Illinois SOPPA Compliance
Student Online Personal Protection Act (105 ILCS 85/)
Our Commitment to Student Privacy
Roster Access is fully committed to complying with the Illinois Student Online Personal Protection Act (SOPPA). We understand that protecting student data is not just a legal requirement but a fundamental responsibility to the students, families, and schools we serve.
This page provides Illinois schools with the information required under SOPPA, including our data practices, security measures, and Data Privacy Agreement template.
Covered Information We Collect
Under SOPPA, "covered information" means personally identifiable information about students. Roster Access may collect and process the following student data elements:
SOPPA Compliance Checklist
- No Targeted Advertising: We do NOT use any student data for targeted advertising or marketing purposes.
- No Data Sales: We do NOT sell, rent, lease, or trade student personally identifiable information.
- No Unauthorized Profiling: We do NOT create student profiles for purposes other than K-12 school purposes.
- Data Minimization: We only collect data necessary for the educational purpose of sharing rosters.
- Automatic Data Deletion: Rosters automatically expire and are deleted after 160 days.
- On-Request Deletion: We delete school data within 160 days of receiving a deletion request.
- Breach Notification: We notify affected schools within 30 days of confirming any data breach.
- Security Measures: We implement encryption, access controls, and secure authentication.
Subcontractors and Service Providers
Under SOPPA, we are required to disclose any subcontractors who may have access to student data:
| Provider | Purpose | Data Access |
|---|---|---|
| Vercel Inc. | Hosting & Infrastructure | File storage, application hosting |
| Supabase Inc. | Authentication & Database | User accounts, school data |
All subcontractors are contractually bound to maintain the same level of data protection required under SOPPA.
Data Privacy Agreement (DPA)
Illinois schools are required to have a signed Data Privacy Agreement before sharing student data with operators like Roster Access. We provide a standard DPA template that meets SOPPA requirements.
What Schools Must Do Under SOPPA
If your school uses Roster Access, SOPPA requires you to:
- Have a signed Data Privacy Agreement with Roster Access
- Post publicly that Roster Access is an approved operator
- Disclose what data elements are being collected
- Make a copy of the signed DPA available to parents upon request
- Notify parents of data breaches within 30 days
Security Procedures and Practices
We maintain reasonable security procedures appropriate to the nature of the student data:
- Encryption in Transit: All data transmitted via HTTPS/TLS
- Encryption at Rest: Secure encrypted file storage
- Access Controls: Role-based authentication required
- Row-Level Security: Database access restrictions
- Password Security: Industry-standard password hashing
- Auto-Expiration: 160-day automatic data deletion
Questions or Concerns
For questions about SOPPA compliance, data deletion requests, or to request a signed Data Privacy Agreement, please contact us through your school administrator or athletic director.