You're probably here because a vendor has burned you before — a missing BAA, a redacted SOC 2, a sub-processor change you found out about from a news headline. We've built this page so that doesn't happen with us.
Operations
Production telemetry and historical uptime are published continuously at our status page. The compliance program itself is managed through Scrut, our GRC platform — every control, every audit, every piece of evidence lives there and is independently verifiable.
Live verification
Most trust pages are static. Ours is connected directly to Scrut, the GRC platform that runs our compliance program. Every control, every piece of evidence, and every audit artifact you'd want to verify is verifiable in real time, not on a quarterly refresh.
Powered by Scrut Trust Vault
Behind every trust claim is an actual control with a status, an owner, an evidence file, and a last-tested date. The Trust Vault publishes that machine state directly — sourced from Scrut, the platform we use to run our compliance program day to day.
Procurement teams can verify the status of any framework, request access to evidence under NDA, and subscribe to alerts on changes. Your security team won't need to email us. The receipts are right there.
What's verifiable, live
Compliance
Pencil Spaces is audited or certified against eight regulatory and industry frameworks: FERPA, COPPA, SOC 2 Type II, GDPR, HIPAA, CCPA, ISO 27001, and SDPC NDPA. Each row below maps to a specific federal regulation, attestation, or industry standard. Reports are available on request, generally under mutual NDA.
For procurement teams
One request, one signed NDA, one bundle. The complete package your security and procurement teams need to evaluate Pencil Spaces — sent within one business day, refreshed quarterly.
CAP · v2026.05
Most vendors make you email six different addresses to assemble a security review packet. We bundle the documents you'd otherwise spend a week chasing into a single mutual-NDA delivery. If your team's questionnaire asks for it, it's in the pack.
Request the package →
What's inside
Contracts
Standard contracts your legal team would otherwise spend six weeks drafting — BAA, DPA, NDPA, SOC 2 report, Certificate of Insurance, Security Controls Summary — pre-signed and ready. Most can be returned countersigned within one business day.
For HIPAA-covered entities handling Protected Health Information. We pre-sign on receipt of your countersignature.
GDPR-compliant DPA with current Standard Contractual Clauses for EU and UK transfers. Auto-incorporated into the MSA on request.
The Student Data Privacy Consortium's standard K-12 NDPA. We are a signatory in thirty-two state alliances; check by your state.
The most recent report (March 2026), shared under mutual NDA. A bridge letter is available between annual reports.
Cyber liability, errors and omissions, and commercial general liability. Districts named as additional insured on request.
A standardized control mapping (CAIQ-Lite plus Trust Services Criteria) that drops cleanly into most vendor-questionnaire processes.
Infrastructure
Pencil Spaces runs on a multi-cloud, multi-region production footprint. The summary below describes the controls; the SOC 2 report describes how they are tested.
Production workloads run primarily on Amazon Web Services across us-east-1, us-west-2, and eu-central-1, with active-passive failover into Google Cloud Platform for critical paths. EU customer data is pinned to eu-central-1 on request and never replicated outside the region. Customers on the Enterprise tier may request a single-region or single-cloud deployment.
All customer data is encrypted at rest using AES-256-GCM. All traffic is encrypted in transit using TLS 1.3; older versions are explicitly disabled at the load balancer. Cryptographic operations are performed in FIPS 140-2 validated modules. Customer-managed encryption keys (CMEK) are available on the Enterprise tier.
Single sign-on is supported via SAML 2.0 for Enterprise customers. User provisioning and deprovisioning are supported via SCIM. Multi-factor authentication is required for all administrative accounts internally; customers may enforce MFA for all of their users from the admin console. All administrative actions are logged and forwarded to a central SIEM with one-year retention.
Production runs active in two regions with hot replicas. Recovery time objective on regional failure is under sixty seconds; recovery point objective is under five minutes. Disaster recovery is tested monthly against a runbook published internally and reviewed quarterly. Customers may request a copy of the latest DR test summary under NDA.
Application performance and logs flow into Datadog. Alerts page a 24/7 on-call rotation through PagerDuty. Errors flow through Sentry. Customer-facing system health is published at status.pencilspaces.com with no manual editing — the page reflects production telemetry directly.
The application and infrastructure are tested annually by an independent third-party security firm. The most recent report is dated February 2026; an executive summary is available under NDA. Findings, including those rated low and informational, are tracked to closure with a published remediation timeline.
Data lifecycle
The most important questions a privacy-conscious district counsel can ask are not about what we do, but about what happens to data over time. The five stages below describe the full journey, from collection to deletion.
Only what's required for the service to function. Minimization is the default; no data category is collected without a documented purpose.
AES-256-GCM at rest, TLS 1.3 in transit, the moment data leaves the client. Keys are managed in FIPS 140-2 modules.
Region-pinned by customer choice. Access is role-based, audit-logged, and reviewed quarterly. No bulk data ever leaves your tenant.
Per the schedule below. Retention is enforced automatically; expired data is purged in nightly jobs with verification logs.
On termination or request. Cryptographic erasure where supported; verified deletion certificates available within 30 days.
Three paths, your choice. Each is defined contractually in the MSA and executed within 30 days of termination unless otherwise specified.
For data subject access, deletion, or portability requests under GDPR, CCPA, or comparable laws, write to privacy@pencilspaces.com. Verified requests are processed within 30 days.
Supply chain
Every third party that processes customer data on our behalf, what they do, where they do it, and what data class they touch. Updated quarterly. Customers receive thirty days' notice before any new sub-processor is added.
To subscribe to sub-processor change notifications, email trust@pencilspaces.com.
AI systems & automation
Procurement teams in 2026 are right to ask this question. We answer it directly: no AI system, internal or external, is in the path of customer session data.
No customer data trains any AI model. We do not feed your students' video, audio, whiteboard, or chat content into any AI model — ours or any third-party model. We do not use customer data to train, fine-tune, or evaluate AI of any kind. This is contractual and survives termination.
No third-party AI agents are embedded in the customer experience without explicit opt-in. Where AI features exist, they are clearly labeled, configurable at the account level, and disabled by default for K-12 customers.
The full inventory is published. A complete list of any AI systems with access to production — including scope, controls, and audit-log paths — is included in the Customer Assurance Package and reviewed during our SOC 2 audit cycle. Material changes are published in the compliance changelog with thirty days' notice.
Operational history
When something breaks in production, we publish a full post-mortem within five business days. Root cause, customer impact, remediation, and what we changed to prevent recurrence. No exceptions, no marketing edits.
No reportable incidents to date. When one occurs, the post-mortem will be published here within five business days. Root cause, customer impact, remediation, and what we changed. We won't hide it.
Operational ledger
Every audit, every certification renewal, every sub-processor change, every meaningful operational event. We publish them all, in one chronological feed.
Audit fieldwork complete. Representation letter and final report under review by our external CPA firm. Available under mutual NDA upon attestation.
Password complexity requirements rolled out across our internal authentication system. Users with weak passwords required to update on next sign-in. Maps to SOC 2 CC6.6 (logical access controls).
Migrated all internal communication channels to private-by-default with role-based access. Provides verifiable audit-trail evidence that only personnel with legitimate need-to-know access have visibility into specific information classes. Maps to SOC 2 CC6.1.
External GDPR audit findings — including DPO designation documentation and consent-flow remediation on signup — were closed in collaboration with our compliance partner.
Internal audit findings reviewed and closed. Opening and closing meetings documented. Surveillance audit work continues with our certification body.
Independent internal audit conducted across our control framework. All identified findings tracked to closure within Scrut, our GRC platform.
Third-party penetration test report completed and uploaded to our control-evidence vault. Executive summary available under NDA.
Scrut platform actively monitoring control posture across SOC 2, ISO 27001, GDPR, HIPAA, and CCPA framework requirements.
Showing the most recent operational events. Full audit history and live control state are available via Trust Vault.
Commitments
Most trust pages list what a vendor will do. The harder list — and the more useful one — is what a vendor commits not to. These commitments are contractual.
We do not and will not hide an incident. Every reportable production incident gets a public post-mortem within five business days — with root cause, customer impact, and what we changed. No marketing edits.
We do not and will not use customer data to train AI models. Not ours, not anyone else's. This is written into our DPA and survives termination.
We do not and will not sell, share, or monetize student data. Ever, under any condition. There is no advertising layer, no data brokerage, no analytics partnership that touches student records.
We do not and will not change sub-processors silently. You get thirty days' notice before any new vendor touches your data. The full sub-processor list is published and refreshed quarterly.
We do not and will not delay a deletion. When you terminate, your data is cryptographically erased within 30 days. A signed deletion certificate follows. Backups age out within an additional 60.
We do not and will not bury bad news in a footer. If something material changes — a sub-processor we removed under pressure, a finding we couldn't close, a customer we lost over compliance — it goes in the changelog where everyone can see it.
Accountability
When something goes wrong — a question, a concern, a vulnerability, an outage — these are the people who pick up.
Swati owns Pencil Spaces' compliance, security, and operational posture. Privacy reviews, audit response, customer security questionnaires, and vendor risk assessments all route through her.
swati.khandelwal@pencilspaces.com
Amogh owns the engineering systems behind every trust claim on this page — production access, encryption, infrastructure controls, and the technical evidence that backs every audit.
amogh.asgekar@pencilspaces.com
For board-level escalations, category-defining concerns, or anything that needs to bypass the standard intake. He responds to direct email personally.
ayush.agrawal@pencilspaces.com
For general security inquiries, write to security@pencilspaces.com. For legal or contractual matters, write to legal@pencilspaces.com.
Frequently asked
Procurement, IT, and parents tend to arrive with the same questions. The answers are below — short, sourced, and quotable. For anything not covered, the Trust team responds at trust@pencilspaces.com.
Yes. Pencil Spaces operates as a school official under the FERPA school-official exception (20 U.S.C. § 1232g). We do not run advertising, we do not profile students, and we do not use student data to train any model. Districts can review the full FERPA control mapping in our Customer Assurance Package.
Yes. Pencil Spaces is COPPA compliant under 16 CFR Part 312. We support verifiable parental consent flows, do not allow third-party tracking on accounts identified as belonging to a minor, and operate K-12 safe by default.
Yes. Pencil Spaces is currently in SOC 2 Type II attestation against the AICPA Trust Services Criteria. The current report is available under mutual NDA on completion. A bridge letter is available between annual reports. Request access at trust@pencilspaces.com — most requests are fulfilled within one business day.
Yes. Pencil Spaces is GDPR compliant under Reg. (EU) 2016/679. EU data residency is available on request. We provide a pre-signed Data Processing Agreement with current Standard Contractual Clauses, and right-to-erasure requests are honored within 30 days.
Yes. Pencil Spaces will sign a Business Associate Agreement under 45 CFR §§ 160, 162, 164. Protected Health Information is encrypted at rest using AES-256 and in transit using TLS 1.3. Audit logs are retained for six years per § 164.530(j). Request the BAA at trust@pencilspaces.com.
Yes. Pencil Spaces honors all California consumer rights under Cal. Civ. § 1798.100 end-to-end. Verified-request portal is staffed within five business days. For data subject requests under CCPA, write to privacy@pencilspaces.com.
Pencil Spaces' Information Security Management System is aligned to ISO/IEC 27001:2022 controls, with surveillance work in progress through our certification body. Status updates are published in the compliance changelog.
Yes. Pencil Spaces is a signatory to the SDPC National Data Privacy Agreement (NDPA v1.0) and is active in multiple state alliances. Standard-form district contracts are available — request the NDPA for your state at trust@pencilspaces.com.
Customer data is stored on multi-region cloud infrastructure pinned to the customer's chosen region. EU customers can request residency in EU data centers. All data is encrypted at rest using AES-256 and in transit using TLS 1.3. See Infrastructure for full detail.
No. Pencil Spaces does not use customer or student session content (video, audio, whiteboard, chat) to train any AI model — ours or any third-party model. No third-party AI agents are embedded in the customer experience without explicit opt-in. See our full AI Systems & Automation disclosure.
The full sub-processor list is published at trust.pencilspaces.com/#subprocessors and updated quarterly. Customers receive 30 days' notice before any new sub-processor is added. To subscribe to change notifications, email trust@pencilspaces.com.
Customers can choose Return, Delete, or Archive at termination. Data export is delivered within 14 days via signed S3 link. Cryptographic erasure is completed within 30 days. A signed deletion certificate is issued by our Head of Trust. Backups age out within an additional 60 days. Full detail at Data Lifecycle.
Pencil Spaces has had no reportable customer data breaches to date. When a production incident occurs, a full post-mortem is published in the incidents section within five business days, with root cause, customer impact, and remediation.
Email trust@pencilspaces.com with your organization name. We will return a mutual NDA via DocuSign and the SOC 2 report — typically within one business day. The report is also bundled into our Customer Assurance Package with all related artifacts.
Swati Khandelwal, Chief Operating Officer and Head of Trust, owns Pencil Spaces' compliance, security, and operational posture. Privacy reviews, audit response, customer security questionnaires, and vendor risk assessments all route through her. Direct contact: swati.khandelwal@pencilspaces.com. See the People section for full accountability.
Submit reports to security@pencilspaces.com. We acknowledge new reports within one business day, triage within five, and treat coordinated disclosure as a partnership. Researchers acting in good faith are protected from legal action. See full vulnerability disclosure policy.
Coordinated disclosure
If you have found a vulnerability, write to security@pencilspaces.com. We acknowledge new reports within one business day, triage within five, and treat coordinated disclosure as a partnership — not a legal threat. Researchers acting in good faith have our full safe-harbor commitment.
Self-serve through the Trust Vault, or write to a real human.