These are not aspirations. Every one is enforced in the running code today, or it is labelled here as a known gap with a target date.
The single most-cited finding in K-12 breach reports is the unenrolled admin account.
Enforced in the middleware on every request. No opt-out toggle, no remember-this-device backdoor. New staff are redirected to enroll a TOTP authenticator before they can do anything else.
Postgres Row-Level Security policies block UPDATE and DELETE on AccessLog, AIUsageLog, and GradeChangeLog. The application's database role does not have BYPASSRLS. Even an attacker with full application credentials cannot edit a row.
IEP details, intervention notes, discipline narratives, and nurse-visit logs are AES-256-GCM encrypted with a key not stored in the database. A stolen database dump shows ciphertext for the most sensitive records.
No competing LMS has yet committed to this in writing.
The AIUsageLog records actor, feature, model, SHA-256 hash of prompt and response, plus the student IDs referenced. Parents can ask what the AI has seen about their child — we can answer in under a minute, without retaining content.
Nightly pg_dump backups are age-encrypted to a public key whose private counterpart never lives on the production host. A total host compromise cannot decrypt backups. Quarterly restore drills with the key holder.
Every record we hold on a child, the disclosure log under §99.32, the AI usage trail. Visible to the linked parent immediately. Downloadable as JSON. Right-of-correction routed through the school administrator with an audited workflow.
Most schools we talk to are already running one of these. Here is what is different about Nova next to each — stated plainly, with no anonymous swipes.
Canvas was built before FERPA had audit teeth. Its audit log can be edited by admins. The LTI plug-in marketplace is a 1,500-vendor data egress surface no school's CISO has actually audited end to end. Useful as a courseware host; not designed as the trust boundary.
One Workspace user compromise away from being everyone's email. Student work is co-mingled with the rest of Google's data graph. Nova is a separate trust boundary around student data, with a separate and smaller blast radius.
Both owned by private equity rolling up the K-12 software market. Roadmaps optimised for sellable feature counts, not for what one charter high school needs first or what is auditable when a parent asks. We are deliberately the opposite shape of company.
Half the schools we talk to are stitching together Google Sheets, FileMaker, paper notebooks, and email. Nova replaces all of that with one auditable system. Measured migration time at the pilot: roughly four hours per 100 students.
Listed plainly so your IT review is faster, and so the parts we do claim are trusted by contrast.
Not yet.
On the roadmap, targeted within twelve months of the first paid customer. Compensating controls are documented in the threat model in the interim, and shared on request.
Not yet.
Not on the immediate roadmap. After SOC 2. We will not over-promise.
Not yet.
Scheduled before any pilot with real student data. Quotes from two firms in hand; we will share the firm's scope and scoring rubric before signing.
Not yet.
The pattern library is being rebuilt for AA compliance. The VPAT will be published when the third-party audit completes; interim conformance notes are available on request.
Not yet.
The encryption key currently lives in the host environment variable. A determined root-on-host attacker could read it. HSM storage is planned at the second paying-customer scale.
Not yet.
Not yet — only password and TOTP credentials. A high-priority roadmap item once a customer requires it. We will not implement it badly to tick a box.
Nova is a one-founder company. Every line of code that touches your student data was written by hand, reviewed against the threat model, and tested before deploy. We have not, and will not, outsource security work — the founder is the security engineer, the application engineer, and the operations engineer.
This is a deliberate trade-off. The cost is feature velocity measured against bigger vendors. The benefit is that no part of your child's data passes through a contractor pool, a BPO, or a layoff round.
Infrastructure: one OVHcloud host in France, Cloudflare in front, Anthropic Claude for AI features (with a zero-retention contract before any real student data lands). The subprocessor list is on request and lists those three vendors and no others.
For your IT review. Each is a real, finished document — not a sales asset.
The full threat model
Eleven attacker profiles, each with the mitigation enforced in code.
Postgres schema with security annotations
Every encrypted column, every RLS policy, explained for non-DBAs.
Draft Data Processing Agreement
Drafted by K-12 EdTech counsel; we redline with your district's lawyer.
Subprocessor list
Cloudflare, Anthropic, OVHcloud. That is the entire list.
Browser-readable security page
Every shipped control and every named gap, scannable in five minutes.
We sell to schools one at a time, because that is what our trust model lets us scale. Write to [email protected] with the questions your IT review needs answered — we will send back a real document the same day, not a sales sequence.