For administrators and IT teams
If a director at your school wants to use Downbeat, here's everything your district needs to know — data practices, sub-processors, security, and how to get a signed DPA.
FERPA compliance
When your district signs a Data Privacy Agreement with Downbeat, we act as a school official under FERPA — performing a service the school would otherwise handle internally. Your data remains yours. We never use it for anything except running the app for your program.
This isn't just policy language. It's how the app is actually built — no advertising, no analytics sold to third parties, no profiling of students.
Read our full Privacy Policy →
Student data used only to deliver the service
Records entered by your director are used to run their program. Nothing else.
Your district owns its data
Cancel anytime and leave with a full export of everything. No lock-in.
No advertising. No selling data. Ever.
Downbeat does not sell or share student records with third parties.
Data deleted 30 days after cancellation
After your export window, all records are permanently deleted.
72-hour breach notification
We notify your district within 72 hours of any confirmed data incident.
Sub-processors
Every company that touches your data is listed here. No surprises, no hidden vendors.
| Company | What they do | Data processed | Location |
|---|---|---|---|
| Supabase, Inc. | Primary database, file storage, and authentication | All student and program records | United States (AWS us-east-1) |
| Vercel, Inc. | Application hosting and delivery | Request logs (IP, path) — no student records | United States |
| Stripe, Inc. | Subscription billing | Billing contact info only — no student records | United States |
| Resend, Inc. | Transactional email | Email address and message content | United States |
We will notify you before adding any sub-processor that processes student data.
The DPA process
Our Data Privacy Agreement is based on the NDPA v2.2 from the Student Data Privacy Consortium. Getting it signed takes less than a week.
Step 01
Director sends you the link
The director enters your email in their Downbeat account. You receive a direct link to the pre-filled DPA — no hunting for documents.
Step 02
You review and sign
Read the document, add your title, and sign electronically. It takes about five minutes. The DPA is based on the NDPA v2.2 which your district may already recognize.
Step 03
Both parties get a copy
You and the director each receive a signed copy by email immediately. Your district's records are complete.
Security
AES-256 encryption at rest
All data encrypted via Supabase on AWS infrastructure, the same platform used by Fortune 500 companies.
TLS encryption in transit
All connections are encrypted end-to-end. Data is never transmitted in plaintext.
Row-level security
Multi-tenant isolation enforced at the database layer. One organization's data cannot be accessed by another.
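What "isolation enforced at the database layer" looks like in practice, as an added illustration rather than Downbeat's own schema: Supabase runs on PostgreSQL, whose row-level security (RLS) policies filter every query by the calling user's identity. The tables (`organizations`, `memberships`, `students`), the `is_member_of` helper and the role names are assumptions constructed for this example; `auth.uid()` is Supabase's helper that returns the signed-in user's id from the request's JWT. The commented-out `USING (true)` policy shows the weak pattern that makes RLS ineffective; the policies below it tie each row to the caller's organization membership.

```sql
-- Constructed example, not Downbeat's schema. Assumes a tenant column
-- (organization_id) on every student-data table and a memberships table
-- that maps user ids to organizations.

create table if not exists organizations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table if not exists memberships (
  user_id         uuid not null,                              -- auth.users id
  organization_id uuid not null references organizations(id) on delete cascade,
  role            text not null check (role in ('director', 'staff')),
  primary key (user_id, organization_id)
);

create table if not exists students (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null references organizations(id) on delete cascade,
  full_name       text not null,
  grade           smallint
);

-- Helper: is the calling user a member of the given organization?
-- auth.uid() is null for anonymous callers, so the check fails closed.
-- SECURITY DEFINER lets the helper read memberships regardless of the
-- caller's own RLS visibility; search_path is pinned so the lookup cannot
-- be redirected to a different schema.
create or replace function is_member_of(org uuid)
returns boolean
language sql
stable
security definer
set search_path = public
as $$
  select exists (
    select 1
    from memberships m
    where m.user_id = auth.uid()
      and m.organization_id = org
  );
$$;

-- Enable RLS and force it even for the table owner, so no code path
-- reaches the rows without a policy being evaluated.
alter table students    enable row level security;
alter table students    force  row level security;
alter table memberships enable row level security;

-- WEAK (do not use): a permissive policy that returns every row to any
-- authenticated user, which is the same as having no tenant isolation.
-- create policy students_read_all on students for select using (true);

-- CORRECT: each statement type is filtered by organization membership.
create policy students_select on students
  for select using (is_member_of(organization_id));

create policy students_insert on students
  for insert with check (is_member_of(organization_id));

-- USING filters which rows may be updated; WITH CHECK stops a member from
-- re-assigning a row to an organization they do not belong to.
create policy students_update on students
  for update using (is_member_of(organization_id))
  with check (is_member_of(organization_id));

create policy students_delete on students
  for delete using (is_member_of(organization_id));

-- Users may only see their own membership rows.
create policy memberships_select on memberships
  for select using (user_id = auth.uid());
```

A quick check after deploying such policies is to run the same `select * from students` as two users in different organizations and confirm each sees only its own rows and an anonymous caller sees none; with no policy on a table that has RLS enabled, PostgreSQL returns zero rows, which is the safe default.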
SOC 2 Type II infrastructure
Supabase, our primary data processor, is SOC 2 Type II certified and undergoes regular third-party audits.
Role-based access controls
Access within the app is limited to authorized personnel based on their role.
NIST Cybersecurity Framework alignment
Downbeat's security program is aligned with the NIST CSF core functions: Identify, Protect, Detect, Respond, and Recover. An internal security review is conducted annually against this framework.
Annual security review
We conduct a security audit or assessment no less than once per year. Upon written request with 10 days' notice, we will provide a summary of the audit report to any LEA that has executed a DPA with us.
Contact us about security →
Questions that aren't answered here? Email mason@downbeatapp.com directly. I reply the same day.