transparency

sub-processors.

the third-party infrastructure providers that process thinccc data, the role each plays, and the data protection posture in place for each.

last updated May 7, 2026

a sub-processor is a third-party service provider that processes personal data on our behalf so we can deliver the thinccc platform. we publish this list so schools, districts, workforce partners, banks, and parents can see exactly who touches what, where the data lives, and how we protect it.

thinccc operates as a “School Official” under FERPA’s School Official Exception (20 U.S.C. § 1232g(b)(1)(F)) when serving K-12 students under a Data Processing Agreement with each district. The sub-processors below operate as our service providers. They are subject to the same data-use restrictions that apply to thinccc through flow-down obligations in our agreements with each.

all student data sits in the United States. AI inference operates with zero data retention. every sub-processor below has documented data protection commitments on file, designed to support our obligations under FERPA, COPPA, NY Education Law 2-d, IL SOPPA, and CA SOPIPA. detailed agreements are available on request to school administrators and district counsel.

Amazon Web Services, Inc.

cloud infrastructure: compute, database, and object storage

data residency

us-east-2 (Ohio) for compute and database. us-east-1 (Virginia) for object storage.

certifications

  • SOC 1, SOC 2, SOC 3
  • ISO 27001 / 27017 / 27018 / 27701
  • FedRAMP Moderate and High
  • PCI DSS Level 1
  • HIPAA-eligible

data protection commitments

  • AWS does not access or share customer data without our agreement, except as required by law.
  • AWS does not move customer data out of the US regions we select.
  • AWS does not use customer data for marketing, advertising, or AI model training.
  • thinccc retains all rights to customer data; AWS holds no rights to it.
  • 12-month notice before any material service discontinuation.
  • Security incident notification provided through the AWS Health Dashboard and security bulletins. thinccc's notification timing to school partners is documented in our Data Processing Agreement with each district, calibrated to applicable state law (NY Ed Law 2-d: 7 days; IL SOPPA: 30 days).
AWS Customer Agreement

Groq, Inc.

LLM inference for NLP scoring of student-generated text (used by the Keyshawn coaching layer and our reflection / task scoring pipelines)

data residency

Google Cloud Platform buckets located in the United States.

certifications

  • SOC 2 Type II

data protection commitments

  • Zero Data Retention enabled organization-wide. Groq does not retain inputs or outputs even for system reliability or abuse monitoring.
  • Groq is contractually prohibited from training on customer inputs or outputs unless we explicitly grant permission. We have not, and will not.
  • 72-hour breach notification under the Groq Data Processing Addendum.
  • 15-day advance notice for any new sub-processor.
  • 180-day maximum data deletion timeline on termination.
Groq Services Agreement + DPA

Cloudflare, Inc.

DNS management and edge proxy / CDN / WAF for proxied subdomains (api, dashboard, 3cq). WebSocket coaching traffic on chat.thinccc.org bypasses Cloudflare and routes directly to the origin server.

data residency

primarily United States edge nodes. Some EEA nodes for international traffic per Cloudflare's Privacy Policy.

certifications

  • ISO/IEC 27001 (annual audit)
  • EU-U.S. Data Privacy Framework
  • Global CBPR System certified

data protection commitments

  • Cloudflare processes data only per our written instructions per the Cloudflare DPA.
  • Cloudflare will not sell or rent personal information.
  • Standing public commitment: Cloudflare has never provided encryption keys, law enforcement software, customer content feeds, or weakened encryption to any government.
  • 30-day advance notice for any new sub-processor.
  • Breach notification without undue delay per Cloudflare DPA §3.
  • Semiannual public Transparency Report on government data requests.
Cloudflare Data Processing Addendum (v6.4)

changes to this list.

we publish updates to this page whenever a sub-processor is added, removed, or materially changed. school administrators and district counsel may request advance notice of changes by emailing privacy@thinccc.org.

each sub-processor we use also publishes its own change-notice policy: AWS provides at least 12 months notice before discontinuing material functionality. Groq provides 15 days notice for new sub-processors. Cloudflare provides 30 days notice for new sub-processors.

questions?

for compliance, DPA, or data-handling questions, reach out directly. we respond within two business days.

privacy@thinccc.org