Pinnova is the only K-12 transportation platform where FERPA isolation is enforced at the database query layer, not by promise. TDE-at-rest, audit trail on every PII read, brute-force-blocked parent lookups. Your IT director and counsel can read the implementation in 15 minutes.
Most K-12 transportation tools answer "are you FERPA compliant?" with a brochure. We answer it with code paths.
DigitalOcean Managed Postgres in US East (NYC) with TDE on disk (AES-256, DO-managed keys) and TLS 1.2+ on every client connection. Daily automated backups with 7-day retention.
Every FERPA record carries a district_id FK. Every API endpoint filters by the caller's district. A caller in district A literally cannot read records from district B — verified by automated tests on every deploy.
Every parent lookup, driver manifest open, and student-record access writes a row to ferpa_audit_logs: who, what, when, from where. Retained 7 years separately from operational data — survives subscription cancellation.
Parent lookup requires student ID + DOB. Rate limit: 5/min per IP and 20/hour per (student, district). Both successful and failed attempts count. Every limit-trip is logged so admins can spot scrapers in real time.
The application logger redacts emails, phones, addresses, DOBs, and student IDs before anything is emitted. Operational logs keep request paths, status codes, and timing — never raw PII. Defense-in-depth on top of the audit table.
Admin / Dispatcher / Route Manager / Driver / Viewer — each has a tight scope. Drivers see only their own route manifest, not district-wide. Pinnova superadmin access is gated by a shared secret and every call is logged.
What your IT auditor will ask, and where in the implementation it lives.
| FERPA / privacy control | Implementation |
|---|---|
| Encryption at rest | DigitalOcean Managed Postgres TDE; AES-256, DO-managed KMS |
| Encryption in transit | TLS 1.2+ enforced on all client + intra-cluster connections |
| Per-tenant data isolation | district_id FK on every PII table; query-layer enforcement; integration test verifies zero cross-read across two seeded districts |
| Access logging (FERPA §99.32 record of access) | ferpa_audit_logs table — row per read, includes user, subject, action, IP, route, timestamp |
| Brute-force resistance | Sliding-window rate limit on parent lookup: 5/min/IP, 20/hr/student-district pair; 429 + audit log entry on trip |
| PII never in logs | Logging filter redacts emails / phones / DOBs / student IDs / addresses / names; keeps district_id + req_id for ops |
| Role-based access control | Admin / Dispatcher / Driver / Route Manager / Viewer — least-privilege per role; drivers see own route only |
| Retention after cancellation | 30 days for operational data, 7 years for FERPA audit trail (separate retention class) |
| Sub-processor disclosure | DigitalOcean (hosting + DB), Stripe (billing), Resend (transactional email), Mapbox/OSRM (map tiles only — no PII transmitted) |
| Breach notification | Documented privacy@pinnovatms.com + security@pinnovatms.com endpoints; commit to district notification within 72 hours of detection |
"Most vendors hand us a privacy policy that doesn't match what their software actually does. Pinnova hands us a policy and tells us which lines of code enforce each clause. That's the bar."
One page. Send it to your IT team and counsel. No signup.