Every compliance claim on this page has a technical basis. We've documented what we've built, what it supports, and what's on the roadmap — because you should be able to verify it.
These regulations are addressed at the platform architecture level — not through policy documents or configuration options. Each entry includes the specific technical controls that satisfy the requirement.
FERPA governs the privacy of student education records at institutions receiving federal funding. Compliance requires that student data be accessible only to authorized school officials with a legitimate educational interest, and that students retain rights to inspect and correct their records.
GLBA's Safeguards Rule requires financial institutions and their service providers to implement a comprehensive information security program protecting non-public personal financial information (NPI). Higher education institutions handling financial aid data are covered. So are insurance, financial services, and lending verticals.
CCPA and CPRA give California residents rights to know what personal data is collected, rights to deletion, rights to opt out of sale, and rights to correct inaccurate data. As a service provider, QuadHub must support the data subject rights of client organizations' users.
HIPAA governs the use and disclosure of Protected Health Information (PHI) by covered entities and their business associates. QuadHub's platform architecture satisfies the technical and physical safeguard requirements of the HIPAA Security Rule. We provide Business Associate Agreements (BAAs) for healthcare clients.
COPPA applies to online services directed at children under 13, or services with actual knowledge they are collecting data from children under 13. For K-12 clients and trade school clients with minors, QuadHub provides the controls needed to operate a COPPA-compliant deployment.
PIPEDA governs how private organizations in Canada collect, use, and disclose personal information. QuadHub is US-hosted; Canadian organizations using the platform must obtain meaningful consent for cross-border transfer. We support Canadian clients with the necessary disclosures and data handling agreements.
Every compliance claim above traces back to one of six architectural layers. These layers were designed before any regulatory requirement was written down. Compliance is a consequence of good architecture.
We build compliance in phases. Active means it's supported today with technical controls in production. In Progress means the controls exist but documentation or attestation is pending. Planned means it's on the build calendar.
| Framework | Status | Notes |
|---|---|---|
| FERPA | Active | Full architectural support. Used in all higher education deployments. |
| GLBA Safeguards Rule | Active | Controls implemented. Applies to financial services, insurance, and higher ed financial aid workflows. |
| CCPA / CPRA | Active | US data residency, no data sale, deletion support, DPA available. |
| HIPAA (BAA available) | Ready | Technical and physical safeguards implemented. BAA available. Healthcare vertical requires BAA execution before PHI handling. |
| COPPA (K-12) | Ready | No third-party data monetization. FERPA safe harbor covers most K-12 school-directed use. |
| PIPEDA (Canada) | Ready | Cross-border transfer disclosure and agreements available for Canadian clients. |
| GDPR (EU/UK) | Active | Data subject rights implemented: GET /api/v1/users/export (Art. 20 portability) and DELETE /api/v1/users/me (Art. 17 erasure). DPA template available for EU clients. |
| ADA / Section 508 | In Progress | WCAG 2.1 AA accessibility audit scheduled. Required for government and higher education verticals receiving federal funding. |
| SOC 2 Type I | Planned | Controls exist and are operating. Third-party CPA attestation planned for post-revenue milestone. |
| NIST SP 800-171 | Planned | Controls map well to existing architecture. Documentation sprint planned for government vertical launch. |
| ISO 27001 | Planned | ISMS documentation and formal certification planned for enterprise sales cycle. |
| FedRAMP | Deferred | Authorization requires formal partnership with a 3PAO and significant process investment. Deferred until government vertical reaches sufficient scale. |
| StateRAMP | In Progress | State-level cloud security authorization program. Architecture alignment in progress. Target for government and public education verticals requiring state procurement compliance. |
We provide Business Associate Agreements (HIPAA), Data Processing Agreements (GDPR/CCPA), and detailed compliance documentation packages for enterprise procurement and legal review.
Request Compliance Documentation