Plio Academy
Compliance Matrix
Effective: May 2026 · Full documentation: plio.academy/trust/compliance
This matrix is designed for district IT officers, procurement teams, and district counsel. It summarises Plio Academy's compliance position across federal and state student-privacy laws. It is not a substitute for a signed Data Processing Agreement. Contact compliance@plio.academy to request a DPA or state-specific addendum.
Federal Laws & Programs
| Law / Program | Key Requirement | Status | Notes |
|---|---|---|---|
| FERPA | School official status, no sale of education records, RBAC, audit logs. | Compliant | DPA available. Role-based access enforced at DB layer. Privileged access fully audit-logged. |
| COPPA | Operator status. Verifiable parental consent for under-13. No behavioral tracking. | Compliant | Guardian account creation = verifiable consent. School consent exception supported. No ad trackers. |
| CIPA | Schools must deploy internet content filter as E-Rate condition. | N/A | Plio is not a content filter. Allowlist plio.academy in your existing filter. No unfiltered internet exposure. |
| E-Rate Cat. 1 | Telecom / connectivity services. | Not Applicable | Plio is a cloud-hosted educational app, not a telecom. Category 1 ineligible by design. |
| E-Rate Cat. 2 | Internal connections, managed Wi-Fi, qualifying managed services. | Potentially Eligible | May qualify under certain district procurement structures. Consult your E-Rate coordinator. |
State Student Privacy Laws
| State | Law | Key Requirement | Status | Notes |
|---|---|---|---|---|
| IL | SOPPA (105 ILCS 85) | Operators must sign a Data Privacy Agreement, prohibit behavioral advertising, and delete data on request. | Compliant | DPAs signed on request. No behavioral advertising on student-facing pages. Data deleted within 30 days. |
| CA | AB 1584 (Ed. Code §49073.1) | Data ownership stays with district/student. Sale of student data prohibited. Data deletion required. | Compliant | Student data owned by student/guardian. No data sales. DPA clauses available for district contracts. |
| NY | Education Law 2-d | Contractors must sign Parents' Bill of Rights appendix, restrict data use to contracted purposes, report breaches within 7 days. | Compliant | Parents' Bill of Rights appendix available. Breach notification within 72 hours (exceeds 7-day requirement). |
| TX | SB 820 (Ed. Code §32.151) | No sale of student data, no targeted advertising, no profiling unrelated to K-12 purposes. | Compliant | No data sales, no advertising, no third-party profiling. Data used only for in-app educational features. |
| WA | OSPI Student Privacy / RCW 28A.604 | SDPC agreement or equivalent required. Data restricted to K-12 purposes. Re-identification prohibited. | Compliant | SDPC-compatible DPA language available. No re-identification. District agreements executed on request. |
Contact
Compliance and procurement questions:
compliance@plio.academy · We respond within 2 business days.
Full compliance documentation: plio.academy/trust/compliance
Trust Center: plio.academy/trust
For Districts: plio.academy/for-districts
Plio Academy · 501(c)(3) nonprofit · plio.academy · compliance@plio.academy
This document was last updated May 2026. Check plio.academy/trust/compliance for the most current version. This is not legal advice.