Compliance & security

Built to meet
university standards.

Universities have real legal obligations when evaluating third-party software. Faro is built from the ground up to meet those requirements — so your IT and procurement teams aren't the bottleneck.

Federal law
ADA / WCAG 2.1 AA
Compliant
Accessible to every student and staff member, by law.

The DOJ finalized a rule under Title II of the ADA requiring all public universities to ensure their third-party software meets WCAG 2.1 Level AA standards by April 24, 2026. This means universities are legally responsible for verifying that every vendor they deploy meets the standard — including Faro. We're built to meet it.

Standard
WCAG 2.1 Level AA — the DOJ-mandated benchmark for public universities
Keyboard nav
All features fully operable without a mouse
Screen readers
ARIA labels on all interactive elements, semantic HTML throughout
Color contrast
4.5:1 minimum ratio for all text — audited and passing
Alt text
Item photos auto-populated with AI-generated descriptions at upload
Documentation
Accessibility statement available at getfaro.com/accessibility
Student privacy
FERPA
Compliant
Student data handled with care — and with the law in mind.

FERPA governs the privacy of student education records. When Faro collects a student's name, email, or ID number during a claim, that data is subject to FERPA protections. We collect only what's necessary to return a lost item, keep it isolated per university, and never share it across institutions.

Data collected
Name, email, student ID, phone — only what's needed to verify pickup
Data isolation
Each university's data is fully scoped — never visible across institutions
Purpose limitation
Collected solely for lost item recovery — not shared, sold, or used elsewhere
Retention
Claim records retained per institution's policy — deletion available on request
Documentation
FERPA data handling statement and DPA template available on request
Vendor assessment
HECVAT 4
In progress
The standard questionnaire — completed proactively.

The Higher Education Community Vendor Assessment Toolkit is the security questionnaire used by hundreds of universities to evaluate third-party vendors. Most vendors wait to be asked. We're completing it proactively so that when your IT team asks for it, it's ready — and your procurement process doesn't stall.

Version
HECVAT 4.1.5 — the current version, released February 2025
Sections covered
Organization, Product, Infrastructure, IT Accessibility, AI, Privacy
Infrastructure
Answered using Vercel and Supabase SOC 2 documentation
AI section
Answered using Anthropic's published responsible AI and data handling policies
Availability
Shared with any institution upon request — completed once, valid for all
Infrastructure
Data security
SOC 2 infrastructure
Enterprise-grade infrastructure. No servers to manage.

Faro runs entirely on Vercel and Supabase — both SOC 2 Type II certified cloud providers. We don't host any servers ourselves, which means your institution isn't taking on infrastructure risk by deploying Faro. All data is encrypted. All university data is isolated.

Hosting
Vercel (SOC 2 Type II) — globally distributed, enterprise-grade
Database
Supabase on AWS us-east-1 (SOC 2 Type II) — row-level security enabled
Encryption
All data encrypted at rest and in transit via TLS 1.2+
Data isolation
University-scoped access — no institution can access another's data
Incident response
Documented plan — affected universities notified within 72 hours of any breach
Documentation
DPA template, incident response plan, and infrastructure docs available on request
Questions about
compliance?
Get in touch → eli@getfaro.com