Who We Are
EdCertly is a certification tracking and workforce analytics platform for K-12 charter schools and CMOs, built and operated by A12 Labs LLC, a Delaware limited liability company authorized to do business in New York.
Under FERPA, EdCertly operates as a "school official" of any School Partner that authorizes us to process education records. Under NY Education Law §2-d, EdCertly is a "third-party contractor." In all cases, we are bound by the same data privacy obligations that apply to the schools we serve.
Data Ownership and Our Role
2.1Schools and CMOs Own Their Data
EdCertly does not own — and does not claim ownership of — any data uploaded to or processed through the Platform by a School Partner or by any individual acting on behalf of a School Partner. This includes teacher names, certification status, expiration dates, uploaded documents, performance data, and any reports or analytics derived from that data.
All such data remains the sole property of the School Partner. CMOs that upload data on behalf of their affiliated schools own that data on those schools' behalf, consistent with their internal arrangements. Each School Partner is at all times the data controller — the party that determines what data is processed, why it is processed, and with whom it may be shared.
2.2EdCertly Is a Data Processor
EdCertly serves only as a data processor. We process School Partner data only on the instructions of the School Partner and only as necessary to deliver the contracted services. We do not exercise independent judgment over what data should be processed or shared, except as needed to maintain the security, integrity, and operation of the Platform.
2.3We Do Not Pull Data from State Certification Systems
EdCertly does not independently access, query, or extract data from any state teacher certification system — including the New York State Education Department's TEACH system or any equivalent system in other states. All certification data within the Platform comes from one of three authorized sources: (a) the School Partner uploading the data; (b) the individual teacher entering it through the Teacher Portal; or (c) an integration the School Partner has explicitly authorized in writing and that operates under the School Partner's credentials and consent.
2.4Schools Manage Their Own Data
EdCertly provides the tools — but the School Partner is responsible for what the data contains, who can access it, when it is updated, and how it is used. Specifically, each School Partner is responsible for:
- Determining what data is uploaded
- Verifying data accuracy and currency
- Managing user access and permissions for their staff and teachers
- Deciding when and how data is shared with their HRIS or other systems
- Responding to record access, correction, or deletion requests from teachers or other individuals
- Ensuring their use of the Platform complies with applicable law
What Data We Process
3.1School Administrator and HR Staff Data
When an institution registers, we collect information about the authorized administrator:
- Name, job title, and contact information
- School or organization name and address
- Login credentials (passwords stored in hashed, non-reversible form)
- Subscription and billing information (processed through a PCI-compliant third-party processor; we do not store full payment card details)
- Platform usage data (login timestamps, features accessed)
3.2Teacher Data
Teacher data processed on the Platform may include:
- Name, employee ID, contact information, and date of hire
- Certification type, status, and expiration dates
- Pathway progress and gap analysis data
- Documents uploaded for certification (transcripts, scores, verification forms)
- Subject area, grade level, and assignment information as provided by the school
- Performance review data, to the extent provided by the school and required by NY Ed Law §2-d
3.3Student Data
EdCertly is primarily a teacher workforce platform. We do not directly collect, solicit, or process student data as part of our core service. To the extent any student PII is incidentally included in documents uploaded by a School Partner, we treat it under the protections of FERPA and Ed Law §2-d, and notify the School Partner immediately.
3.4Technical Data
- IP address and general location (not street-level)
- Browser type, operating system, device type
- Pages visited and navigation paths
- Error logs and performance data
How We Use Data
| Purpose | Description |
|---|---|
| Service Delivery | Processing and displaying certification data, generating pathways, producing analytics, document workflows, and authorized HRIS integrations. |
| Account Management | Creating and managing user accounts, billing, subscription management. |
| Notifications | Automated certification renewal alerts, compliance notifications, service updates. |
| Support | Investigating and resolving technical issues, responding to support requests. |
| Security | Maintaining platform security, preventing unauthorized access, fraud prevention. |
| Legal Compliance | Complying with applicable law and lawful legal process. |
| Platform Improvement | Using only aggregated, irreversibly de-identified data — no PII is used. |
Data Security
EdCertly implements a comprehensive security program consistent with the NIST Cybersecurity Framework and NY Ed Law §2-d Part 121:
| Layer | Controls |
|---|---|
| Encryption | AES-256 at rest; TLS 1.3 in transit. Credentials hashed with industry-standard algorithms. |
| Access Control | Role-based access; multi-factor authentication for admin accounts; least-privilege principle. |
| Infrastructure | SOC 2-compliant cloud hosting; regular vulnerability scanning and penetration testing. |
| Monitoring | Continuous monitoring; anomaly detection; 72-hour breach notification capability. |
| Personnel | Mandatory privacy and security training; background checks for staff with data access. |
| Vendor Management | All subcontractors security-assessed before data access. |
Data Retention and Deletion
Because School Partners own their data, retention is determined primarily by the School Partner's instructions and the duration of their subscription:
- Active subscription data is retained for the duration of the subscription, plus thirty (30) days following termination to allow for export
- After thirty (30) days, all data is securely deleted or destroyed using industry-standard methods
- Technical logs (de-identified) may be retained up to twelve (12) months for security purposes
- Billing records may be retained up to seven (7) years for financial and tax compliance
School Partners may request deletion at any time at datarequests@edcertly.com. Requests are processed within thirty (30) days. Written confirmation is provided on request, consistent with NY Ed Law §2-d.
Your Rights
9.1School Partner Rights
- Access — request a copy of data we hold about your school
- Correction — request correction of inaccurate information
- Deletion — request deletion subject to legal retention requirements
- Portability — export your data in a standard format anytime during your subscription
- Restriction — request limitation of processing in certain circumstances
9.2Individual Teacher Rights
Teachers may access and export their own certification records through the Teacher Portal. Requests regarding data held under a School Partner's account should first be directed to the School Partner, as the School Partner is the data controller. EdCertly will cooperate in responding.
9.3FERPA Rights
Parents and eligible students retain all rights under FERPA. The School Partner is responsible for fulfilling FERPA rights requests; EdCertly will cooperate.
COPPA
EdCertly is designed for adult users (school administrators and teachers) and does not knowingly collect personal information directly from children under 13. The Teacher Portal is intended for adult teachers. To the extent EdCertly processes any student data on behalf of a School Partner, the School Partner serves as the operator under applicable K-12 COPPA exceptions, with EdCertly acting as the school's agent.
State-Specific Provisions
11.1New York (Primary Jurisdiction)
EdCertly fully complies with NY Education Law §2-d and 8 NYCRR Part 121. School Partners receive the full protections of Ed Law §2-d, including the Parents' Bill of Rights, breach notification within seven calendar days, and the prohibition on selling protected data.
11.2Expansion States
As EdCertly expands to other states, our New York-level protections serve as the baseline. Additional state-specific provisions will be added as required by the laws of each state we operate in.
Changes to This Policy
EdCertly will notify School Partners of material changes at least thirty (30) days before they take effect, via email and in-Platform notification. The current Policy is at edcertly.com/privacy.
Contact
| Purpose | Contact |
|---|---|
| Privacy questions | privacy@edcertly.com |
| Data access / deletion | datarequests@edcertly.com |
| Security incidents | security@edcertly.com (24-hour response) |
| Legal | legal@edcertly.com |
A12 Labs LLC (d/b/a EdCertly) — Delaware · Authorized in New York. edcertly.com
These documents were prepared specifically for EdCertly (a product of A12 Labs LLC) based on FERPA, COPPA, NY Education Law §2-d, Part 121, and industry best practices for K-12 EdTech vendors as of 2026. They do not constitute legal advice. EdCertly strongly recommends review by qualified legal counsel licensed in the applicable jurisdiction before publication.
