ClearedFor

Trust & complianceFor schools, districts& large nonprofits

Built to clear IT and legal review.

ClearedFor holds the least data it can: a youth’s medical and emergency details stay in the parent’s own encrypted profile and are destroyed on a retention clock after the activity. This page lays out our data-minimization posture, encryption, the contracts we can put in place, our accessibility approach, and an honest roadmap — so your review has the facts, stated plainly.

Data minimization · By designLEAST DATA

The system is designed so sensitive information about a minor never accumulates in an institution’s records. Each piece is held by the party that should hold it, for only as long as it is needed.

Parent-owned PII
A youth's medical conditions, allergies, medications, insurance, and emergency contacts live in the signing parent or guardian's own encrypted profile — not in the school's or organization's database.
Thin institutional roster
The organization holds only a deliberately thin reference — a youth's display name and group, optionally age or grade. No medical information is stored at the organization level.
Frozen at signing
A signed slip is a snapshot frozen at the moment of signing; later edits to a saved profile never change a signature already given. The legal record reflects exactly what was reviewed.
Destroyed on a retention clock
Each slip's sensitive payload is permanently destroyed a limited period after the activity ends, by crypto-shredding (below). Sensitive data is short-lived by default, not retained indefinitely.
Collected documents & surveys, too
When an activity also collects a document signed offline (like a provider physical) or asks a short survey, those are encrypted and destroyed on the same retention clock as a slip. ClearedFor collects a document; it does not verify the provider or the document's contents, and a survey is planning data, not a medical record.
The organization keeps names and a signature record — not a youth's medical file.
Encryption & access · Two layersENCRYPTED

Every sensitive payload sits behind two independent layers: an access control on the record, and encryption on the content. A leaked session that slipped past the first still cannot read the data without the second.

Per-slip encryption
Each slip's sensitive payload is encrypted under its own unique key. The key material is held in a hardware-backed key-management service and never enters our application memory. An uploaded document is encrypted under its own per-document key, and survey answers under a per-survey key — same key management, same crypto-shred.
Access limited to the activity's leaders
Database-enforced access controls restrict an activity's emergency data to the leaders assigned to that specific activity — not an organization-wide role.
Audit-logged emergency reads
When a leader views an emergency payload or exports a packet, we log who acted, the action, the target, IP, and time — so it can be shown who accessed what.
Crypto-shred = unrecoverable
When a slip's retention window closes, we destroy its key so the payload can no longer be read. Erasure is the absence of a key, not a best-effort delete.
Encrypted in transit, processed in the US
Data is encrypted in transit, and ClearedFor and its service providers process and store information in the United States.
Key material is held in a hardware-backed service and never enters our application memory.
Compliance & contractsON REQUEST

ClearedFor is built to support an institution’s own legal obligations rather than to claim a status on your behalf. We state our posture plainly and put the binding terms in a contract.

DPA available on request
A data-processing agreement / student-data-privacy addendum is available on request. We process information on the institution's instructions, as its service provider, under that contract.
FERPA: you stay the controller
For schools, ClearedFor is designed to operate as a service provider under your direction — the school remains the controller of the education record. The specific contractual terms are set in the DPA.
COPPA: parent-provided, not child-directed
ClearedFor is for adults. Information about a youth is provided by their parent or guardian, who reviews it and consents on the child's behalf — we collect nothing directly from children.
State privacy laws
We honor access, correction, and deletion rights (CCPA/CPRA, UCPA, and comparable state laws) regardless of where a resident lives, to the extent they apply.
No data monetization
We never sell or share personal information for advertising, and we use no third-party advertising or analytics trackers. There is no incentive to monetize a youth's data.

The full list of sub-processors and retention periods is in our privacy policy.

A DPA / student-data-privacy addendum is available on request — contact us to start your review.
AccessibilityWCAG 2.1 AA TARGET

Accessibility is a requirement, not an afterthought.

We build the signing flow and the leader dashboard to WCAG 2.1 AA as a design requirement — keyboard reachability, screen-reader semantics, contrast, and target sizes are part of our review gate, because a parent who can’t complete the signing path can’t give informed consent.

We do not claim a certification we don’t hold. A formal accessibility conformance statement (a VPAT) is on our roadmap; if your review needs our current status, contact us and we’ll share where we are honestly.

We build to WCAG 2.1 AA. A formal conformance statement (VPAT) is on our roadmap — contact us for our current status.
On the roadmap · Talk to usNOT YET

Some capabilities institutional buyers ask for aren’t built yet. We list them here rather than let a review surface them as a surprise. If one of these is a hard requirement, talk to us about your timeline.

Single sign-on (SSO)
Sign-in is a one-time email code or “Continue with Google,” on both login and the parent signing flow. District SSO via Clever or ClassLink is not available yet and is on the roadmap.
SIS / roster import
Rosters are entered or invited today. Bulk import from a student-information system is not available yet and is on the roadmap.
SMS reminders
Signing links and reminders go by email today. A text-message channel is not available yet; we're evaluating it.
Translation / language access
The parent signing flow — including the consent and Terms a parent agrees to — is available in English and Spanish. A leader can also include a translated release PDF in an activity's required set; further languages and a translated leader dashboard are on the roadmap.
We'd rather name a gap than let you discover it — tell us your hard requirements.

Start your review — we’ll send what your team needs.

Talk to us →