Compliance & security

Built to meet
university standards.

Universities have real legal obligations when evaluating third-party software. Laika is built to meet those requirements, so your IT and procurement teams aren't the bottleneck.

Federal law
ADA / WCAG 2.1 AA
Compliant
Accessible to every student and staff member, by law.

The DOJ finalized a rule under Title II of the ADA requiring all public universities to ensure their third-party software meets WCAG 2.1 Level AA standards by April 24, 2026. Universities are legally responsible for verifying that every vendor they deploy meets the standard. Laika is built to meet it.

Standard
WCAG 2.1 Level AA, the DOJ-mandated benchmark for public universities
Keyboard nav
All features fully operable without a mouse
Screen readers
ARIA labels on all interactive elements, semantic HTML throughout
Color contrast
4.5:1 minimum ratio for all text, audited and passing
Alt text
Item photos auto-populated with AI-generated descriptions at upload
Documentation
Accessibility statement available at laikacampus.com/accessibility
Student privacy
FERPA
Compliant
Student data handled with care, and with the law in mind.

FERPA governs the privacy of student education records. When Laika collects a student's name, email, or ID number during a claim, that data is subject to FERPA protections. We collect only what's necessary to return a lost item, keep it isolated per university, and never share it across institutions.

Data collected
Name, email, student ID, phone. Only what's needed to verify pickup.
Data isolation
Each university's data is fully scoped. Never visible across institutions.
Purpose limitation
Collected solely for lost item recovery. Not shared, sold, or used elsewhere.
Retention
Claim records retained per institution's policy. Deletion available on request.
Documentation
FERPA data handling statement and DPA template available on request — email privacy@laikacampus.com
Vendor assessment
HECVAT 4
In progress
The standard questionnaire, completed before you ask.

Most vendors wait to be asked for a HECVAT. We're completing it proactively so when your IT team requests it, it's ready. Your procurement process doesn't stall.

Version
HECVAT 4.1.5, released February 2025
Sections covered
Organization, Product, Infrastructure, IT Accessibility, AI, Privacy
Infrastructure
Answered using Vercel and Supabase SOC 2 documentation
AI section
Answered using Anthropic's published responsible AI and data handling policies
Availability
Shared with any institution on request. Completed once, valid for all.
Infrastructure
Data security
SOC 2 infrastructure
Enterprise-grade infrastructure. No servers to manage.

Laika runs entirely on Vercel and Supabase, both SOC 2 Type II certified. We don't run servers ourselves, so your institution takes on no infrastructure risk. All data is encrypted. All university data is isolated.

Hosting
Vercel (SOC 2 Type II), globally distributed
Database
Supabase on AWS us-east-1 (SOC 2 Type II), row-level security enabled
Encryption
All data encrypted at rest and in transit via TLS 1.2+
Data isolation
University-scoped access. No institution can see another's data.
Incident response
Documented plan. Affected universities notified within 72 hours of any breach.
Documentation
DPA template, incident response plan, and infrastructure docs available on request — email privacy@laikacampus.com
Questions about
compliance?
Get in touch → privacy@laikacampus.com