Compliance

Is Clema SOC 2 and FERPA compliant?

Yes. Clema is built for higher education and the compliance standards that govern it. Here is the short answer, then the detail your security team will want.

The short answer

Clema holds a SOC 2 Type II certification, independently audited every year, and is FERPA-ready by design. We act as a school official with a legitimate educational interest, sign BAAs with every customer, enforce role-based access, and never train on your data.

SOC 2 Type IISOC 2 Type II
FERPA CompliantFERPA

SOC 2 Type II

Certified

Independently audited every year for security, availability, and confidentiality.

FERPA

Ready by design

School-official framework, role-based access, BAAs, full audit trail.

How Clema handles your data

Read-only, governed connections

Clema reads from your sources. It does not copy data outbound or write back without explicit permission. Every query carries source attribution and a complete audit trail for compliance review.

No AI training on your data

Your institutional data is never used to train Clema's models. It is never sold, shared, or disclosed to third parties. You retain complete ownership and can export or delete it at any time.

Encryption everywhere

Data is encrypted at rest with AES-256 and in transit with TLS 1.3. Access is gated by role-based controls, multi-factor authentication, and session timeout policies.

Data stored in the United States

Your data is stored in secure, SOC 2 certified data centers located in the United States, with geo-redundancy and point-in-time recovery for high availability.

What your security team can request

Most institutions ask for these during vendor review. We turn them around in one business day.

SOC 2 Type II report (under NDA)
Business Associate Agreement (BAA)
Encryption and key management overview
Incident response summary

Compliance
FAQs

Yes. Clema holds a SOC 2 Type II certification. Our infrastructure and processes are independently audited every year against the trust service criteria for security, availability, and confidentiality. We share the full report under NDA on request to [email protected].

Yes. Clema is built for FERPA from the ground up. We act as a school official with a legitimate educational interest, enforce role-based access controls, encrypt data at rest and in transit, and sign BAAs with every customer. Every answer includes source attribution and a full query audit trail.

No. Clema never uses your institutional data to train its models. Your data is never sold, shared, or disclosed to third parties. You retain complete ownership and can export or delete your data at any time.

Email [email protected] and our security team will share the SOC 2 Type II report and BAA under NDA, usually within one business day. We can also schedule a call with your CISO or security review team.

Need the compliance pack?

Our security team will share the SOC 2 Type II report and BAA under NDA, usually within one business day.

Email security teamRead the security overview