Trust & Security

Privacy & security documentation for institutional review

This page provides documentation commonly requested by school districts, colleges, and universities when reviewing software vendors for student data privacy and security.

FERPA-aligned | SOPIPA-aligned | US-based infrastructure | Role-based access controls

Privacy

Student data privacy

APEX processes student data at the direction of schools, districts, and educational institutions using the platform.

  • Student data is not sold.

    APEX does not sell student data or use it for advertising purposes under any circumstances.

  • Schools remain in control.

    Schools and institutions control student records within the contracted service relationship.

  • Not a medical system.

    APEX is a coach workflow platform. It does not provide medical advice, diagnosis, or treatment.

Governance

Responsible use in athletics

APEX is a coach workflow and accountability platform. Institutions remain in control of how it is applied.

  • APEX supports training operations and team visibility — it does not make medical decisions.
  • Institutions control which data is collected, who can access it, and how platform workflows are applied.
  • APEX does not replace sports medicine judgment, institutional policy, or athlete notice and consent processes managed by the school.
  • Schools should maintain written policies, stakeholder education, and periodic review practices when adopting performance technologies.

Security

Technical security

Infrastructure and access controls designed for institutional athletics environments.

  • Supabase Auth for authentication and session management.
  • Role-based access controls and tenancy scoping across school, team, coach, and athlete access paths.
  • Data is transmitted over HTTPS transport security.
  • Operational logging supports reliability and auditability.
  • Administrative write paths use controlled server-side service-role access.

Infrastructure

Subprocessors

All subprocessors are US-based. Vercel analytics is covered under the Vercel entry.

Full subprocessor list →
Vendor      Purpose                           Location
Supabase    Database & Authentication         United States
Vercel      Hosting, Deployment & Analytics   United States
OpenAI      AI Processing                     United States
Anthropic   AI Processing                     United States
Resend      Email Delivery                    United States

Compliance

Regulatory alignment

Designed to support privacy reviews under FERPA and state student data privacy laws. Schools implement these requirements through vendor data privacy agreements.

  • FERPA: Family Educational Rights and Privacy Act
  • NY §2-d: New York Education Law §2-d
  • SOPIPA: California Student Online Personal Information Protection Act
  • MA: Massachusetts Student Data Privacy Regulations
  • TX: Texas Student Privacy Protections (Education Code)

Planning Resources

Institutional guidance resources

Article-style resources to support athletics, sports medicine, IT, and compliance stakeholders as institutions define their own internal policies and implementation practices.

Privacy & Security Contact

Questions from your IT or compliance team?

For district, school, college, or university privacy and security reviews.

hello@apexcoachai.com