CommonGage Data Inventory
Last updated: 2026-06-29
What CommonGage Does and Does Not Store
CommonGage is an operational platform for district staff. It does not store grades, attendance records, disciplinary records, IEPs, 504 plans, student SSNs, or any direct student academic records. The data model is designed for school engagement coordination by and for adults employed by the district.
Data Categories
1. District Configuration
| Field | Purpose | Sensitivity |
|---|---|---|
| District name, slug | Tenant identification | Internal |
| ClassLink TenantId | SSO mapping | Internal |
2. Staff User Accounts
| Field | Purpose | Sensitivity |
|---|---|---|
| Name, email address | Account identity | Moderate (staff PII) |
| Role (org_admin / zone_coordinator / building_staff) | Authorization | Internal |
| Zone/school assignment | Scope limiting | Internal |
| Password hash (PBKDF2, 100K iterations) | Authentication | High |
| Last login timestamp | Security audit trail | Internal |
| ClassLink UserId | SSO mapping | Internal |
Staff email addresses and names are the only personal data stored. This is standard for any district-deployed SaaS tool (equivalent to what a Google Workspace or Microsoft 365 tenant would hold for staff).
3. School & Zone Structure
| Data | Purpose | Notes |
|---|---|---|
| School name, code, level | School catalog | Mirrors district roster |
| Zone name, type | Organizational grouping | District-defined |
| Hub name, short name | Sub-zone grouping | District-defined |
| Board directors (name, role, contact info) | Leadership directory | Staff/leadership PII |
4. Calendar Events
| Field | Purpose | Sensitivity |
|---|---|---|
| Event title, description, location | Event catalog | Operational |
| Start/end datetime | Scheduling | Operational |
| Engagement type (AI-classified) | Analytics | Derived, no PII |
| Source reference (iCal URL) | Provenance | Internal |
Calendar events are sourced from school-provided iCal feeds. They represent community events, school activities, and engagement opportunities — not student records.
5. Deliverable Tracking
Status and notes for district-defined deliverables (e.g., site council completion, engagement plan submission) per school per academic year. Tracks completion status and staff-authored notes. No student data.
6. Engagement Support Records
Logs of Engagement Support (Family And Community Engagement) support interactions. Contains visit type, date, notes, and assigning staff — operational records for coordinator accountability.
7. Invite Records
Short-lived invite tokens for staff onboarding (7-day expiry). Contains invitee email, role, and whether the invite has been used. Deleted on acceptance.
Data That CommonGage Does NOT Store
- Student names, IDs, or any student-identifiable information
- Grades, test scores, or academic records
- Attendance records
- Disciplinary records
- IEPs, 504 plans, or special education records
- Student SSNs or government-issued identifiers
- Parent/guardian contact information
- Student demographic data (race, ethnicity, socioeconomic status)
Data Flows
District Staff Browser
│
│ HTTPS (TLS 1.2+)
▼
Cloudflare Workers (API)
│ │
│ TLS (sslmode=require) │ HTTPS
▼ ▼
Neon PostgreSQL Anthropic API
(primary store) (event classification only;
no PII in prompt)
▲
│ iCal fetch (HTTPS)
School-provided calendar URLs
Anthropic data path: Only event title, description, and datetime fields are sent for classification. Staff names, email addresses, and school identifiers are never included in LLM prompts.
ClassLink data path: CommonGage receives UserId, Email, DisplayName, and TenantId from ClassLink's userinfo endpoint at login time. These are stored in the staff user record. No other data is pulled from ClassLink.
Data Location
All production data is stored in Neon's AWS us-east-1 region. Cloudflare Workers execute at the edge globally but hold no persistent data; all state is in Neon.
FERPA Assessment
CommonGage's primary data subjects are district employees, not students. The platform does not maintain an "education record" as defined by FERPA (20 U.S.C. § 1232g). Districts should confirm that any school calendar events ingested via iCal feeds do not include student-identifiable event details before connecting a feed.
If a district chooses to add student-identifiable fields to event descriptions in their iCal feeds, those fields would be stored by CommonGage and would constitute education records under FERPA. Districts are responsible for ensuring their iCal feeds comply with their data governance policies before connecting them to CommonGage.