Security & Vulnerability Disclosure

Last Updated: June 8, 2026

The Advocate Ally processes sensitive education records, so security reports and privacy questions should use monitored, role-based channels.

Report a Vulnerability

Send suspected vulnerabilities to security@theadvocateally.com. Include the affected URL or feature, steps to reproduce, impact, and any screenshots or logs that help us investigate. Please avoid accessing, downloading, modifying, or sharing another person's data.

We aim to acknowledge security reports within 3 business days and provide status updates for validated issues as remediation progresses.

Student Data Protection

  • Uploaded IEP, 504, evaluation, extracted text, generated report, and action-plan data is treated as restricted student data.
  • Raw uploads are stored in access-controlled Firebase Storage paths and processed server-side after authorization checks.
  • Generated audit details are encrypted before being stored and are decrypted only for the authenticated audit owner or an authorized admin.
  • SMS notifications must stay generic and direct users back to authenticated pages for report details.

Retention and Deletion

Raw uploaded documents are designed to be used for document review and then removed after successful processing. Stale, failed, or orphaned upload objects are subject to scheduled cleanup. Generated reports, action plans, access logs, billing records, consent records, support records, backups, and institutional records may have different retention periods depending on the user workflow, legal requirements, security needs, and any written school or district agreement.

Authenticated users can request audit export or deletion through the application where available. Parents, guardians, educators, and institutions may request access, deletion, or export help at privacy@theadvocateally.com. School or district deployments may have separate written retention and deletion terms.

Subprocessors

The service may use Google Firebase/Google Cloud for hosting, authentication, storage, functions, database services, and task processing; AI processing providers for document review; Stripe for payments; Twilio for SMS; SendGrid or SMTP providers for email; PostHog and privacy-reviewed analytics tooling for operational analytics; and support tooling for privacy, security, and customer requests.

We do not sell student data. We also design SMS, email, analytics, and conversion tracking so student names, disability labels, report findings, raw IEP text, raw upload links, and report content stay out of those channels. Contact privacy@theadvocateally.com for the current subprocessor list for an institutional review.