// Trust & Security Report
Carnegie Learning, Inc.
K-12 educational technology platform with AI-powered tutoring. Product lines: CLEAR Math (K-12 core and supplemental), CLEAR Literacy/Lenses on Literature (6-12 ELA), CLEAR Languages (6-12 world language instruction), and CLEAR Services (professional development, tutoring). Serves 5.5M+ students and educators across all 50 US states and Canada.
Certifications held
2
Maturity
Growth
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on carnegielearning.com“an independent security attestation that ensures we meet strict standards for protecting your data. Criteria: Security. Latest Review Period: February 1, 2025 to July 31, 2025. Coverage: All ClearMath, ClearLiteracy, and ClearLanguages solutions in the U.S.”
Verify on carnegielearning.com“A Texas state security certification that ensures strict standards for protecting sensitive data and remain compliant with state-level regulations.”
> Show 4 unconfirmed / not-held certifications
source: carnegielearning.comNo public evidence of certification found on vendor's website or security documentation.
source: carnegielearning.comNo mention found. HIPAA is healthcare-specific; Carnegie Learning is K-12 education focused and does not position itself as HIPAA-compliant.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not offered
Data region
United States (primary); supports UK/EU/Switzerland residents under GDPR framework. Policy states: 'Personal information we collect may be transferred to, and stored and processed in, the United States or any other country in which we or our affiliates or subcontractors maintain facilities.'
Terms of Use explicitly prohibit users from using 'Site Content to train, upload to, develop, improve or otherwise modify machine learning or artificial intelligence tools or technologies.' However, Carnegie Learning internally uses student learning data to power their own AI-driven coaching systems (MATHia adaptive tutor). No explicit customer opt-out documented for this internal use.
// Security controls
Independent audits and certifications
SOC 2 Type II and TX-RAMP; company emphasizes using independent audits to meet industry standards
carnegielearning.comBreach response protocol
In case of unauthorized disclosure of student information, district will be notified within 48 hours. Breach Response Team convenes consisting of COO, Engineering Leadership, Corporate IT, Security, and Legal Counsel as needed.
carnegielearning.comGDPR compliance framework
Dedicated compliance section for UK/European/Switzerland residents; affirms data subject rights (access, correction, erasure, portability) under GDPR
carnegielearning.comData handling for school data
Processes school-provided data 'on behalf of Schools and only in the ways permitted by the applicable School agreement.' Uses include analytics, service improvement, and research.
carnegielearning.comEncryption and data transmission
No specific details on encryption methods, TLS versions, or data-at-rest encryption published on public-facing security page.
carnegielearning.com// Products & data scope
data: Student learning activity, assessments, AI tutoring interactions
K-12 math curriculum with AI-powered adaptive coaching (MATHia). EdReports gave Elementary version all-green ratings. Uses student data to personalize learning paths.
data: Student reading engagement, comprehension assessments
Grades 6-12 ELA solutions including Fast ForWord and ClearFluency. Recent award for high-quality ELA curriculum.
data: Student language learning activity, assessments
World language instruction (Spanish, French, German, Chinese, Italian) for grades 6-12. Includes Symtalk supplemental program.
data: Teacher professional development records, implementation data
Professional learning, Patterns PL, high-impact tutoring, district impact services. Does not directly collect student data.
// What to watch
- No dedicated trust center or comprehensive security documentation page; trust information fragmented across privacy policy and security practices page.
- ISO 27001 not held; company relies on SOC 2 Type II for primary security assertion.
- Data Processing Agreement (DPA) not publicly available; customers must request during contract negotiations.
- Encryption standards (in-transit, at-rest) not specified in public documentation.
- Internal AI model training on student learning data appears to use actual student data; no opt-out explicitly documented, though this is standard industry practice for adaptive learning platforms.
- TX-RAMP is state-specific (Texas); limited applicability outside Texas for compliance-sensitive districts.
- Subprocessors and vendor chain not publicly disclosed (unlike some competitors); privacy policy references 'applicable School agreement' for specifics.
- No mention of ISO 27017 (cloud), ISO 27018 (personal data protection in cloud), or ISO 27701 (privacy info management extensions).
- Product maturity: SOC 2 audit period Feb 2025-July 2025 is current; confidence in attestation is reasonable but relatively narrow certification scope.
// At a glance
Pricing model
District/school licensing (not disclosed publicly); per-student or per-school annual subscriptions typical for EdTech
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Carnegie Learning, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
carnegielearning.com