Trust & Compliance
How XCIV.ai handles student data, supports school district compliance, and protects the information entrusted to our platform.
94 Feet. Every inch, covered.
Last updated: April 15, 2026
Our Position
XCIV.ai is a software platform for high school and AAU basketball coaches. When school districts use our platform, we operate as a data processor — never as a data collector. All student information in XCIV.ai is entered by district employees acting in their official roles. Under the Family Educational Rights and Privacy Act (FERPA), we are designated as a “school official” under the exception at 34 C.F.R. § 99.31(a)(1), with a legitimate educational interest limited strictly to the services we provide.
What this means for your district
- Your district owns all student data. We are custodians, not owners.
- We use student data only to deliver the services your district has licensed.
- We sign a Data Processing Agreement with every district we serve.
How We Handle Student Data
No AI training on student data
We do not allow our AI subprocessors to train, fine-tune, or improve general-purpose models on any student data we process.
Encryption everywhere
Student data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher.
Least-privilege access
Access to student data is restricted to personnel who require it to deliver services, with multi-factor authentication required for administrative access.
Comprehensive audit logging
We maintain audit logs of access to student data and retain them for no less than twelve months.
72-hour breach notification
We commit to notifying affected districts within 72 hours of confirming any security incident affecting student data.
Return or destroy at termination
When a district contract ends, we return or securely destroy all student data within 30 days, with written certification.
Strong authentication required
All accounts require a unique email address and strong password. Multi-factor authentication is required for administrative access.
Certifications & Frameworks
We track the standards that matter most to district technology leaders.
- NIST 800-53 and SOC framework alignment — our security program is structured around these recognized control frameworks as we build toward formal SOC 2 Type II certification. [In progress]
- FERPA — School Official designation under 34 C.F.R. § 99.31(a)(1) [In place]
- iKeepSafe FERPA + COPPA certification [In progress]
- SDPC / A4L vendor membership [In progress]
- SOC 2 Type II [Planned]
Where Your Data Lives
XCIV.ai operates on cloud infrastructure within the United States. We disclose the geographic location at which student data is stored and processed to district customers upon request, and we comply with state-level data localization requirements where applicable, including those of Kansas and Oklahoma.
State Law Coverage
We meet or exceed the student data privacy requirements of the states we serve.
- Kansas — Student Data Privacy Act (K.S.A. § 72-6213 et seq.)
- Nebraska — Student Data Privacy and Security Act (LB 890)
- Colorado — Student Data Transparency and Security Act (HB 16-1423)
- Oklahoma — Student Data Accessibility, Transparency, and Accountability Act
For District Technology Directors
We provide our standard Data Processing Agreement, security questionnaire responses, and compliance documentation directly to district technology and privacy teams as part of the contracting process. To request these materials, contact us below.
Once our membership is active, executed DPAs with school districts will also be filed in the public Student Data Privacy Consortium (SDPC) registry at sdpc.a4l.org, alongside other major education-technology vendors. SDPC and A4L provide the National Data Privacy Agreement framework that many school districts standardize on.
Request our DPA. We typically respond within two business days.
Insurance
XCIV LLC maintains cyber liability and privacy insurance, technology errors and omissions insurance, and commercial general liability insurance. Certificates of insurance are available to district customers upon request as part of the contracting process.
For Parents and Student Athletes
If you are a parent or student athlete with questions about how XCIV.ai handles information about you or your child, please contact your school district directly. Under FERPA, your school district controls all education records and is the proper recipient of requests to inspect, correct, or restrict the use of student information. Your district will coordinate with us as needed to fulfill your request.