Talk and Comment — Data Security and Privacy Plan
Pursuant to New York Education Law § 2-d and 8 NYCRR Part 121
| Company | Talk and Comment LLC |
| Address | 345 Capricorn Ave, Oakland, CA 94611 USA |
| Website | talkandcomment.com |
| CEO / Founder | Zak El Fassi |
| Privacy Contact | support@talkandcomment.com |
| Document Version | 1.0 |
| Effective Date | February 9, 2026 |
| Last Updated | February 9, 2026 |
Table of Contents
- Introduction
- Product Overview
- Section 1 — Implementation of Data Security and Privacy Requirements
- Section 2 — Administrative, Operational, and Technical Safeguards
- Section 3 — Employee and Subcontractor Training
- Section 4 — Contracting Processes for Employees and Subcontractors
- Section 5 — Data Security and Privacy Incident Management
- Section 6 — Data Transition
- Section 7 — Secure Destruction of Data
- Section 8 — Alignment with Educational Agency Policies
- Section 9 — Alignment with NIST Cybersecurity Framework v1.1
- Parents' Bill of Rights — Supplement
- Sub-Processor List
- Transcription — Self-Hosted Infrastructure
1. Introduction
Talk and Comment LLC ("Talk and Comment," "we," "us") provides this Data Security and Privacy Plan ("Plan") in accordance with New York Education Law § 2-d and the regulations set forth in 8 NYCRR Part 121. This Plan is incorporated by reference into each New York Data Privacy Agreement ("NDPA") executed between Talk and Comment and a New York Educational Agency ("EA"), and is intended to satisfy the requirements of Exhibit K thereto.
This Plan describes how Talk and Comment protects the personally identifiable information ("PII") of students and certain related data received from or on behalf of New York Educational Agencies. It is reviewed and updated at least annually, or whenever there is a material change to our data practices.
The safeguards described in this Plan are proportionate to the data we collect, the nature of our product, and the scope of our operations.
2. Product Overview
Talk and Comment is a Chrome extension and web application that enables voice-based feedback in education. Teachers record short voice comments and share them with students via a link. Students click the link to listen.
Data Collected by Tier
| Tier | Account Required | Data Collected |
|---|---|---|
| Free | No | Audio recordings, playback metadata (timestamps, browser info) |
| Pro | Yes (email + Google Workspace profile) | Audio recordings, email address, name (via Google sign-in), transcription text (via self-hosted transcription engine) |
Under-13 / COPPA Compliance
Students under 13 operate in read-only mode by default, enforced at the API level. In this mode, they do not create accounts, do not record audio, and do not provide any PII — they access voice comments via shared links only.
With verifiable guardian consent, under-13 students may be upgraded to recording-enabled accounts. This requires a guardian to provide their name, relationship, and email address. The guardian consent is logged with a timestamp. Without this consent, under-13 students remain in read-only mode.
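The read-only gate and the consent record described above, shown as an added example in plain Ruby (the application is Rails, but this is not Talk and Comment's code and uses no Rails API). The Student, GuardianConsent and ConsentLog names, the :listen/:record actions and the HTTP statuses are assumptions for illustration. The point it makes is that the decision is taken from server-side records only, so a modified extension or a forged request cannot opt a student into recording.

```ruby
# Added example (not Talk and Comment's code): a server-side COPPA gate of the
# kind the Plan describes. Class, field and action names are assumptions.
require 'date'
require 'time'

GuardianConsent = Struct.new(:guardian_name, :relationship, :guardian_email, :recorded_at)

class Student
  attr_reader :id, :birthdate
  attr_accessor :consent # nil until a guardian consents

  def initialize(id:, birthdate:)
    @id = id
    @birthdate = birthdate
    @consent = nil
  end

  # Whole years completed on `date`.
  def age_on(date)
    age = date.year - birthdate.year
    age -= 1 if ([date.month, date.day] <=> [birthdate.month, birthdate.day]).negative?
    age
  end
end

module RecordingPolicy
  COPPA_AGE = 13

  # Decided entirely from server-side records: nothing the extension or
  # browser sends about age or consent is trusted.
  def self.check(student, action, today:)
    return :allowed if action == :listen # shared-link playback is always read-only
    return :allowed if student.age_on(today) >= COPPA_AGE
    student.consent ? :allowed : :consent_required
  end
end

class ConsentLog
  attr_reader :entries

  def initialize
    @entries = []
  end

  # Records verifiable guardian consent. All three fields are required and the
  # timestamp comes from the server clock, never from the request.
  def record(student, guardian_name:, relationship:, guardian_email:, now: Time.now.utc)
    fields = { guardian_name: guardian_name, relationship: relationship, guardian_email: guardian_email }
    missing = fields.select { |_, v| v.to_s.strip.empty? }.keys
    raise ArgumentError, "missing consent fields: #{missing.join(', ')}" unless missing.empty?

    student.consent = GuardianConsent.new(guardian_name, relationship, guardian_email, now)
    @entries << { student_id: student.id, guardian_email: guardian_email, recorded_at: now.iso8601 }
    student.consent
  end
end

# What an API endpoint would return: [HTTP status, body].
def handle_recording_request(student, action, today: Date.today)
  case RecordingPolicy.check(student, action, today: today)
  when :allowed then [200, { status: 'ok' }]
  else [403, { error: 'guardian consent required for recording' }]
  end
end

if __FILE__ == $PROGRAM_NAME
  today = Date.new(2026, 2, 9)
  log = ConsentLog.new
  minor = Student.new(id: 'stu-1', birthdate: Date.new(2015, 6, 1)) # constructed: age 10
  p handle_recording_request(minor, :listen, today: today)          # read-only access is fine
  p handle_recording_request(minor, :record, today: today)          # 403 until consent
  log.record(minor, guardian_name: 'A. Parent', relationship: 'mother', guardian_email: 'parent@example.com')
  p handle_recording_request(minor, :record, today: today)          # 200 after consent
  p log.entries
end
```

Two details carry the weight: the consent record is created only when all three guardian fields are present, and its timestamp is the server's, so the audit trail cannot be backdated by the caller.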
What We Do NOT Do
- We do not sell student data — to anyone, for any purpose.
- We do not use ad networks or serve targeted advertising.
- We do not use student data for marketing.
- We do not build student profiles for non-educational purposes.
- We do not retain data beyond the period needed to provide the service.
3. Section 1 — Implementation of Data Security and Privacy Requirements
How applicable data security and privacy contract requirements are implemented over the life of the contract.
3.1 Contract Lifecycle Management
Talk and Comment implements data security and privacy requirements throughout the full lifecycle of each contract with a New York Educational Agency:
Onboarding / Contract Execution:
- Prior to or concurrent with the start of service, Talk and Comment executes a New York Data Privacy Agreement (NDPA) with the EA, incorporating the Parents' Bill of Rights and this Data Security and Privacy Plan.
- The scope of data to be received or created is defined in the contract and corresponding Exhibit D (Scope of Services).
- Talk and Comment confirms that its data handling practices meet the requirements of Education Law § 2-d before accepting student data.
During the Contract Term:
- This Plan is reviewed at least annually and updated as needed.
- Any material changes to sub-processors, infrastructure, or data practices that affect the handling of student PII are communicated to the EA.
- Talk and Comment responds to EA inquiries regarding data handling practices within a reasonable timeframe.
- Executive leadership maintains ongoing responsibility for privacy compliance and serves as the primary point of contact for data security and privacy matters.
Contract Renewal:
- At renewal, Talk and Comment reviews this Plan and confirms continued compliance with all applicable requirements.
- Any changes since the last review are documented and communicated to the EA.
Contract Termination:
- Upon termination or expiration of the contract, Talk and Comment follows the data transition and destruction procedures described in Sections 6 and 7 of this Plan.
- A certification of data destruction is provided to the EA upon request.
3.2 Ongoing Compliance Monitoring
Talk and Comment's compliance monitoring is hands-on and continuous:
- Data handling practices, access controls, and sub-processor agreements are reviewed on a regular basis.
- Infrastructure security configurations (database access, encryption settings, API keys) are reviewed periodically.
- Application logs are monitored for anomalous access patterns.
4. Section 2 — Administrative, Operational, and Technical Safeguards
Administrative, operational, and technical safeguards and practices to protect PII.
4.1 Administrative Safeguards
| Safeguard | Description |
|---|---|
| Designated Privacy Contact | Zak El Fassi, CEO, serves as the designated privacy and security point of contact. Reachable at support@talkandcomment.com. |
| Data Minimization | Talk and Comment collects only the data necessary to provide the service. Free-tier users create no account and provide no PII. Pro-tier users provide only an email address and the name returned by Google sign-in (see Section 2). |
| Access Control Policy | Production database and infrastructure access is restricted to authorized personnel on a need-to-know basis. Direct access to production data stores is tightly controlled. |
| Vendor Management | Sub-processors are selected based on their security posture and contractual commitments to data protection. See Section 13 for the full sub-processor list. |
| Incident Response Plan | A documented incident response plan is maintained. See Section 5 for details. |
| Annual Review | This Plan and related security practices are reviewed at least annually. |
4.2 Operational Safeguards
| Safeguard | Description |
|---|---|
| Principle of Least Privilege | Access to systems and data is granted on a strict need-to-know basis. Production data access is tightly restricted. |
| Secure Development Practices | The application is built on Ruby on Rails, which provides built-in protections against common web vulnerabilities (CSRF, SQL injection, XSS). Dependencies are kept up to date. |
| Change Management | Code changes are reviewed before deployment. Infrastructure changes are logged. |
| Backup and Recovery | Database backups are managed automatically by DigitalOcean Managed PostgreSQL, with point-in-time recovery capability. Audio files stored in AWS S3 benefit from S3's design durability (99.999999999%), which protects against loss or failure of the underlying storage media; it does not protect against accidental or malicious deletion, for which S3 bucket versioning (see RC.RP in Section 9) is the relevant control. |
| Monitoring | Application logs and error tracking are used to detect operational issues. Analytics (PostHog, Google Analytics 4) are used for product improvement only, not for tracking individual students. |
4.3 Technical Safeguards
| Safeguard | Description |
|---|---|
| Encryption in Transit | All data transmitted between users, our servers, and third-party services is encrypted using TLS (HTTPS). AWS CloudFront enforces TLS for content delivery. |
| Encryption at Rest | Database: DigitalOcean Managed PostgreSQL encrypts data at rest. File storage: AWS S3 uses AES-256 server-side encryption for all stored audio files and related objects. |
| Password Security | User passwords (Pro tier) are hashed using bcrypt with appropriate work factors. Passwords are never stored in plaintext. |
| Authentication | Pro-tier accounts require email-based authentication. Session management follows Rails security best practices. |
| Network Security | Database access is restricted to application servers only (not publicly accessible). Infrastructure is hosted on US-based cloud providers with SOC 2-compliant data centers. |
| API Security | Third-party API calls are made server-side using encrypted connections. API keys are stored as environment variables, not in source code. Audio transcription is performed on self-hosted infrastructure. |
| Data Segmentation | Student-generated content (audio recordings for playback) is isolated from teacher account data. Under-13 users default to read-only mode; recording requires verified guardian consent. |
5. Section 3 — Employee and Subcontractor Training
Training received by employees and subcontractors on federal and state laws governing confidentiality of PII.
5.1 Current Organizational Context
Talk and Comment maintains a minimal-access model. Access to student PII is restricted to authorized personnel only, significantly reducing the training footprint and risk surface.
5.2 Founder Training and Knowledge
Zak El Fassi maintains working knowledge of the following laws and regulations as they apply to Talk and Comment's handling of student data:
- Family Educational Rights and Privacy Act (FERPA) — Federal requirements governing the privacy of student education records.
- Children's Online Privacy Protection Act (COPPA) — Federal requirements for the collection of personal information from children under 13.
- New York Education Law § 2-d — New York State requirements for the privacy and security of student data and teacher/principal data.
- 8 NYCRR Part 121 — Implementing regulations for Education Law § 2-d.
5.3 Future Employees and Subcontractors
Should Talk and Comment hire employees or engage subcontractors who may access student PII:
- They will receive training on applicable federal and state privacy laws (FERPA, COPPA, Education Law § 2-d) prior to being granted access to any systems containing student data.
- Training will be repeated annually and whenever there are material changes to applicable law or company data practices.
- Training completion will be documented and records retained.
- No individual will be granted access to systems containing student PII until training is complete.
6. Section 4 — Contracting Processes for Employees and Subcontractors
Contracting processes ensuring employees/subcontractors are bound by written agreement to data security and privacy.
6.1 Current State
Talk and Comment limits direct access to student PII data stores to essential personnel only. All individuals with access are bound by the commitments in this Plan, the NDPA, and applicable law.
6.2 Sub-Processor Agreements
All third-party sub-processors used by Talk and Comment are engaged under written agreements that include data protection obligations. These include:
- Data Processing Agreements (DPAs) or equivalent contractual terms with each sub-processor.
- Restrictions on sub-processors' use of data to only what is necessary to provide their service to Talk and Comment.
- Requirements for sub-processors to maintain appropriate security measures.
- Obligations regarding data breach notification.
See Section 13 for the complete sub-processor list and data handling details.
6.3 Future Employees and Subcontractors
If Talk and Comment engages employees or subcontractors who will have access to student PII:
- Each individual will be required to execute a written confidentiality agreement prior to accessing any student data.
- The agreement will include obligations regarding the proper handling, security, and non-disclosure of student PII.
- The agreement will specify that violations may result in termination and may be subject to legal action.
- The agreement will survive termination of the employment or contractor relationship.
7. Section 5 — Data Security and Privacy Incident Management
How data security and privacy incidents are managed, including specific plans for identifying breaches and reporting obligations.
7.1 Incident Identification
Talk and Comment monitors for potential data security incidents through:
- Application monitoring: Error tracking and logging to identify unusual application behavior, unexpected access patterns, or system anomalies.
- Infrastructure alerts: DigitalOcean and AWS provide built-in monitoring and alerting for infrastructure-level events (unusual login attempts, configuration changes, resource anomalies).
- Sub-processor notifications: Talk and Comment monitors communications from sub-processors regarding security incidents that may affect student data.
- User reports: Teachers or EA administrators may report suspected incidents to support@talkandcomment.com.
7.2 Incident Classification
Upon identification of a potential incident, Talk and Comment will assess:
- What data was potentially affected? (audio recordings, email addresses, transcription text, etc.)
- Whose data was potentially affected? (students, teachers, which EAs)
- What was the nature of the incident? (unauthorized access, data loss, system compromise, accidental disclosure, etc.)
- What is the scope? (number of records, number of individuals, number of EAs)
- Is the incident ongoing or contained?
7.3 Incident Response Steps
- Contain: Immediately take steps to stop the incident and prevent further data exposure. This may include revoking access credentials, taking systems offline, or isolating affected components.
- Assess: Determine the scope, nature, and impact of the incident.
- Notify: Report the incident to affected Educational Agencies in accordance with Section 7.4 below.
- Remediate: Address the root cause of the incident and implement measures to prevent recurrence.
- Document: Maintain a written record of the incident, including timeline, scope, response actions, and outcome.
7.4 Breach Notification
In the event of a breach or unauthorized release of student PII or teacher/principal APPR data:
- Timing: Talk and Comment will notify affected Educational Agencies no later than 72 hours after discovery of the breach, consistent with Exhibit G of the NDPA.
- Method: Notification will be sent via email to the EA's designated contact, with follow-up by phone if appropriate.
- Content: The notification will include, to the extent known at the time:
- A description of the incident
- The date(s) of the incident and date of discovery
- A description of the types of data involved
- An estimate of the number of records and individuals affected
- Steps taken to contain and remediate the incident
- Contact information for follow-up questions
- Ongoing updates: Talk and Comment will provide supplemental information as it becomes available during the investigation.
- Cooperation: Talk and Comment will cooperate with the EA's own investigation and notification obligations under Education Law § 2-d.
7.5 Post-Incident Review
After resolution of any data security incident involving student PII, Talk and Comment will:
- Conduct a post-incident review to identify root causes and lessons learned.
- Update this Plan, security configurations, or practices as warranted.
- Communicate relevant changes to affected EAs.
8. Section 6 — Data Transition
How data will be transitioned to the EA when no longer needed.
8.1 Data Return
Upon expiration or termination of the contract, or upon request by the EA, Talk and Comment will make available to the EA any student PII or education records in Talk and Comment's possession that were provided by or created on behalf of the EA.
Format and Method:
- Audio recordings will be provided as downloadable files in their original format (e.g., MP3, WebM).
- Transcription text (if applicable) will be provided in a standard machine-readable format (e.g., CSV, JSON, or plain text).
- Account-level data (email addresses, usage metadata) will be provided in CSV or JSON format.
- Data will be transmitted via a secure method agreed upon with the EA (e.g., encrypted file transfer, secure download link).
Timeline:
- Talk and Comment will make data available for export within 30 days of a written request from the EA.
- The EA will be given a reasonable period (not less than 30 days) to retrieve the data before destruction proceeds.
8.2 Self-Service Export
Where technically feasible, Talk and Comment will provide teachers and administrators with the ability to export their own content (recordings and transcriptions) directly from the application during the contract term.
9. Section 7 — Secure Destruction of Data
Secure destruction practices and how certification will be provided.
9.1 Destruction Practices
Upon expiration or termination of the contract (and after the data transition period described in Section 6), Talk and Comment will securely destroy all student PII and education records received from or created on behalf of the EA.
Destruction methods by data type:
| Data Type | Storage Location | Destruction Method |
|---|---|---|
| Audio recordings | AWS S3 | Permanent deletion of S3 objects, including all prior object versions and delete markers where bucket versioning is enabled (in a versioned bucket, a plain delete only adds a delete marker and leaves earlier versions retrievable). Decommissioning of the underlying storage media follows AWS's published data destruction practices. |
| Transcription text | DigitalOcean Managed PostgreSQL | Deletion of database records. Encryption at rest protects the underlying storage media from offline reading; it does not by itself erase deleted rows, which remain unreachable through the application and are reclaimed by PostgreSQL's normal vacuum process. |
| User account data (email) | DigitalOcean Managed PostgreSQL | Deletion of database records. |
| Application logs containing PII | Application server / log management | Log rotation and deletion. Logs older than 90 days are automatically purged. |
| Backups containing PII | DigitalOcean automated backups | Backups are automatically rotated and overwritten by the managed database provider per their retention policy (typically 7 days). After deletion from the primary database, PII will age out of backups within the backup retention window. |
9.2 Certification of Destruction
Upon completion of data destruction, Talk and Comment will provide the EA with a written certification confirming:
- The types of data destroyed
- The date(s) of destruction
- The method(s) of destruction
- A statement that, to the best of Talk and Comment's knowledge, all student PII received from or created on behalf of the EA has been destroyed, except as retained in automated backups which will age out per the provider's retention schedule
The certification will be signed by an authorized representative of Talk and Comment and provided to the EA within 60 days of the destruction request (allowing time for backup rotation).
10. Section 8 — Alignment with Educational Agency Policies
How program/practices align with EA's applicable policies.
10.1 Commitment to Alignment
Talk and Comment is committed to operating in a manner consistent with the data security and privacy policies of each Educational Agency it serves. We recognize that EAs may have policies that go beyond minimum legal requirements.
10.2 How We Align
- NDPA as the Alignment Mechanism: The NDPA executed between Talk and Comment and each EA serves as the primary vehicle for aligning Talk and Comment's practices with EA-specific requirements. Any EA-specific obligations or restrictions are documented in the NDPA and its exhibits.
- Responsive to EA Requirements: If an EA identifies specific policy requirements that are not addressed by this Plan or the NDPA, Talk and Comment will work with the EA in good faith to evaluate whether and how those requirements can be accommodated.
- Data Use Limitations: Talk and Comment uses student data solely to provide the contracted educational service. This inherently aligns with EA policies that restrict vendor use of student data.
- Acceptable Use: Talk and Comment's product is designed for a narrow, educational purpose (voice feedback). This limited scope naturally aligns with EA acceptable use policies for educational technology.
10.3 Limitations
In cases where an EA has specific policy requirements not addressed by this Plan or the NDPA, Talk and Comment will work with the EA in good faith to evaluate and accommodate those requirements where feasible.
11. Section 9 — Alignment with NIST Cybersecurity Framework v1.1
How program/practices materially align with the NIST Cybersecurity Framework.
Talk and Comment has elected to demonstrate alignment using Option (ii): narrative descriptions explaining how our practices align with the categories across the five NIST CSF functions (Identify, Protect, Detect, Respond, Recover). Our descriptions reflect our actual practices and demonstrate meaningful alignment with each category described below.
IDENTIFY (ID)
ID.AM — Asset Management
The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy.
Talk and Comment maintains an understanding of all systems and data assets involved in delivering our service. Our infrastructure consists of a defined set of cloud services: DigitalOcean (application hosting and managed database), AWS S3 and CloudFront (file storage and content delivery), and a small number of third-party SaaS tools (see Sub-Processor List). The application codebase is maintained in version control. Audio recordings and database contents are identified as our primary data assets. As a small operation, our asset inventory is inherently manageable and is reviewed as part of infrastructure changes.
ID.BE — Business Environment
The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
Talk and Comment's mission is to provide voice feedback tools for K-12 education. Our primary stakeholders are teachers and students in U.S. school districts. Cybersecurity roles and responsibilities are clearly defined, and risk management is informed by the educational context of our users, including the sensitivity of student data and obligations under FERPA, COPPA, and Education Law § 2-d. The product's narrow scope (voice recording and playback) limits our attack surface and data exposure.
ID.GV — Governance
The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
Talk and Comment's governance is exercised through clear ownership of privacy and security decisions at the executive level. This Plan, our Privacy Policy, and our Terms of Service constitute our governance documentation. We maintain awareness of applicable laws (FERPA, COPPA, Education Law § 2-d) and incorporate their requirements into our practices and contracts (NDPAs). Governance is reviewed at least annually.
ID.RA — Risk Assessment
The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
Talk and Comment conducts informal but substantive risk assessments when making infrastructure decisions, selecting sub-processors, or modifying data handling practices. Key risks we have identified and addressed include: unauthorized access to audio recordings (mitigated by access controls and encryption), compromise of database credentials (mitigated by managed database service, restricted network access, and credential rotation), and third-party sub-processor incidents (mitigated by selecting reputable providers with strong security postures). Our limited data collection (no SSNs, no grades, no health data) reduces the overall risk profile.
ID.SC — Supply Chain Risk Management
The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk.
Talk and Comment evaluates third-party sub-processors based on their security practices, data handling commitments, and reputation. We preferentially select providers that offer SOC 2 compliance, data processing agreements, and transparent security documentation. Our sub-processor list is intentionally small to limit supply chain risk. We review sub-processor security postures when onboarding new providers and when renewing or modifying existing relationships. Major sub-processors (AWS, DigitalOcean) publish detailed security documentation that we review.
PROTECT (PR)
PR.AC — Identity Management, Authentication, and Access Control
Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access.
Production infrastructure access is limited to authorized personnel only. Database access is restricted to application servers via network-level controls (DigitalOcean trusted sources). There is no shared production access and no public-facing database endpoints. User-facing authentication (Pro tier) uses email/password with bcrypt hashing. Session management follows Rails framework security defaults (signed/encrypted cookies, CSRF protection). API keys for third-party services are stored as server-side environment variables, not in client-side code.
PR.AT — Awareness and Training
The organization's personnel and partners are informed and trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
All personnel with access to student data maintain current knowledge of applicable privacy laws, security best practices, and the threat landscape relevant to web application security. Training is ongoing and is supplemented by a formal training program as the organization grows (as described in Section 5 of this Plan). Sub-processors are selected in part based on their own demonstrated security awareness and training programs.
PR.DS — Data Security
Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.
All data is encrypted in transit (TLS/HTTPS) and at rest (AES-256 for S3, managed encryption for PostgreSQL). Audio recordings are stored in AWS S3 with server-side encryption. Database records are stored in DigitalOcean Managed PostgreSQL with encryption at rest. Passwords are hashed with bcrypt. Data is stored exclusively in the United States. The application follows Rails security conventions for input validation, parameterized queries (preventing SQL injection), and output encoding (preventing XSS). Data backups are maintained via the managed database provider's automated backup system.
PR.IP — Information Protection Processes and Procedures
Security policies, processes, and procedures are maintained and used to manage protection of information systems and assets.
This Data Security and Privacy Plan serves as our primary security policy document. The application codebase is maintained in version control with a review process for changes. Infrastructure configurations are documented. A baseline system configuration is maintained for production servers. Data destruction procedures are documented in Section 7. This Plan is reviewed and updated at least annually.
PR.MA — Maintenance
Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.
Talk and Comment uses managed cloud services (DigitalOcean, AWS) that handle infrastructure-level maintenance, patching, and hardware management. Application-level dependencies (Ruby gems, JavaScript packages) are updated regularly to address security vulnerabilities. The Ruby on Rails framework provides a security mailing list that we monitor for critical patches. DigitalOcean Managed PostgreSQL applies database engine patches automatically.
PR.PT — Protective Technology
Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
Protective technologies include: TLS termination at the CDN (CloudFront) and application server level; network-level access restrictions on the database; Rails built-in CSRF protection, secure session handling, and parameter filtering; application-level logging of access and errors; and managed firewall rules at the hosting provider level. Audit/log records are maintained in accordance with our operational needs and log retention practices.
DETECT (DE)
DE.AE — Anomalies and Events
Anomalous activity is detected and the potential impact of events is understood.
Talk and Comment monitors for anomalous activity through application-level logging, infrastructure monitoring provided by DigitalOcean and AWS, and error tracking. Unusual patterns — such as unexpected spikes in API requests, failed authentication attempts, or access from unusual locations — would be visible in application logs and infrastructure dashboards. The narrow scope of our application (voice recording and playback) makes anomalous behavior patterns relatively easy to identify.
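Section 3.2, Section 5.1 and the DE.AE narrative above all rely on anomalous access patterns being visible in application logs. The following is an added example, not Talk and Comment's code, of how such patterns can actually be surfaced: three sliding-window rules (a failed-login burst per source address, a request-rate spike per address, and one account appearing from several addresses) run over a constructed, one-JSON-object-per-request log. The log format, field names, thresholds and addresses are all assumptions; a deployment would adapt the parser to whatever its logger emits and tune the thresholds to its own traffic.

```ruby
# Added example (not Talk and Comment's code): sliding-window detection over a
# constructed request log. The one-JSON-object-per-request line format, its
# field names and the thresholds are assumptions.
require 'json'
require 'time'

Event = Struct.new(:ts, :ip, :method, :path, :status, :user, keyword_init: true)

# One log line per request. Returns events sorted by time.
def parse_log(text)
  text.each_line.map(&:strip).reject(&:empty?).map do |line|
    h = JSON.parse(line)
    Event.new(ts: Time.iso8601(h.fetch('ts')), ip: h.fetch('ip'), method: h['method'],
              path: h['path'], status: h['status'].to_i, user: h['user'])
  end.sort_by(&:ts)
end

class AccessAnomalyDetector
  def initialize(window: 300, failed_login_threshold: 5, rate_threshold: 50, ips_per_user_threshold: 3)
    @window = window
    @failed_login_threshold = failed_login_threshold
    @rate_threshold = rate_threshold
    @ips_per_user_threshold = ips_per_user_threshold
  end

  def run(events)
    failed_logins = events.select { |e| e.path == '/sessions' && e.status == 401 }
    burst(failed_logins, :ip, @failed_login_threshold, :failed_login_burst) +
      burst(events, :ip, @rate_threshold, :request_rate_spike) +
      spread(events.reject { |e| e.user.nil? }, :user, :ip, @ips_per_user_threshold, :user_many_ips)
  end

  private

  # Flags a key once `threshold` of its events fall inside `window` seconds.
  def burst(events, key, threshold, label)
    recent = Hash.new { |h, k| h[k] = [] }
    flagged = {}
    events.each do |e|
      k = e[key]
      q = recent[k]
      q << e.ts
      q.shift while q.first < e.ts - @window
      next if q.size < threshold
      f = (flagged[k] ||= { rule: label, key: k, first_seen: q.first.iso8601 })
      f[:count] = q.size
      f[:last_seen] = e.ts.iso8601
    end
    flagged.values
  end

  # Flags a key seen with `threshold` distinct values of `attr` inside the
  # window (here: one account used from several addresses).
  def spread(events, key, attr, threshold, label)
    recent = Hash.new { |h, k| h[k] = [] }
    flagged = {}
    events.each do |e|
      k = e[key]
      q = recent[k]
      q << [e.ts, e[attr]]
      q.shift while q.first[0] < e.ts - @window
      seen = q.map(&:last).uniq
      next if seen.size < threshold
      flagged[k] = { rule: label, key: k, values: seen, last_seen: e.ts.iso8601 }
    end
    flagged.values
  end
end

def log_line(ts, ip, method, path, status, user)
  { ts: ts.iso8601, ip: ip, method: method, path: path, status: status, user: user }.to_json
end

# Constructed sample log; addresses are from the documentation ranges.
def build_sample_log
  base = Time.utc(2026, 2, 9, 10, 0, 0)
  lines = []
  lines << log_line(base + 30, '198.51.100.7', 'GET', '/c/abc', 200, nil)                        # ordinary playback
  6.times { |i| lines << log_line(base + i * 20, '203.0.113.5', 'POST', '/sessions', 401, nil) }  # password guessing
  %w[198.51.100.7 203.0.113.77 192.0.2.200].each_with_index do |ip, i|                            # one account, three networks
    lines << log_line(base + 600 + i * 15, ip, 'GET', '/recordings', 200, 'teacher@example.com')
  end
  60.times { |i| lines << log_line(base + 1200 + i, '192.0.2.9', 'GET', "/c/#{i}", 200, nil) }   # scraping burst
  lines.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  AccessAnomalyDetector.new.run(parse_log(build_sample_log)).each { |f| puts f.inspect }
end
```

Each rule keys on the one attribute that an attacker cannot cheaply vary for that pattern (source address for guessing and scraping, account for credential sharing or theft), and reports the first time the window fills plus the final count, which is what a responder needs for the scope questions in Section 5.2.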
DE.CM — Security Continuous Monitoring
The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.
Continuous monitoring is provided through multiple layers: DigitalOcean provides infrastructure-level monitoring and alerting (CPU, memory, disk, network anomalies); AWS provides S3 access logging and CloudFront access logs; application logs capture request patterns, authentication events, and errors; and PostHog provides product analytics that can surface unusual usage patterns. These signals are reviewed regularly and anomalies are investigated promptly.
DE.DP — Detection Processes
Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.
Detection relies on the monitoring capabilities described above, combined with active operational oversight. Sub-processor notifications (e.g., DigitalOcean security advisories, AWS security bulletins) provide an additional detection channel. Detection processes are reviewed as part of the annual review of this Plan.
RESPOND (RS)
RS.RP — Response Planning
Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.
Talk and Comment maintains an incident response process as described in Section 5 of this Plan. The process includes containment, assessment, notification, remediation, and documentation steps. The designated incident commander coordinates all security events. For incidents involving student PII, the 72-hour notification commitment to affected EAs is a core element of the response plan.
RS.CO — Communications
Response activities are coordinated with internal and external stakeholders (e.g., external support from law enforcement agencies).
In the event of a security incident involving student PII, Talk and Comment will communicate with: (1) affected Educational Agencies within 72 hours per the NDPA; (2) affected sub-processors if their services are involved; and (3) law enforcement if criminal activity is suspected or legally required. A designated communications lead coordinates incident response messaging, ensuring consistent and accurate information sharing.
RS.AN — Analysis
Analysis is conducted to ensure effective response and support recovery activities.
Incident analysis includes determining the root cause, scope, and impact of the event; identifying the data and individuals affected; and evaluating the effectiveness of existing controls. Analysis findings inform remediation actions and updates to this Plan. For incidents involving student data, analysis specifically focuses on what PII was involved and which EAs are affected.
RS.MI — Mitigation
Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.
Mitigation actions may include: revoking or rotating compromised credentials; isolating affected systems; blocking suspicious IP addresses or access patterns; patching identified vulnerabilities; and engaging sub-processors to take corrective action on their platforms. The specific mitigation actions depend on the nature of the incident.
RS.IM — Improvements
Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
After resolution of a security incident, Talk and Comment conducts a post-incident review. Lessons learned are incorporated into this Plan, security configurations, monitoring rules, and operational practices. Material changes resulting from incident reviews are communicated to affected EAs.
RECOVER (RC)
RC.RP — Recovery Planning
Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.
Recovery planning relies on the redundancy and backup capabilities of our managed cloud infrastructure. Database recovery uses DigitalOcean's point-in-time recovery feature. Audio file recovery relies on S3's built-in durability (99.999999999%) and, where enabled, its versioning capabilities. Application recovery involves redeployment from version-controlled source code. Recovery priorities are: (1) contain the incident, (2) restore service availability, (3) verify data integrity, (4) resume normal operations.
RC.CO — Communications
Recovery activities are coordinated with internal and external parties (e.g., coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).
Recovery communications follow the same channels as incident response communications. Affected EAs are kept informed of recovery progress and expected timelines for service restoration. If the incident involves a sub-processor, recovery is coordinated with that provider.
RC.IM — Improvements
Recovery planning and processes are improved by incorporating lessons learned into future activities.
Recovery experiences are incorporated into updated recovery procedures, infrastructure configurations, and backup strategies. Material improvements are documented in updates to this Plan.
12. Parents' Bill of Rights — Supplement
In accordance with New York Education Law § 2-d, Talk and Comment provides the following supplemental information for the Parents' Bill of Rights:
12.1 Student Data Privacy and Security
A student's personally identifiable information cannot be sold or released for any commercial purposes. Talk and Comment does not sell student PII. Period. We do not release student data for commercial or marketing purposes of any kind.
Parents have the right to inspect and review the complete contents of their child's education record. Parents may request access to any data associated with their child by contacting their child's school district. Talk and Comment will cooperate with the EA to facilitate such requests.
State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. Talk and Comment encrypts all data in transit (TLS) and at rest (AES-256 for files, managed encryption for database). Access controls restrict data access to authorized systems only. See Section 4 for full details.
A complete list of all student data elements collected by Talk and Comment is available for review. The data elements collected are enumerated in the NDPA (Exhibit E) and in Section 2 of this Plan. In summary: audio recordings, playback metadata, and for Pro-tier users, email address and transcription text.
Parents have the right to have complaints about possible breaches and unauthorized releases of student data addressed. Complaints may be directed to the EA or to Talk and Comment at support@talkandcomment.com. Talk and Comment will investigate and respond to all such complaints.
12.2 Talk and Comment's Supplemental Information
| Item | Response |
|---|---|
| Exclusive purposes for which student data will be used | To provide the Talk and Comment voice feedback service as contracted by the EA — specifically, to store and play back voice recordings and, for Pro-tier users, to generate text transcriptions. |
| How the operator ensures data security | See Section 4 of this Plan. |
| Where data is stored (and when subcontracted) | All data is stored in the United States. Primary storage: DigitalOcean (US region) and AWS S3 (US region). See Section 13 for sub-processor details. |
| Encryption, privacy, and security standards | TLS in transit, AES-256 at rest, bcrypt password hashing, network-restricted database access. Aligned with NIST CSF v1.1 as described in Section 11. |
| Data retention and deletion practices | Data is retained for the duration of the contract. Upon termination, data is returned and/or destroyed per Sections 6 and 7. |
| Contact for questions | support@talkandcomment.com |
13. Sub-Processor List
The following third-party sub-processors are used by Talk and Comment in the delivery of its service. Each processes data on Talk and Comment's behalf, subject to contractual data protection obligations.
| Sub-Processor | Purpose | Data Processed | Data Location | Security Notes |
|---|---|---|---|---|
| DigitalOcean (DigitalOcean, LLC) | Application hosting and managed database | All application data including audio metadata, user accounts, transcription text | United States | SOC 2 Type II certified. Managed PostgreSQL with encryption at rest, automated backups, network-restricted access. |
| Amazon Web Services (AWS) — S3 & CloudFront | Audio file storage and content delivery | Audio recording files | United States | SOC 2, ISO 27001 certified. S3 AES-256 encryption at rest. CloudFront TLS in transit. |
| Self-Hosted Transcription Engine | Audio transcription (Pro tier only) | Audio recordings submitted for transcription | United States (same infrastructure as primary application) | Transcription is performed on Talk and Comment's own infrastructure. Audio data does not leave Talk and Comment's servers for transcription purposes. No third-party AI provider is involved in the transcription pipeline. |
| Postmark (ActiveCampaign, LLC) | Transactional email delivery | Email addresses (Pro tier account holders only) | United States | Used for account-related emails only (e.g., password reset, account confirmation). No marketing emails. |
| Stripe (Stripe, Inc.) | Payment processing (Pro tier) | Payment information (processed directly by Stripe, not stored by Talk and Comment) | United States | PCI DSS Level 1 certified. Talk and Comment does not store credit card numbers or payment details. |
| PostHog (PostHog, Inc.) | Product analytics | Anonymous/pseudonymous usage data, not student PII | United States / Self-hosted | Used for product improvement. Does not collect student names, email addresses, or education records. |
| Google Analytics 4 (Google LLC) | Web analytics | Anonymous/pseudonymous usage data (IP anonymization enabled) | United States | Used for aggregate usage statistics. IP anonymization is enabled. No student PII is intentionally collected or transmitted to Google Analytics. |
14. Transcription — Self-Hosted Infrastructure
This section provides specific disclosure regarding Talk and Comment's audio transcription capabilities.
14.1 Scope
- Transcription functionality is available to Pro-tier users only.
- Free-tier users and students in read-only mode are not affected.
- Transcription is initiated by the teacher (the account holder) when they choose to generate a text transcript of their voice recording.
14.2 Self-Hosted Architecture
- Audio transcription is performed on Talk and Comment's own infrastructure, hosted in the United States.
- No audio data is sent to any third-party AI provider for transcription purposes.
- The transcription engine runs on the same infrastructure as the primary application, subject to the same security controls described in this Plan.
14.3 Data Handling
- Transcription is an opt-in feature — it does not happen automatically.
- Audio data processed for transcription does not leave Talk and Comment's servers.
- The resulting transcription text is stored in our database (encrypted at rest) and is subject to all the same protections as other student data.
- If an EA does not want transcription features to be available to its users, the EA may request that transcription be disabled for its accounts.
14.4 Future Changes
- Should Talk and Comment introduce any third-party transcription provider in the future, affected Educational Agencies will be notified in advance and this Plan will be updated accordingly.
- Any such change would be subject to the sub-processor management practices described in Section 6 of this Plan.
Document History
| Version | Date | Changes |
|---|---|---|
| 1.0 | February 9, 2026 | Initial version |
This Data Security and Privacy Plan is maintained by Talk and Comment LLC. Questions or concerns may be directed to support@talkandcomment.com.