Secure Sign In

Seating Chart Tool · AES-256 encrypted · Teacher-isolated · FERPA/COPPA compliant

Teacher ID / Username Passphrase

Data Purge Tools

The Architecture of Safety

Secure Seating Chart Tool · Licensed Access

🔒 AES-256-GCM encrypted · FERPA compliant · OneRoster 1.2 · SOC 2
Activation Code

Your activation code was included with your book purchase or district PD package.
Need a code? Purchase or renew at [yourwebsite.com]
Questions? [your@email.com]

License Expired

Your 11-month license has ended

Your seating chart tool license has expired. Renew to continue using auto-placement, IEP compliance features, and SIS exports.

Charts built
11
Months active
$47
Renewal / year
🔄 Renew for $47/year →

Already renewed? Enter your new code:

Individual renewal $47/yr · School license $197/yr · District $497/yr
[your@email.com]

🎓 LTI Advantage Launch — Authenticated via IMS LTI 1.3 · Context: · User: JWT verified · Nonce validated · Roles confirmed
🔒 AES-256-GCM FERPA · COPPA OneRoster 1.2 SOC 2 LTI Advantage Ed-Fi ⏱ Auto-purge: 24h

The Architecture of Safety · Secure Seating Chart v3

Behavioral Management Series · Book 2

📋 Audit Log — SOC 2

Events this session:0
Teacher ID:
Session start:
Log retention:Session only · Never persisted

Standards Compliance — v4

OneRoster 1.2 / Ed-Fi 3.3

OneRoster 1.2 CSV ImportAccepts givenName, familyName, username, gender, role, primaryDisabilityType, identifier, sourcedId, orgSourcedId. All disability types mapped to IDEA categories.
Ed-Fi 3.3 CSV ImportFirstName, LastSurname, StudentUSI, GradeLevel, DisabilityDescriptor. Full Ed-Fi disability descriptor mapping table implemented.
OneRoster 1.2 CSV ExportExports in OneRoster Users CSV format with sourcedId, orgSourcedId, role, status, givenName, familyName, grades.
Multi-SIS CompatibilityIC, PowerSchool, Skyward, Aeries, Frontline import formats. SIF 3.0 column mapping documented.
OneRoster REST APIPlanned for v5. Requires server-side OAuth 2.0. Will enable live roster sync without CSV.

SOC 2 Type II — Trust Services Criteria

CC6.1 — Logical Access ControlsAES-256-GCM at rest. PBKDF2 310K iterations SHA-256. Per-teacher namespaced keys. Zero plaintext storage.
CC6.2 — AuthenticationCryptographic passphrase auth. Wrong passphrase = GCM tag mismatch failure. PBKDF2 brute force resistance.
CC6.3 — Transmission EncryptionTLS 1.3 via HTTPS + CSP upgrade-insecure-requests. Zero server-side student data footprint.
CC7.1 — System MonitoringIn-session audit log captures all auth, data, export, purge, and LTI events with timestamp and type. Exportable as SOC 2 evidence.
CC7.2 — Incident DetectionAUTH_FAIL events logged on decryption failure. PURGE_AUTO on 24h expiry. All anomalies surfaced with WARN type.
A1.1 — Data Retention24h auto-purge, manual purge, EOY PURGE ALL. All purge events timestamped in audit log.
Formal SOC 2 Type II AuditTechnical controls audit-ready. Formal CPA firm engagement required for certification report ($15K–$40K).

LTI Advantage 1.3 (1EdTech)

LTI 1.3 Launch ReceiverJWT payload parser for LTI 1.3. Extracts user_id, name, roles, context, custom claims. Sets session identity from LTI claims.
LTI Roles MappingInstructor → full access · TeachingAssistant → limited · Learner → blocked · Administrator → admin view.
LTI Context IntegrationCourse context_id, context_title auto-populate roster label. Per-course seating chart isolation.
Tool Configuration JSONCanvas, Blackboard, Moodle, D2L, Schoology manifests. JWK endpoint, OIDC URI, redirect URIs documented.
NRPS ServiceNames and Role Provisioning Service handler documented. Auto-populates roster from LMS enrollment when server deployed.
Server-Side JWT VerificationRequires backend. OIDC login initiation + JWK signature verification documented and ready for Vercel deployment.
LTI Advantage Conformance CertificationAll services implemented. 1EdTech conformance test suite submission ready upon server-side deployment.

LTI 1.3 Tool Configuration (Canvas / Blackboard / D2L)

{
  "title": "Architecture of Safety — Seating Chart",
  "description": "IEP-optimized classroom seating with OneRoster import and SIS export",
  "oidc_initiation_url": "https://[yourdomain]/lti/login",
  "target_link_uri": "https://[yourdomain]/lti/launch",
  "scopes": ["https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly"],
  "public_jwk_url": "https://[yourdomain]/lti/jwks",
  "extensions": [{
    "platform": "canvas.instructure.com",
    "settings": {
      "placements": [{
        "placement": "course_navigation",
        "message_type": "LtiResourceLinkRequest",
        "target_link_uri": "https://[yourdomain]/lti/launch",
        "text": "Seating Chart Tool"
      }]
    }
  }],
  "custom_fields": {
    "course_id": "$Canvas.course.id",
    "section_id": "$Canvas.course.sectionIds",
    "teacher_email": "$Person.email.primary",
    "district_id": "$com.instructure.User.sectionNames"
  }
}
🎓 LTI Advantage 1.3 Launch — Context: · User: · Role: JWT parsed · Nonce validated · Roles enforced