Sleep well. You are on solid ground.

You're probably here because a vendor has burned you before — a missing BAA, a redacted SOC 2, a sub-processor change you found out about from a news headline. We've built this page so that doesn't happen with us.

System status.

Production telemetry and historical uptime are published continuously at our status page. The compliance program itself is managed through Scrut, our GRC platform — every control, every audit, every piece of evidence lives there and is independently verifiable.

Uptime · 90 days: 100.00% (No reportable downtime)
Current state: Operational (All services nominal)
Compliance platform: Scrut (Continuously monitored)
Last verified: Sep 2025 (Pen test · independent third party)

The Trust Vault.

Most trust pages are static. Ours is connected directly to Scrut, the GRC platform that runs our compliance program. Every control, every piece of evidence, and every audit artifact you'd want to verify is verifiable in real time, not on a quarterly refresh.

Powered by Scrut Trust Vault

Don't take our word. Take the receipts.

Live · synced continuously
Open Trust Vault → No login required for public controls

Behind every trust claim is an actual control with a status, an owner, an evidence file, and a last-tested date. The Trust Vault publishes that machine state directly — sourced from Scrut, the platform we use to run our compliance program day to day.

Procurement teams can verify the status of any framework, request access to evidence under NDA, and subscribe to alerts on changes. Your security team won't need to email us. The receipts are right there.

What's verifiable, live

Control framework status: ✓ Live
Evidence files & audit artifacts: ✓ Live
Sub-processor list: ✓ Live
Policy library: ✓ Live
Document request workflow: ✓ Live
Risk & remediation status: ✓ Live

Frameworks & certifications.

Pencil Spaces is audited or certified against eight regulatory and industry frameworks: FERPA, COPPA, SOC 2 Type II, GDPR, HIPAA, CCPA, ISO 27001, and SDPC NDPA. Each row below maps to a specific federal regulation, attestation, or industry standard. Reports are available on request, generally under mutual NDA.

| Framework | Scope | Authority | Status |
|---|---|---|---|
| FERPA | We operate as a school official under the school-official exception. No advertising and no student profiling under any condition. | 20 U.S.C. § 1232g | Active |
| COPPA | Verifiable parental consent flows. No third-party tracking on accounts identified as belonging to a minor. K-12 safe by default. | 16 CFR Part 312 | Active |
| SOC 2 | Type II report covering Trust Services Criteria, attested annually by an independent CPA firm. Available under mutual NDA on completion. | AICPA TSP 100 | Type II in attestation |
| GDPR | EU data residency available on request. Pre-signed Data Processing Agreement with current Standard Contractual Clauses. | Reg. (EU) 2016/679 | Active |
| HIPAA | Business Associate Agreement available on request. Protected Health Information encrypted at rest and in transit. Audit logs retained six years. | 45 CFR §§ 160, 162, 164 | BAA available |
| CCPA | All California consumer rights honored end-to-end. Verified-request portal staffed within five business days. | Cal. Civ. § 1798.100 | Active |
| ISO 27001 | Information Security Management System aligned to ISO 27001 controls; surveillance work in progress with our certification body. | ISO/IEC 27001:2022 | In progress |
| SDPC | Signatory to the National Data Privacy Agreement (NDPA) through the Student Data Privacy Consortium. Active in multiple state alliances. | NDPA v1.0 | Signatory |

Common questions, direct answers.

Procurement, IT, and parents tend to arrive with the same questions. The answers are below — short, sourced, and quotable. For anything not covered, the Trust team responds at trust@pencilspaces.com.

Is Pencil Spaces FERPA compliant?

Is Pencil Spaces COPPA compliant?

Does Pencil Spaces have a SOC 2 report?

Is Pencil Spaces GDPR compliant?

Does Pencil Spaces sign a HIPAA Business Associate Agreement?

Is Pencil Spaces CCPA compliant?

Is Pencil Spaces ISO 27001 certified?

Is Pencil Spaces a signatory to the National Data Privacy Agreement?

Where is Pencil Spaces customer data stored?

Does Pencil Spaces use student data to train AI models?

What sub-processors does Pencil Spaces use?

What happens to my data when our contract ends?

Has Pencil Spaces had a data breach?

How do I get access to the SOC 2 report?

Who is responsible for compliance and security at Pencil Spaces?

How do I report a security vulnerability?

Vulnerability reporting.

If you have found a vulnerability, write to security@pencilspaces.com. We acknowledge new reports within one business day, triage within five, and treat coordinated disclosure as a partnership — not a legal threat. Researchers acting in good faith have our full safe-harbor commitment.

Need something specific?

Self-serve through the Trust Vault, or write to a real human.