SOPIPA COMPLIANCE AUDIT REPORT

Student Online Personal Information Protection Act

The Scribe Academy

Audit Date: December 2024 | Version 0.25.7

✅

AUDIT RESULT: COMPLIANT

The Scribe Academy has been audited for compliance with the Student Online Personal Information Protection Act (SOPIPA - California Business and Professions Code §§ 22584-22585). This audit confirms that the application does not contain advertising trackers, does not sell student data, and maintains appropriate data silos.

SOPIPA REQUIREMENTS CHECKLIST

Requirement	Status	Evidence
No targeted advertising to students	✓ PASS	No advertising scripts or ad networks detected in codebase
No advertising profiles created from student data	✓ PASS	No third-party analytics or profiling services integrated
No sale of student information	✓ PASS	Privacy policy explicitly prohibits data sales; no data broker integrations
No disclosure for non-educational purposes	✓ PASS	Data shared only with educational subprocessors (Firebase, Gemini AI)
Reasonable security procedures	✓ PASS	TLS encryption, Firebase Auth, role-based access controls
Delete data upon request	✓ PASS	"Full User Wipe" feature available to administrators
No use of data for non-K-12 purposes	✓ PASS	Application designed exclusively for K-12 educational use

THIRD-PARTY SCRIPT AUDIT

Student-Facing Pages Analyzed:

index.html (Landing page)
academy/index.html (Main application)
signup.html (Registration)

Scripts Found:

Script	Source	Purpose	Tracker?
app.js	Local (first-party)	Main application logic	No
landing.js	Local (first-party)	Landing page interactions	No
Firebase SDK	npm bundle (first-party)	Authentication, database	No

✓ No advertising or tracking scripts detected. All scripts are first-party or essential infrastructure (Firebase).

TRACKERS VERIFIED NOT PRESENT

✗ Google Analytics

✗ Google Tag Manager

✗ Facebook Pixel

✗ Google Ads / AdWords

✗ DoubleClick

✗ Google AdSense

✗ Hotjar

✗ Mixpanel

✗ Segment

✗ Amplitude

✗ Heap Analytics

✗ Intercom

✗ = Not present in codebase

DATA FLOW SUMMARY

┌─────────────────┐     ┌──────────────────┐     ┌─────────────────┐
│   Student       │────▶│  The Scribe      │────▶│  Firebase       │
│   Browser       │     │  Academy App     │     │  (Google Cloud) │
└─────────────────┘     └──────────────────┘     └─────────────────┘
                               │
                               │ AI Feedback
                               ▼
                        ┌──────────────────┐
                        │  Google Gemini   │
                        │  (No retention)  │
                        └──────────────────┘

❌ NO DATA FLOWS TO:
   • Advertising networks
   • Data brokers
   • Third-party analytics
   • Social media platforms
   • Marketing automation

AUDIT METHODOLOGY

1. Static Code Analysis: Searched entire codebase for advertising/tracking keywords including: gtag, google-analytics, facebook, pixel, doubleclick, adsense, hotjar, mixpanel, segment, amplitude, heap.

2. Script Tag Audit: Reviewed all HTML files for external script includes, particularly in student-facing pages.

3. Third-Party Dependency Review: Verified npm dependencies do not include advertising or tracking libraries.

4. Privacy Policy Review: Confirmed privacy statement explicitly prohibits advertising and data sales.

RECOMMENDATIONS

✓

Maintain current practices: Continue avoiding third-party analytics and advertising integrations.

○

Periodic re-audit: Conduct SOPIPA compliance audit with each major version release.

○

Document subprocessors: Maintain updated list of all data subprocessors in DPA.

AUDIT CERTIFICATION

I certify that this SOPIPA compliance audit was conducted thoroughly and the findings are accurate to the best of my knowledge.

Auditor Signature:

Date:

Printed Name:

Title:

The Scribe Academy | AI-Powered Writing Education

thescribesacademy.com | support@thescribesacademy.com

Document Version: 1.0 | Audit Date: December 2024