Data Privacy & Security Policy

Last Updated: July 8, 2025

Overview

Athena for IECs was built for Independent Educational Consultants (IECs) who trust us with sensitive student essays and feedback. This policy explains in clear language how we protect that data and keep it private.

Key Commitments

  1. Your data stays yours. You and your students retain full ownership of all uploaded materials.

  2. No AI training. Student essays you upload are permanently excluded from any current or future machine-learning training.

  3. No data sales or ads. We never sell data or share it for advertising or profiling.

  4. World‑class security. We host data only with providers that meet independent security and privacy standards.

Data Ownership & Access

  • Uploaded files remain visible only to the users and teams you explicitly authorize.

  • Athena staff can access files only when you invite us to assist (e.g. support tickets).

Data Lifecycle & Deletion

  • Retention: Active data persists until you delete it or your contract ends. After contract termination, we retain data for 30 days, after which it is automatically purged from storage. This window gives you time to export records or reinstate service.

  • Backups: Backups are kept for 7 days, then automatically purged.

  • Right to erasure: You may request permanent deletion at any time; we complete it within 72 hours.

Sub-processors & Partner Certifications (last reviewed: July 2025)

| Provider | Purpose | Key Certifications |
| --- | --- | --- |
| Google Cloud Platform (GCP) | Google APIs (Docs, OAuth) and email delivery | SOC 2 Type II; SOC 3 Type II; ISO 27001; CSA STAR Level 2 |
| OpenAI | Large language model (LLM) processing | SOC 2 Type II |
| Anthropic | Large language model (LLM) processing | SOC 2 Type II |
| DigitalOcean | File storage and encrypted backups | SOC 2 Type II; SOC 3 Type II; ISO 27001; CSA STAR Level 2 |

DigitalOcean

File storage and encrypted backups

  • SOC 2 Type II

  • SOC 3 Type II

  • ISO 27001

  • CSA STAR Level 1

What these certifications mean

  • SOC 2 Type II: Independent attestation that a provider’s controls meet the Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy.

  • SOC 3 Type II (public summary of SOC 2 Type II): A general‑use report that condenses the results of a SOC 2 Type II audit into a high‑level overview you can share without an NDA.

  • ISO 27001: International standard for establishing and operating an information‑security management system (ISMS).

  • CSA STAR Level 1: Cloud Security Alliance self‑assessment where the provider publicly answers the CAIQ security questionnaire, offering baseline transparency.

  • CSA STAR Level 2: Builds on Level 1 by adding an independent certification or attestation (e.g. SOC 2) for deeper assurance.