Policies

Privacy, security, data processing, and accessibility for Trellis LLC.

Privacy Policy (SOPIPA)

Effective as of [EFFECTIVE_DATE]. This Privacy Policy describes how Trellis LLC ("Trellis", "we", "us") collects, uses, discloses, and safeguards information in connection with our educator observation and evaluation platform (the "Service"). This policy is aligned with California's Student Online Personal Information Protection Act (SOPIPA) for K–12 contexts. If you are a Local Education Agency (LEA), district, or school, this policy should be read together with any Data Processing Agreement (DPA) in place.

Scope and Roles

  • We operate as an "operator" under SOPIPA for LEAs using the Service.
  • We do not build profiles for targeted advertising and do not sell personal information.
  • We provide product functionality to staff users (e.g., evaluators, administrators, teachers). The Service is not directed to students.

Data We Process

We use Supabase for authentication and Postgres (via Prisma) for application storage. The Service may process the following information provided by staff users:

  • Account and school data: user email, name, role, school affiliation.
  • Observation and evaluation content: free-text notes, summaries, recommendations, and structured rubric data.
  • RAG and chat content: conversation messages used to assist staff workflows; embeddings derived from text via OpenAI Embeddings.

Important: We do not intentionally collect student personal information. However, free-text fields (e.g., observation notes) could incidentally include student references if entered by staff. We provide guidance to avoid including student PII in free text.

How We Use Information

  • To provide and improve the Service, including text enhancement and evaluation generation with Anthropic (primary), OpenAI (fallback), and, in some paths, Groq.
  • To support RAG features: we compute embeddings with OpenAI and store them with related text to improve retrieval for staff.
  • For security, troubleshooting, and required service communications.

SOPIPA Commitments

  • No targeted advertising based on information acquired through the Service.
  • No sale of covered information.
  • No building of profiles for purposes other than K–12 school purposes requested by the LEA.
  • Use limitation: we process information solely to provide the Service and as permitted by law or contract.

Third-Party Service Providers

  • Supabase (authentication and managed Postgres).
  • Anthropic (Claude) for AI text generation (primary).
  • OpenAI for AI text generation (fallback) and embeddings for RAG.
  • Groq (OpenAI-compatible) for certain generation paths.

We share information with these providers only to the extent necessary to deliver the Service features. Prompts to AI providers may include free-text content submitted by staff. Generated outputs (e.g., enhanced notes) may be stored in our database.

Security Measures

  • Encryption in transit via TLS for all network communications.
  • At-rest encryption via managed Postgres (per provider defaults).
  • Access control by user role; httpOnly session cookies managed via Supabase SSR.
  • Content Security Policy (CSP) restricting connections to Supabase, Anthropic, OpenAI, and Groq; clickjacking protections and strict referrer policy.
  • Environment-based secret management; least-privilege operational access.

Retention and Deletion

We retain information for the term of the LEA relationship or as required by law. Upon verified request from the LEA, we will delete or return covered information within a commercially reasonable timeframe, subject to legal holds and provider backups.

Deidentified and Aggregated Data

We may use deidentified and aggregated information for service improvement and analytics. We will not attempt to reidentify deidentified data.

Incident Response

We maintain procedures for detecting, investigating, and notifying the LEA of security incidents consistent with applicable law and contractual timelines.

Student and Parent Rights

Requests to access, correct, or delete student information should be initiated through the LEA. We will support the LEA in fulfilling such verified requests.

Changes to This Policy

We may update this policy to reflect changes to the Service or applicable law. We will provide notice of material changes via the Service or to the LEA.

Contact

For privacy inquiries, please contact Trellis LLC at:

Email: [CONTACT_EMAIL]

Address: [CONTACT_ADDRESS]

For DPAs, use the contact information in the agreement.