Built for university DPT programs from day one. Here is how we protect your students' records and what that means for your institution.
This page is currently under legal review. Final published date: TBD.
We act as a "school official" under FERPA when we process student records on behalf of your DPT program. Your institution remains the data controller. We operate under your direction and use student data solely to deliver the curriculum services you have contracted for.
This means we are bound by the same obligations as your own faculty and staff when handling education records. We do not sell, share, or use student data for any purpose outside of providing the platform to your program.
We store only the minimum information required to run the curriculum:
We do not store Social Security numbers, dates of birth, health or medical records, financial records, or any other sensitive identifiers beyond what is listed above.
The following vendors process data on our behalf. All are US-based or restrict student data to US infrastructure unless otherwise noted.
| Subprocessor | Purpose | Region | Stores Student Data |
|---|---|---|---|
| Vercel | Application hosting and CDN | US | Yes (transit + cache) |
| Turso | Primary database | US | Yes (encrypted at rest) |
| Resend | Transactional email delivery | US | Email address + name only |
| Cloudflare | DNS and CDN | Global | No |
| Anthropic | AI features (career prep module only) | US | No student PII |
| Stripe | Payment processing | US | No student data |
We commit to notifying your institution's primary contact within 72 hours of confirming any breach involving student data. This SLA matches the GDPR standard and the expectation of university procurement and IT security offices.
Notification will include: nature of the incident, categories of data affected, estimated number of student records involved, steps taken to contain the breach, and recommended actions for your institution.
On contract termination, all student records are deleted from production systems within 30 days of your written request. Database backups containing student data age out within 90 days of creation.
We do not retain student data beyond the minimum required to fulfill our contractual obligations and comply with applicable law.
Your institution may request an audit of our data handling practices once per contract year with 30 days' notice. Audits may be conducted via questionnaire, documentation review, or third-party assessment at your election and your cost.
For FERPA inquiries, data processing agreements, or student record deletion requests, contact our privacy team at privacy@thehomehealthpro.com.
Last updated: April 7, 2026