How we protect student and school data.
Questions? Email hello@hallwise.com
Student data is used only to provide the hall pass service. It is never sold, licensed, or monetised in any way.
We do not show ads to students or teachers. Student data is never used for advertising targeting or profiling — not by us, and not by any third-party service we use on authenticated pages.
Student names, rosters, and pass records are used solely to run the hall pass service. We do not analyse student data for any other purpose.
When a school ends its subscription, all student data is permanently deleted within 30 days. Backup copies are purged within 90 days. Deletion on request is completed within 5 business days.
We support the National Data Privacy Agreement (NDPA) framework and will sign a Data Processing Agreement with any school or district that requires one.
Hallwise uses the following third-party services. Each is a certified provider with its own compliance programme, and none receive student data except as necessary to operate the service.
All application data — student names, pass records, course rosters — is stored in Supabase PostgreSQL, hosted on AWS US East. Supabase holds SOC 2 Type II and ISO 27001:2022 certifications. Data is encrypted at rest and in transit.
Security documentation ↗The application is deployed on Vercel's edge network. Vercel holds SOC 2 Type II and ISO 27001:2022 certifications. All traffic is encrypted via TLS. Student data passes through Vercel in transit only — it is not stored at the CDN layer.
Security documentation ↗Teacher sign-in uses Google OAuth. Class roster sync uses the Google Classroom API with read-only access to courses and rosters only (no access to grades, assignments, or announcements). Google Workspace for Education is FERPA-aligned and ISO 27001 certified.
Security documentation ↗Billing is handled entirely by Stripe. No student data is ever sent to Stripe — only the school admin's email and payment information. Credit card numbers are processed and stored exclusively by Stripe, never by us.
Security documentation ↗Used only for contact form auto-replies. No student data is transmitted via email. Resend holds SOC 2 Type II certification.
Security documentation ↗FERPA applies to schools, not vendors. Hallwise acts as a school official under FERPA's school official exception: the school contracts with us to provide the hall pass service, and we access student records only on the school's behalf and only for that purpose. We do not disclose student records to third parties without the school's authorization.
Hallwise may be used by students under 13. We rely on the COPPA school consent exception, which permits schools to provide consent on behalf of students for services used for a narrow educational purpose. Schools using Hallwise agree (via the Terms of Service) to provide this school-consent authorization. We limit data collection to what is reasonably necessary for hall pass management and do not use student data for any commercial purpose.
Our data practices are designed to comply with major state student privacy laws including SOPIPA (CA), SOPPA (IL), New York Ed Law 2-d, and similar laws. We do not sell student data, use it for advertising, or share it with unauthorized parties — consistent with the requirements of these laws.
Many districts require a signed Data Processing Agreement (DPA) before approving a vendor. We support the National Data Privacy Agreement (NDPA) — the standard DPA template maintained by the Student Data Privacy Consortium (SDPC), used by over 275,000 schools and 6,600+ vendors across the US.
For districts using state alliance DPAs, we can execute those directly as well. Contact us with your state and district name.
If you discover a security vulnerability in Hallwise, please disclose it responsibly by emailing hello@hallwise.com. We will acknowledge receipt within 24 hours and work to resolve confirmed issues promptly.