data Processing Agreement (DPA)
    Standard template; customer paper also accepted
  • Subprocessor list
    Published below; updated within 30 days of any change
  • Published
  • Published
  • Security implementation summary
    Controls, encryption posture, audit log scope — under NDA
  • Certificate of Insurance
    In procurement
  • Accessibility statement
    In preparation

Procurement & compliance docs

compliance@foresight911.com

Acknowledged within one business day.

Report a security concern

security@foresight911.com

Coordinated disclosure appreciated. Status update within five business days.

Foresight is a product of Ibis SaaS Holdings LLC. This document is provided for informational purposes and is not a substitute for the binding Data Processing Agreement. For general inquiries: info@foresight911.com.