
Trust & Compliance

Security, privacy, and accessibility at every layer.

Drivia is built for organizations that take compliance seriously. From FERPA-protected student records to WCAG 2.1 AA accessibility, every feature is designed to meet the standards your institution requires. Below is a complete overview of our security architecture, compliance certifications, and data handling practices.

Compliance Certifications

  • WCAG 2.1 AA (Compliant): Web Content Accessibility Guidelines Level AA
  • Section 508 (Compliant): US Federal Accessibility Standard
  • ADA Title II (Compliant): Americans with Disabilities Act — DOJ 2026 Rule
  • FERPA (Compliant): Family Educational Rights and Privacy Act
  • GDPR (Compliant): EU General Data Protection Regulation
  • CCPA / CPRA (Compliant): California Consumer Privacy Act
  • SOC 2 Type II (In Progress): Service Organization Control — Security & Availability
  • ISO 27001 (Planned): Information Security Management System
  • COPPA (Compliant): Children's Online Privacy Protection (13+ platform)

VPAT (Voluntary Product Accessibility Template) and HECVAT (Higher Education Community Vendor Assessment Toolkit) documents available on request. Contact support@drivia.consulting.

Security Architecture

Row-Level Security

Every database table uses Postgres RLS policies. Tenant data is cryptographically isolated — no user can access another organization's data.

V-RIM Data Partitioning

Virtual Resource Integrity Model partitions data across 5 layers: Organization, Course, Student, AI Context, and Assessment. Each layer has independent access controls.

SSO / SAML 2.0

Enterprise single sign-on via SAML 2.0, OpenID Connect, Azure AD, Okta, and Google Workspace. Enforce authentication through your identity provider.

Audit Logging

40+ event types tracked with timestamps, actor identification, IP addresses, and before/after states. Searchable audit trail with CSV export.

Encryption

TLS 1.3 encryption in transit. AES-256 encryption at rest. Database connections use SSL. No plaintext secrets in codebase.

Role-Based Access Control

16 granular permissions across 5 categories. Custom roles for instructors, department leads, and administrators. Principle of least privilege enforced.

Webhook Security

All webhook deliveries are signed with HMAC-SHA256. Exponential backoff retry with dead letter queue. Webhook secrets never logged or exposed.

Student Privacy

AI conversation history is private to each student — never visible to instructors or administrators. Learning analytics use k-anonymity with minimum group size of 5.

FERPA Compliance

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records. Drivia is designed to comply with FERPA requirements for educational institutions and their technology partners.

  • Student education records are never disclosed without consent
  • Organization administrators cannot access individual AI conversations
  • Parents/guardians can request access to minor student records
  • Data export available in standard formats (CSV, JSON) for portability
  • Right to request amendment of inaccurate education records
  • Annual notification of FERPA rights provided to enrolled students
  • Directory information opt-out mechanism available
  • Audit trail tracks all access to student records

Data Processing Agreement: Drivia will sign a FERPA-compliant Data Processing Agreement (DPA) with any educational institution. This agreement designates Drivia as a “school official” with legitimate educational interest under 34 CFR 99.31(a)(1). Contact us to request a DPA template.

Accessibility (WCAG 2.1 AA)

Drivia meets WCAG 2.1 Level AA standards and complies with Section 508 of the Rehabilitation Act and ADA Title II. The DOJ's April 2026 rule requires state and local government web content to meet WCAG 2.1 AA — Drivia is already there.

  • WCAG 2.1 AA color contrast ratios (4.5:1 text, 3:1 UI components)
  • Keyboard navigation across all interactive elements
  • Screen reader support with ARIA labels, roles, and live regions
  • Skip-to-content navigation link
  • Minimum 44x44px touch targets for all interactive controls
  • prefers-reduced-motion media query — all animations respect system settings
  • Dyslexia-friendly font mode (OpenDyslexic)
  • Adjustable font sizes (14px–20px)
  • High contrast mode toggle
  • Focus-visible indicators on all focusable elements
  • Semantic HTML with proper heading hierarchy
  • Form inputs with associated labels

VPAT / Accessibility Conformance Report: A completed VPAT document mapping Drivia's features against Section 508 / WCAG 2.1 AA criteria is available on request. Contact support@drivia.consulting.

GDPR & CCPA / CPRA

Drivia provides full compliance controls for both the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA).

GDPR Controls

  • Enterprise GDPR mode toggle — enables enhanced consent tracking and right-to-erasure workflow
  • Cookie consent banner with granular category controls
  • 72-hour breach notification capability per Article 33
  • Data Processing Agreement (DPA) available with Standard Contractual Clauses
  • Data portability — full export in CSV and JSON formats

CCPA / CPRA Controls

  • We do not sell personal information to third parties
  • Right to know what data is collected and how it is used
  • Right to delete personal data on request
  • Right to opt out of data sharing for cross-context behavioral advertising
  • Non-discrimination — users who exercise privacy rights receive the same service

SOC 2 Type II

Certification In Progress

Drivia is actively pursuing SOC 2 Type II certification for Security and Availability trust service criteria. Our infrastructure provider (Supabase) is SOC 2 Type II certified. Drivia's application-layer controls — including row-level security, audit logging, encryption, and access controls — are designed to meet SOC 2 requirements. A SOC 2 readiness assessment has been completed and a formal audit is scheduled.

For organizations requiring SOC 2 documentation before purchase, contact us for our current security questionnaire responses and infrastructure documentation.

Data Handling & Residency

  • Data Location: United States (AWS us-east-1 via Supabase)
  • Data Retention: Configurable per organization (30–unlimited days)
  • Backup Frequency: Continuous with point-in-time recovery
  • Data Portability: Full CSV/JSON export via API and admin panel
  • Right to Erasure: Account deletion within 30 days of request
  • Subprocessors: Supabase (database), Stripe (payments), Resend (email)
  • Incident Response: 72-hour breach notification per GDPR Article 33
  • DPA Available: Data Processing Agreement available on request

Interoperability Standards

Drivia is designed to integrate with your existing technology ecosystem.

LTI 1.3

Learning Tools Interoperability support enables Drivia to embed within Canvas, Blackboard, Moodle, and other LTI-compatible systems. Launch Drivia courses directly from your existing LMS.

Status: Coming Soon

xAPI (Tin Can)

Experience API support allows learning activity data to flow into your Learning Record Store (LRS) for enterprise analytics and compliance reporting across platforms.

Status: Coming Soon

REST API & Webhooks

Full REST API with HMAC-SHA256 signed webhooks for real-time event streaming. Integrate enrollment, completion, and assessment data with your HRIS, CRM, or analytics platform.

Status: Available

CSV / JSON Data Export

Export any dataset — members, enrollments, progress, quiz results, audit logs — in CSV or JSON. Scheduled exports and API-driven exports available for enterprise clients.

Status: Available

HECVAT & Vendor Assessment

Drivia provides completed HECVAT (Higher Education Community Vendor Assessment Toolkit) responses for university procurement processes. The HECVAT covers security, privacy, accessibility, data handling, business continuity, and incident response. If your institution uses HECVAT Lite or Full, we have pre-completed responses ready.

Request HECVAT documentation at support@drivia.consulting.

Ready to evaluate Drivia for your organization?

We will provide any compliance documentation your procurement team requires — DPA, VPAT, HECVAT, security questionnaires, or a live security review call.
