SPED Funding Engine — Security & Privacy Guide
Audience: Special Education Administrators · Last Updated: June 2026
Overview
The SPED Funding Engine processes Individualized Education Program (IEP) documents containing highly sensitive student information protected under the Family Educational Rights and Privacy Act (FERPA), the Individuals with Disabilities Education Act (IDEA), and Texas state education privacy laws. This document describes the security controls, data handling practices, and privacy protections built into the system.
Data Classification
IEP documents processed by this system contain Protected Education Records including:
- Student names and identification numbers (Local ID, UID)
- Disability classifications and eligibility determinations
- Academic performance data and present levels
- Behavioral and health information
- Related service details and provider information
- Placement and instructional setting information
This data is classified as highly sensitive and is handled accordingly at every stage of the pipeline.
Authentication & Access Control
Who Can Access the System
Access is restricted exclusively to users with @nisd.net Google Workspace accounts. No other accounts — including personal Gmail, other school districts, or external parties — can authenticate.
How Access Is Enforced
Access control is enforced at two independent layers:
| Layer | Mechanism | Bypass Risk |
|---|---|---|
| Frontend | Google OAuth hd parameter restricts the account picker to @nisd.net | Low — UX hint only, not authoritative |
| Backend | Every API request verifies the Firebase ID token and confirms the email domain ends with @nisd.net | None — server rejects non-NISD tokens with HTTP 403 |
Even if a user were to manipulate the frontend OAuth flow, the backend will reject any request from a non-authorized domain. This is the authoritative security boundary.
Session Management
- Authentication tokens (Firebase ID tokens) expire after 1 hour and are automatically refreshed by the client.
- Signing out immediately invalidates the local session.
- No passwords are stored — authentication is delegated entirely to Google's identity infrastructure.
Data Flow & Lifecycle
Stage 1: Upload
- User uploads IEP PDFs via the web interface over HTTPS (TLS 1.2+).
- Files are stored temporarily in a dedicated Google Cloud Storage (GCS) bucket.
- Files are stored under a unique batch ID — no user can access another user's uploads.
Stage 2: Processing
- A processing worker downloads the PDFs, extracts structured data, and scores each record.
- PDFs are deleted from cloud storage immediately after extraction — they are not retained.
- Extracted data exists only in memory during processing.
Stage 3: Report Generation
- Scored records are compiled into CSV, Excel, and TEA export files.
- Reports are uploaded to a separate GCS bucket.
- Reports are accessible only via time-limited signed URLs — they cannot be accessed by guessing a URL or browsing the bucket directly.
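The following is an added example, not code from the application, showing how an administrator can confirm from a report link itself that it is time-limited by reading the expiry parameters of a GCS V4 signed URL. It assumes V4 signing and a 15-minute lifetime policy, neither of which the guide states; the 7-day ceiling is the GCS limit for V4 signed URLs.

```python
"""Audit helper for report links (added illustration, not the project's own code).

Reads the X-Goog-Date / X-Goog-Expires parameters of a GCS V4 signed URL and
says when the link stops working, so an administrator can confirm that report
links really are time-limited. The 7-day ceiling is the GCS V4 limit; the
15-minute policy value is an assumption, not something the guide states.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

GCS_V4_MAX_SECONDS = 7 * 24 * 3600
POLICY_MAX_SECONDS = 15 * 60  # assumed district policy


def parse_v4_window(url: str) -> tuple:
    """Return (issued_at, lifetime_seconds) from a V4 signed URL, validating both."""
    qs = parse_qs(urlparse(url).query)
    try:
        issued = datetime.strptime(qs["X-Goog-Date"][0], "%Y%m%dT%H%M%SZ")
        lifetime = int(qs["X-Goog-Expires"][0])
    except (KeyError, ValueError) as exc:
        raise ValueError("not a GCS V4 signed URL") from exc
    if not 1 <= lifetime <= GCS_V4_MAX_SECONDS:
        raise ValueError(f"X-Goog-Expires={lifetime} is outside the V4 range")
    return issued.replace(tzinfo=timezone.utc), lifetime


def audit_report_url(url: str, now_iso: str) -> dict:
    """Classify a report link at the instant now_iso (ISO-8601 with UTC offset)."""
    now = datetime.fromisoformat(now_iso)
    issued, lifetime = parse_v4_window(url)
    expires = issued + timedelta(seconds=lifetime)
    return {
        "expires_at": expires.isoformat(),
        "remaining_seconds": max(0, int((expires - now).total_seconds())),
        "expired": now >= expires,
        "within_policy": lifetime <= POLICY_MAX_SECONDS,
    }


# Constructed sample URL: placeholder bucket, object and signature, not a real link.
SAMPLE_URL = (
    "https://storage.googleapis.com/REPORTS-BUCKET/batch-abc/report.xlsx"
    "?X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Credential=SA-PLACEHOLDER"
    "&X-Goog-Date=20260601T150000Z&X-Goog-Expires=900"
    "&X-Goog-SignedHeaders=host&X-Goog-Signature=SIGNATURE-PLACEHOLDER"
)

if __name__ == "__main__":
    print(audit_report_url(SAMPLE_URL, datetime.now(timezone.utc).isoformat()))
```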
Stage 4: Cleanup
| Data | Retention |
|---|---|
| Uploaded IEP PDFs | Deleted immediately after extraction (seconds) |
| Batch metadata (Firestore) | Retained for audit trail — contains batch ID, status, timestamps, and owner UID only; no student PII |
| Generated reports (GCS) | Available via signed URLs; bucket lifecycle policies apply |
| Application logs | Contain event metadata (batch IDs, file counts, error types) — no student PII is logged |
Data Isolation
Per-User Isolation
- Each batch is owned by the authenticated user (tracked via owner_uid in Firestore).
- Firestore security rules enforce that only the batch owner can read or write their own batch records.
- No user can view, modify, or download another user's batches or reports.
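As an added illustration of the two server-side checks described under Authentication and Data Isolation (the @nisd.net domain gate and the owner_uid ownership check), here is example code that is not the project's own. It assumes the Firebase Admin SDK's auth.verify_id_token has already validated the token's signature, issuer, audience and expiry, and it adds an email_verified check as a margin the guide does not mention.

```python
"""Backend authorization gate (added illustration, not the project's own code).

Assumes the Firebase Admin SDK has already verified the ID token's signature,
issuer, audience and expiry (auth.verify_id_token) and returned the decoded
claims. The two checks are the ones the guide describes: the @nisd.net domain
gate applied to every request, and the owner_uid check for batch records.
"""
from dataclasses import dataclass

ALLOWED_DOMAIN = "nisd.net"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    status: int  # HTTP status the API would return
    reason: str


def check_domain(claims: dict) -> Decision:
    """Authoritative domain gate; the frontend hd hint is never consulted."""
    email = claims.get("email") or ""
    if "@" not in email:
        return Decision(False, 403, "token carries no email")
    # Safety margin beyond the guide's wording: only trust the domain of an
    # address the identity provider has actually verified.
    if claims.get("email_verified") is not True:
        return Decision(False, 403, "email not verified by provider")
    domain = email.rsplit("@", 1)[1].lower()
    # Exact match on the domain part, so "evilnisd.net" and "nisd.net.evil.example" are rejected.
    if domain != ALLOWED_DOMAIN:
        return Decision(False, 403, f"domain {domain} is not {ALLOWED_DOMAIN}")
    return Decision(True, 200, "ok")


def authorize_batch(claims: dict, batch: dict) -> Decision:
    """Per-user isolation: only the batch owner may read or write the batch."""
    gate = check_domain(claims)
    if not gate.allowed:
        return gate
    # "sub" is the Firebase user id (the Admin SDK also exposes it as "uid").
    if batch.get("owner_uid") != claims.get("sub"):
        # 404 rather than 403 so callers cannot probe which batch ids exist.
        return Decision(False, 404, "batch not found")
    return Decision(True, 200, "ok")


# Constructed sample claims and batch record for a stand-alone run (not real data).
OWNER_CLAIMS = {"sub": "uid-123", "email": "Teacher@NISD.net", "email_verified": True}
SAMPLE_BATCH = {"batch_id": "batch-abc", "owner_uid": "uid-123", "status": "completed"}
```

The Firestore security rules the guide mentions enforce the same owner_uid condition at the database layer, so the API check above is the second of two independent gates rather than the only one.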
Infrastructure Isolation
- The application runs on Google Cloud Run — a fully managed, serverless platform with automatic isolation between requests.
- No shared file systems or persistent disks exist between processing jobs.
- Each batch processes in its own execution context.
Encryption
| State | Protection |
|---|---|
| In transit | All data transmitted over HTTPS with TLS 1.2+ encryption. No unencrypted endpoints exist. |
| At rest (GCS) | Google Cloud Storage encrypts all objects at rest using AES-256 by default (Google-managed keys). |
| At rest (Firestore) | Firestore encrypts all data at rest automatically. |
AI/ML Processing (Gemini Recovery)
When enabled, the system may use Google's Gemini AI to recover data from PDFs that could not be fully parsed by the standard extractor. Important privacy considerations:
- Gemini processing occurs within the same Google Cloud project — data does not leave the GCP environment.
- Only the text content of PDFs with extraction gaps is sent to Gemini; successfully extracted records are never sent.
- Google's Gemini API for Cloud customers operates under Google Cloud's data processing terms — customer data is not used to train models.
- This feature can be disabled entirely via environment configuration if your district's data governance policies require it.
Compliance Considerations
FERPA
- Access is limited to authorized school officials with a legitimate educational interest (NISD staff only).
- No student education records are disclosed to third parties.
- Data minimization is practiced — PDFs are deleted immediately after processing; reports contain only the data necessary for funding determinations.
IDEA / OSEP
- The system processes IEP data solely for the purpose of determining funding tier classifications as required by TEA.
- No IEP content is altered, and the system does not make eligibility or placement decisions.
Texas Education Code / TEA
- The system aligns with TEA's New Intensity of Services Funding Model (May 2026).
- TEA export format is provided for direct PEIMS submission compatibility.
- Student UIDs (10-digit TSDS numbers) are handled as sensitive identifiers.
Texas HB 4218 / Student Data Privacy
- No student data is sold, shared with third parties, or used for non-educational purposes.
- The system does not create student profiles for advertising or commercial purposes.
Administrator Responsibilities
As a special education administrator, you should:
- Control who has @nisd.net accounts — access to the tool is only as secure as your Google Workspace directory. Ensure terminated employees are promptly deprovisioned.
- Train staff on proper use — users should understand that IEP data is sensitive and should not be processed on public/shared computers or over untrusted networks.
- Download and secure reports — once downloaded, reports are on the user's local device. Ensure staff follow district policies for storing files containing student PII (encrypted drives, secure network shares, etc.).
- Review extraction warnings — records flagged with warnings should be manually verified before PEIMS submission to ensure funding accuracy.
- Report security concerns — if you suspect unauthorized access or a data breach, follow your district's incident response procedures immediately.
- Periodic access review — regularly confirm that only current, authorized staff have access to the tool via their @nisd.net accounts.
Incident Response
If you suspect a security incident involving student data:
- Immediately notify your district's IT security team and data privacy officer.
- Document what was accessed, by whom, and when.
- Follow NISD's established breach notification procedures, which may include notification to affected families as required by FERPA (34 CFR § 99.33) and Texas Education Code § 32.004.
Summary of Key Protections
| Protection | Implementation |
|---|---|
| Authentication | Google SSO, @nisd.net only, server-enforced |
| Authorization | Per-user batch isolation via Firestore rules |
| Encryption in transit | TLS 1.2+ on all connections |
| Encryption at rest | AES-256 (Google-managed) |
| Data minimization | PDFs deleted immediately after extraction |
| Access logging | Structured logs with batch-level events (no PII) |
| Report access | Time-limited signed URLs only |
| AI processing | Within GCP project, no model training on customer data |
| Compliance | FERPA, IDEA, Texas Education Code aligned |
Questions
For security or privacy questions about this system, contact:
- NISD Technology Services — for technical security concerns
- NISD Student Data Privacy Office — for FERPA/compliance questions
- Special Education Campus Coordinator or Area Coordinator — for operational questions about the funding model