For Schools & IEPs
How COTIS works inside schools, special-education programs, related services, and clinical-educational settings — written for district administrators, special-education directors, IT, IEP teams, and the parents who sit at the table with them.
When a school, district, or related-services provider deploys COTIS for a student, the educational agency owns the student data and COTIS is a "school official" under FERPA performing a service the agency would otherwise perform itself. We follow the IEP/504 team's instructions, give the district audit and deletion rights, and never sell student data, train AI models on student data, or use it for advertising. This page describes how that works and provides our standard Data Processing Addendum at the bottom.
01 Overview & purpose
COTIS.AI is a wearable AI companion device designed to support communication, regulation, and connection for neurodivergent users, including students with autism, ADHD, anxiety, speech & language differences, learning disabilities, and co-occurring conditions. When deployed in an educational setting — public or private K–12, post-secondary disability services, special-education classrooms, related-services therapy, or hospital/homebound programs — additional legal protections apply, and this addendum governs.
This page is part of, and incorporated by reference into, our Privacy Policy and Terms of Service. Where this addendum conflicts with the general Privacy Policy or Terms in a school deployment, this addendum controls.
02 Who this applies to
This addendum applies whenever a COTIS device or COTIS service is provided to a student through any of the following channels:
- A school district, public charter, or local educational agency ("LEA") purchasing COTIS for a student.
- A private school, day school, or therapeutic school deploying COTIS as part of programming.
- A related-services provider (SLP, OT, BCBA, school psychologist, counselor) integrating COTIS into a student's plan.
- A post-secondary disability services office providing COTIS as an accommodation.
- A grant, Medicaid HCBS waiver, or state-administered assistive-technology loan program that places COTIS with a student.
- A parent who chooses to make a personally-owned COTIS available to a student's IEP/504 team through our shared-access tools.
In the first five cases, the educational agency is the "Customer" and a separate signed Data Processing Addendum (see Section 14) governs. In the sixth case (parent-owned device, school-shared access), the parent remains the account holder and the school is a designated recipient under parent-granted permission — FERPA may not apply to the device data itself, but we still follow the same operational protections described below.
03 FERPA & our role
"School official" designation
When an LEA contracts with COTIS, COTIS acts as a school official with a legitimate educational interest under the Family Educational Rights and Privacy Act ("FERPA"), 20 U.S.C. § 1232g and 34 CFR Part 99, performing an institutional service that the school would otherwise use employees to perform. We comply with each of the four conditions:
- The service is one the LEA would otherwise use its own employees to perform.
- The LEA maintains direct control over our use and maintenance of education records.
- We use the records only for the authorized educational purpose.
- We do not re-disclose education records except as permitted by the LEA in writing or as required by law.
Education records ownership
All personally identifiable information from education records that we receive, generate, or transmit in connection with a school deployment remains the property of the LEA. We process this information only on documented instructions from the LEA. We do not assert ownership of, license to, or any independent right to use, sell, share, or train models on education records.
2025–2026 FERPA notes
We have updated our practices in light of recent U.S. Department of Education guidance on artificial intelligence in schools, including the Office of Educational Technology's 2024 recommendations on protecting students when using AI tools and the Department's reminders that "directory information" carve-outs do not apply to biometric or AI-generated behavioral data. COTIS treats voiceprints, behavioral patterns, and AI-generated insights as education records, never as directory information, and never makes them available for opt-out-style public release.
04 School Mode features
Every COTIS device provided through a school deployment runs in School Mode by default. Compared to a personal-use device, School Mode changes device behavior in the following ways:
Scope & hours
- Scheduled active hours. The IEP/504 team or school admin sets the days, hours, and locations where the device is active for school purposes. Outside those windows, the device defaults to off, low-stim, or family-only mode at the parent's choice.
- Geofenced collection. Where supported, collection of behavioral and contextual data can be restricted to the school campus.
- Quiet zones. Bathrooms, locker rooms, counseling offices, and any room designated by the LEA can be flagged so audio capture is automatically disabled in those locations.
Content & interaction
- Curriculum-aligned vocabulary. The device can be tuned to the student's communication goals and curriculum.
- Behavioral and academic prompts set by the IEP/504 team — e.g., transition warnings, regulation cues, scripts for self-advocacy, communication supports.
- No social, news, or open-internet content during active school hours.
- No third-party app or skill store available in School Mode.
Team access
- Multi-seat access for the IEP/504 team: special-education teacher, general-education teacher, related-services providers, paraprofessional, school counselor, school psychologist, administrator.
- Per-role permissions controlled by the LEA's designated COTIS admin.
- Every team member's access is logged, time-bounded, and revocable by the admin or the parent (where required by state law or by IEP agreement).
The COTIS device's recording indicator is always visible to the wearer and others nearby during active capture and cannot be disabled by software in School Mode. This is a hardware-enforced safeguard.
05 IEPs, 504 plans & team access
Integration with the IEP/504 process
COTIS is intended to support — never replace — the IEP/504 team's professional judgment. When COTIS is named in an IEP or 504 plan, the team decides:
- The goals COTIS is supporting (communication, regulation, transitions, social, academic, safety).
- What data the team wants to see (daily summaries, weekly trends, regulation events, communication attempts, none).
- How long the device is used and where (full day, designated periods, specific environments).
- How data is reviewed (team meetings, parent dashboards, progress reports).
- When data is deleted (end of year, end of placement, on parent request, on student exit).
Parent participation
Parents (and eligible students 18+, or younger if the LEA's policy permits) retain full FERPA rights with respect to records COTIS holds on behalf of the LEA. This includes the right to inspect and review, request amendment, and consent to disclosures beyond those FERPA permits without consent. We will route any such request received by us directly to the LEA's designated contact within 5 business days, and we will support the LEA in responding.
Continuity across school year, placement, and provider changes
Where a student transfers schools, leaves a placement, or exits a related service, the LEA's contract instructs us how to handle the data: transfer (where lawful), return, or delete. We default to delete after 90 days following separation unless instructed otherwise in writing.
06 What we collect at school
In a school deployment, the categories of information we may process on behalf of the LEA include:
| Category | What it includes | Used for |
|---|---|---|
| Identifiers | Student name (or LEA-issued pseudonym), grade, school, classroom, IEP/504 ID, team member roles. | Routing, dashboards, audit logs. |
| Audio (TALK & ASK / CALM / CONNECT) | Voice interactions while device is active; processed on-device when possible; raw audio purged within 24 hours of cloud processing. | Real-time support for communication, regulation, and connection. |
| Voiceprint | Mathematical model of the student's voice characteristics, used only to identify the student to the device. | Wake-word and speaker-identification only. Never used to train third-party models. |
| Transcripts & summaries | Text of interactions, IEP/504-aligned summaries, regulation events, communication attempts. | Team dashboards, progress reporting, parent visibility. |
| Health & physiological signals | Heart-rate variability and related signals if the student's plan calls for regulation monitoring, with separate written parental consent. | Regulation pattern insight only — not a medical device. |
| Location | On-campus geofenced location during active hours; off-campus only if the IEP/504 team and parent request it (e.g., transit, field trips). | Safety, classroom routing, SOS only. |
| Device & diagnostic | Battery, connectivity, firmware version, fault logs. | Support and operations. |
07 What we don't do in schools
- We do not sell student personal information. Ever.
- We do not use student personal information to train AI models — ours or anyone else's.
- We do not use student information for advertising, marketing, profiling, or behavioral targeting.
- We do not build commercial profiles of students.
- We do not provide student information to third parties for their own use, except subprocessors under written contract performing services for the LEA.
- We do not use student information beyond the authorized educational purpose set out in the LEA contract.
- We do not retain student information beyond the period the LEA instructs.
- We do not provide voluntary access to student information to law enforcement absent a lawful order, and we notify the LEA before disclosure where the law permits.
08 Sharing & subprocessors
We share school deployment data only with subprocessors performing services for us in support of the LEA contract (cloud hosting, speech and language processing, payment, support tooling, security operations). Each subprocessor is bound by written terms at least as protective as our own and is listed publicly on our Data Practices page. We notify the LEA admin of material subprocessor changes with at least 30 days' notice and provide the LEA the right to object.
09 Retention & deletion
| Data type | Default in School Mode | Adjustable by LEA? |
|---|---|---|
| Raw audio (cloud-processed) | Purged within 24 hours; many flows never leave the device. | No (floor). |
| Transcripts | 30 days, then deletion or de-identification per LEA instruction. | Yes — LEA may shorten. |
| IEP-aligned summaries | School year + 1 year, or per LEA records-retention schedule. | Yes. |
| Voiceprint | Active for duration of deployment; deleted within 30 days of separation; in any event no longer than 3 years (BIPA cap). | Yes — LEA may shorten. |
| Health signals | 13 months rolling. | Yes. |
| Location | 7 days rolling for geofenced data; immediate purge off-campus where the school plan does not authorize. | Yes. |
| Account & audit logs | 7 years post-separation for audit and dispute purposes. | Yes (LEA may extend). |
On LEA written request, we issue a Deletion Certificate documenting the categories of data deleted, the date of deletion, the systems affected, and the responsible engineer.
10 Security & audit rights
Our security program is described in detail on our Data Practices page. For school deployments specifically, we additionally commit to:
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Annual SOC 2 Type II audit; report shared with LEA under NDA on request.
- Annual third-party penetration test; executive summary available to LEA.
- Documented incident response with notification to the LEA admin within 72 hours of a confirmed security incident affecting that LEA's data, sooner where state law requires.
- Right to audit: the LEA may, with reasonable notice and not more than once per year (or as otherwise required by law or following a security incident), audit our compliance with the DPA at the LEA's expense, subject to confidentiality.
11 Parent & eligible-student rights
Under FERPA and applicable state laws, parents (or eligible students 18+) have the right to:
- Inspect and review their child's education records held by COTIS on behalf of the LEA.
- Request amendment of records they believe are inaccurate, misleading, or in violation of privacy rights.
- Consent in writing to disclosures beyond those FERPA permits without consent.
- File a complaint with the U.S. Department of Education, Student Privacy Policy Office.
Requests received directly by COTIS are routed to the LEA within 5 business days. Where a state law (e.g., CCPA/CPRA, Colorado, Virginia, Connecticut, Utah, Texas, Oregon, Tennessee, Montana) provides additional rights that apply to the family rather than the LEA, we support those rights directly.
12 State student-privacy laws
We additionally comply with state student-privacy laws where applicable, including:
- California — Student Online Personal Information Protection Act (SOPIPA), Cal. Bus. & Prof. Code § 22584; AB 1584 contract requirements.
- New York — Education Law § 2-d and Part 121 regulations, including the Parents' Bill of Rights for Data Privacy and Security.
- Connecticut — Public Act 16-189 and 22-47.
- Colorado — Student Data Transparency and Security Act.
- Illinois — Student Online Personal Protection Act (SOPPA).
- Texas — Education Code Chapter 32 and TEC § 32.151.
- And the other 40+ state student-privacy laws as applicable to a given deployment.
Where required, COTIS will sign LEA-specific addenda (e.g., New York Parents' Bill of Rights supplemental information, California AB 1584 schedules) as part of contracting.
13 International schools
For schools in the EU, UK, EEA, Switzerland, and other jurisdictions with comprehensive data-protection laws, COTIS acts as a data processor under GDPR Article 28 and equivalent regimes. We enter into a separate Article 28 DPA, transfer data outside the EU/UK only under approved mechanisms (Standard Contractual Clauses, UK IDTA, adequacy decisions), and support data-residency in the EU on request. The EU AI Act's high-risk classification for AI in education applies; we maintain technical documentation, logging, and human-oversight measures consistent with Articles 9–15.
14 Data Processing Addendum (DPA)
Below is our standard Data Processing Addendum for school deployments. It is incorporated into every LEA Master Services Agreement and signed alongside the order form. LEAs may propose redlines through schools@cotis.ai; we maintain a tracked variance log for legal review.
"LEA" means the local educational agency, school district, school, or other educational institution executing the Order Form. "Student Data" means personally identifiable information from education records as defined by FERPA, plus any additional categories of information about students that the LEA provides to COTIS or that COTIS generates on the LEA's behalf. "Authorized Purpose" means the specific educational purposes set out in the Order Form. "Subprocessor" means a third party engaged by COTIS to process Student Data on behalf of the LEA.
The LEA is the controller of Student Data. COTIS is a school official under FERPA and, where applicable, a data processor under GDPR Article 28 and a service provider under CCPA/CPRA. COTIS will process Student Data only on the LEA's documented instructions, including with respect to transfers, and will not process Student Data for any other purpose, including its own commercial purposes.
COTIS ensures that personnel authorized to process Student Data have committed to confidentiality, have completed annual student-privacy training, and access Student Data only on a least-privilege basis.
COTIS implements appropriate technical and organizational measures as described on the Data Practices page, including encryption in transit and at rest, access controls, network segmentation, monitoring, incident response, vulnerability management, and personnel security. COTIS undergoes an annual SOC 2 Type II audit.
The LEA grants COTIS general authorization to engage subprocessors. COTIS maintains a current public list of subprocessors and will notify the LEA admin at least 30 days before any new or replacement subprocessor begins processing Student Data. The LEA may object on reasonable grounds; COTIS will work in good faith to resolve the objection or, failing that, allow the LEA to terminate the affected service.
COTIS will assist the LEA in responding to requests from parents, eligible students, and (where applicable) data subjects under GDPR, CCPA/CPRA, and state student-privacy laws. Requests received directly by COTIS will be routed to the LEA within 5 business days.
COTIS will notify the LEA admin of a confirmed security incident affecting that LEA's Student Data within 72 hours of confirmation, with a written follow-up including known facts, scope, actions taken, and recommended LEA response. COTIS will cooperate in good faith with the LEA's incident response.
COTIS provides the LEA with information necessary to demonstrate compliance with this DPA and allows for audits by the LEA or a mutually agreed third-party auditor, no more than once per year except following a security incident, on reasonable notice, at the LEA's expense, and subject to confidentiality.
On termination of the Order Form, or on LEA written request, COTIS will return or delete Student Data on the schedule the LEA specifies, with a default of return-or-delete within 90 days of separation and issuance of a Deletion Certificate. COTIS may retain audit logs and minimal account metadata for up to 7 years for legal and audit purposes.
COTIS will not use Student Data to train, retrain, fine-tune, or evaluate any artificial-intelligence model — its own or any third party's — without separate written authorization from the LEA. Inference-time use of Student Data to operate the COTIS service for that LEA's students is permitted within the Authorized Purpose.
COTIS will not sell, share, rent, lease, or otherwise commercialize Student Data; will not use Student Data for advertising or marketing; will not build commercial profiles of students; and will not use Student Data outside the Authorized Purpose.
In the event of a conflict among the documents governing COTIS's processing of Student Data, the order of precedence is: (1) signed LEA-specific addenda, (2) this DPA, (3) the For Schools & IEPs page, (4) the Privacy Policy, (5) the Terms of Service.
15 Contracting & contact
For school and district contracting, RFPs, custom DPA review, and IEP-team onboarding, please reach our schools team. We staff a dedicated educator and a privacy attorney on this channel.
Talk to our schools team
Procurement, DPAs, IEP onboarding, related-services integration.
Schools & Privacy
Los Angeles, CA