GiftMatch Compass is a career-discovery service that may be licensed by a school, school district, college, workforce program, or other educational institution (a “School”) for student use. This package explains how GiftMatch handles School-controlled student data and the standard terms we expect to include in a School agreement.
GiftMatch does not sell student data, does not use covered student information for targeted advertising, does not create advertising profiles from student data, and does not use student data for unrelated commercial purposes.
This page intentionally separates current product behavior from items that must be completed for a School launch. GiftMatch should not represent a deployment as fully school-approved or ZDR-enabled unless the applicable items below are complete.
| Area | Status | Before School Launch |
|---|---|---|
| FERPA school-official terms | Standard terms are drafted on this page for incorporation into a signed School agreement. | School agreement or DPA must be signed or otherwise accepted by the School. |
| COPPA under-13 use | Direct signup is 13+. Under-13 use is limited to School-authorized deployments. | School must provide or obtain required consent. OpenAI-based personal-data processing remains blocked until ZDR is approved and enabled unless a separate written arrangement permits it. |
| OpenAI ZDR/MAM | Pending. | Obtain OpenAI approval and configure the approved organization/project controls, or keep OpenAI-based personal-data processing out of the School deployment unless separately agreed. |
| Subprocessors | The complete subprocessor list (including hosting and TLS-CA) is published in Section 4 below. | Confirm the list matches the School’s acceptable-subprocessor policy and obtain any state-required subprocessor notice. |
| Accessibility | No WCAG conformance certification is claimed on this page. | Complete a WCAG 2.1 AA review/remediation plan or provide the accessibility documentation required by the School. |
| State privacy addenda | General no-sale/no-targeted-ad/no-non-educational-profile commitments are stated below. | Review and sign state-specific terms where required, such as California, Illinois, New York, Connecticut, Colorado, Texas, or district-specific DPAs. |
The following terms are intended to be incorporated into a signed School agreement or DPA when GiftMatch processes student data for a School. They are not a complete replacement for School counsel review or state-specific addenda.
GiftMatch will notify the School without unreasonable delay after confirming a security incident that affects School Data. The notice will describe, to the extent known, the nature of the incident, affected data categories, mitigation steps, and recommended School actions. Specific timelines may be set in the signed School agreement or required by applicable state law.
If there is a conflict between this public page and a signed School agreement, the signed School agreement controls for that School.
This list identifies known service providers and data recipients used by GiftMatch. Some optional providers are used only when the related feature is enabled.
| Provider | Purpose | Data Categories | School Notes |
|---|---|---|---|
| OpenAI, L.L.C. | AI text generation, document parsing, speech transcription or text-to-speech where enabled. | Relevant portions of trait profile, archetype profile, saved experience/education entries, uploaded-document text, typed answers, generated context, or audio recordings when voice features are used. | OpenAI states that API data is not used to train its models without explicit consent. By default, OpenAI abuse-monitoring logs may retain customer content for up to 30 days. Zero Data Retention / Modified Abuse Monitoring approval is pending for School deployments involving minors or Education Records. Under-13 School deployments remain blocked from OpenAI-based personal-data processing until Zero Data Retention is approved and enabled unless a separate written arrangement permits it. |
| Anthropic PBC | AI text generation and analysis where configured by the admin-selected model settings. | Relevant prompt context needed to generate or refine GiftMatch output, such as trait profile, career context, saved experience entries, and user-provided text. | Commercial/API data is not used for model training by default according to Anthropic’s published commercial-product guidance. School use remains subject to the School agreement and subprocessor approval. |
| Google LLC — OAuth (Sign in with Google) and Workspace / Gmail API | Sign-in via Google OAuth and outbound transactional email via a Google Workspace service account. | OAuth: name, email address, optional profile photo, ID token. Gmail send: recipient email, message subject and body of transactional messages we send. | If a School cannot approve Google sign-in, the deployment should document an email/password-only configuration before launch. The Workspace email path uses a service account whose credentials are stored outside the web root and are subject to the same rotation cadence as other secrets. |
| Paddle.com Market Limited | Payment processing and merchant-of-record services for paid plans. | Billing contact information, transaction identifiers, subscription status, payment metadata, country, and limited card metadata such as last four digits. | Not used for student assessment responses, transcripts, career reports, or School Data unless a School uses Paddle for billing contact/payment administration. |
| Adzuna Limited | Optional Coach job-search results and job-application links. | Career title, search terms, location or remote preference, and job-search filters when the user searches for jobs. | Optional feature. Should be disabled or omitted for School/minor deployments unless approved in the School agreement. Displayed job results include Adzuna attribution. |
| USAJOBS / U.S. Office of Personnel Management API | Optional federal job-search results and application links. | Career title, search terms, location or remote preference, and job-search filters when the user searches for federal jobs. | Optional feature. Should be disabled or omitted for School/minor deployments unless approved in the School agreement. USAJOBS is a public U.S. government job-search API. |
| DigitalOcean, LLC | Underlying VPS that runs the entire service. | All data stored or processed by the deployed service environment. | Production deployment is a single Droplet in the NYC2 datacenter. All Student Data is stored in the United States. Subject to DigitalOcean’s Data Processing Agreement. |
| SSLMate | TLS certificate authority & renewal automation. | Domain-validation metadata only. SSLMate does not receive any Student Data. | Listed for completeness; SSLMate’s scope is the public TLS certificate. |
| Google LLC — Google Analytics (gtag.js) | Page-view analytics on public marketing pages. | IP address, user-agent, page URL, referrer. | Suppressed for users in active site-license org sessions; only emitted on the public marketing pages where the visitor is governed by the public Privacy Policy. Schools may approve analytics for their org users by configuring the per-org override; default for site licenses is off. |
| Google LLC — Google CDN (ajax.googleapis.com) | Hosts the jQuery library loaded by every page. | IP address and user-agent only (the inherent metadata of any browser fetch). No app data. | Listed for completeness. Self-hosted-jQuery alternative is on the GiftMatch internal roadmap. |
Public career-data sources such as BLS and O*NET are used as content sources. GiftMatch does not need to send student personal information to BLS or O*NET to display source-linked career information.
| Control Area | Current Commitment or Launch Requirement |
|---|---|
| Data minimization | GiftMatch asks users not to submit government identifiers, precise geolocation, biometrics, health records, or financial account numbers. Resume/transcript uploads are used to extract text and are not kept as original uploaded files after processing. |
| Transmission security | HTTPS is enforced on all production traffic, with HTTP requests 301-redirected at the Apache vhost. Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options DENY, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy (microphone allowed only for the optional voice-practice feature, all other sensitive APIs denied), and Cross-Origin-Opener-Policy same-origin headers are set on every response. |
| Password handling | Email/password accounts use password hashing rather than storing raw passwords. Google OAuth tokens are stored in the user session for sign-in continuity and are not stored in the application database. |
| Access control | Account data is tied to authenticated users. Administrative access is restricted to authorized GiftMatch staff. School administrative visibility is limited to the scope authorized by the School agreement and role configuration. |
| Secrets management | Operational secrets and credential JSON files must be kept outside the web root/repo path in the deployed environment and must not be committed to source control. |
| Logging | GiftMatch logs operational events needed for security, debugging, billing, and audit. Logs are not used to build advertising profiles. |
| Deletion | GiftMatch removes account-linked profile, assessment, generated report, saved Coach, and experience data from active systems within a commercially reasonable period after account or School deletion, subject to legal, billing, security, compliance, audit, dispute, and backup-rotation exceptions. |
| Backups | A daily Postgres dump is produced by an internal backup script with a 14-day rotation, and a documented quarterly restore-test cadence verifies the dumps are usable. Backups are stored on the production server with restrictive filesystem permissions; immediate deletion from rotation-eligible backups is performed on the standard schedule. Immediate deletion from immutable or disaster-recovery backups may not be technically possible. |
| Incident response | GiftMatch will investigate suspected unauthorized access, take containment/remediation steps, and notify affected Schools as required by agreement and law. |
| Cybersecurity framework | GiftMatch self-attests alignment with the NIST Cybersecurity Framework (CSF) 2.0 at Tier 2 (Risk Informed). An internal Organizational Profile mapping the 6 CSF Functions to current and target state is maintained and is available to a School under NDA per NDPA §5.2 on written request. GiftMatch is also happy to complete additional security questionnaires sent by a School during procurement. |
| Certifications | GiftMatch does not claim SOC 2, ISO 27001, HIPAA, or FedRAMP certification unless that status is separately stated in a signed agreement or current security questionnaire. |
GiftMatch uses AI to generate narrative content, career matches, career deep-dives, experience reflections, document parsing, Coach responses, interview practice support, and optional speech features. AI processing can involve sending relevant user content to OpenAI or Anthropic depending on the admin-selected model settings and feature configuration.
Where technically and contractually supported, a School agreement can restrict or disable AI features, transcript upload, resume upload, Coach tools, job search, voice practice, or specific AI providers. Those controls should be documented before launch.
School privacy, procurement, security questionnaire, or DPA requests can be sent to support@giftmatchcompass.com. GiftMatch may update this page as the service, subprocessors, legal requirements, or AI data-retention controls change. Material changes for a School deployment will be handled under the signed School agreement.
