Compliance & Data Stewardship

Last updated: February 17, 2026

The Inquiry Institute holds learner and student data in trust. This page describes how we think about compliance, which frameworks we aim to align with, and our current practices. It complements our Privacy Policy and Terms of Service.

Purpose

We design our systems and policies so that student and learner data is protected, access is limited to those with a need to know, and we can meet the expectations of families, institutional partners, and applicable laws. We do not sell education records or personally identifiable information. This page discusses our approach to FERPA, SOC 2, and related frameworks.

FERPA

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records and applies to educational agencies and institutions that receive federal funding. The Inquiry Institute does not currently receive federal funds and is not a "covered institution" under FERPA. We nevertheless treat homeschool and course data—including pupil profiles, learning journals, progress, and credentials—as sensitive and operate in a FERPA-aligned manner.

  • We limit access to education-related data to authorized caregivers, the learner, and personnel who need it to operate the service.
  • We do not sell or share education records for marketing or other non-essential purposes.
  • We use access controls and role-based policies (including database-level row security) so that only appropriate parties can view or modify learner data.

SOC 2

We are working toward SOC 2 (Service Organization Control 2) as a trust and security framework. SOC 2 focuses on security, availability, processing integrity, confidentiality, and privacy. We aim to demonstrate these through documented controls and, when completed, a formal audit report.

  • Access control: Authentication, role-based access, and principle of least privilege.
  • Encryption: Data in transit (TLS) and at rest where supported by our infrastructure.
  • Logging and monitoring: Operational and security-relevant events to support incident response and audit.
  • Vendor assessment: We evaluate service providers for privacy and security practices before handling our data.

We do not currently hold a SOC 2 report. When a report is available, we will link to it or describe how to request it from this page.

Other Frameworks

  • COPPA: Where we serve users under 13 (e.g., homeschool pupils), we design for the Children's Online Privacy Protection Act: age gates, parental consent, and minimal collection as described in our Privacy Policy.
  • GDPR: For individuals in the European Economic Area, we respect rights of access, rectification, erasure, and portability where applicable. See our Privacy Policy for data residency and international transfers.
  • State student-privacy laws: We monitor applicable state laws (e.g., student data privacy statutes) and align our practices as we expand offerings.

Current Practices

Today we rely on encryption in transit and at rest, access-controlled accounts, and database policies that restrict access to learner data (e.g., so caregivers see only their linked students). We evaluate infrastructure and third-party partners for privacy and security before onboarding. Detailed data practices are in our Privacy Policy and participation terms in our Terms of Service.

Contact

Questions about compliance, data stewardship, or requests related to learner data can be sent to privacy@inquiry.institute. We will respond to legitimate requests in line with our policies and applicable law.