Why this matters
School-Core uses the following third-party service providers (sub-processors) to deliver our platform. Each provider is bound by data processing agreements and maintains industry-standard security certifications.
This page is the canonical, public version of the registry referenced by our Privacy Policy and Data Processing Agreement.
Notice of changes
Schools are notified 30 days in advance of any changes to this list, as specified in our Data Processing Agreement.
Current sub-processors
Primary database hosting
Data processed
All platform data (student records, staff records, academic data, communications)
Data location
Singapore (AWS ap-southeast-1)
Application hosting and edge delivery
Data processed
Application requests, server-side rendering, edge functions
Data location
Global (edge network)
File and document storage
Data processed
User-uploaded documents, attachments, profile images, certificates, report PDFs
Data location
Configurable (region hints available)
AI-powered educational features
Data processed
Prompts containing academic context (no PII stored by provider). See Privacy Policy §6 for details.
Data location
United States
Alternative AI processing for specific features
Data processed
Educational prompts (no PII stored by provider). See Privacy Policy §6 for details.
Data location
United States
Payment processing for subscriptions and billing
Data processed
Payment card details (handled directly by Stripe, never touches our servers), billing information
Data location
United States / Global
Transactional email delivery
Data processed
Email addresses, recipient names, email content (password resets, notifications, report card distribution)
Data location
United States
Error monitoring and performance tracking
Data processed
Error context, stack traces, performance metrics. Configured to exclude PII.
Data location
United States
Rate-limit counters and short-lived AI budget caches
Data processed
Rate-limit keys (IP, userId), AI token budgets, cached responses (no long-term PII).
Data location
Global (regional choice configurable)
Optional sign-in with Google Workspace and Google Drive personal-account connections
Data processed
Authentication tokens, basic profile (name, email). No customer data is shared with Google.
Data location
Global
Optional sign-in with Microsoft 365 / Entra and OneDrive personal-account connections
Data processed
Authentication tokens, basic profile (name, email). For OneDrive-connected users: file listing tokens scoped to the consenting user only.
Data location
Global
Our commitment
We only work with sub-processors that maintain SOC 2 Type II or equivalent certifications. All sub-processors are bound by data processing agreements that ensure your data is protected. Schools are notified 30 days in advance of any changes to this list, as specified in our DPA.
Questions?
Last updated: June 2026 · v1.0 — June 2026