COPPA and FERPA Compliance Approach
Operational controls, evidence, and Data Processing Agreement
Version 2.2
Publication date: May 11, 2026
Audience: Schools, universities, esports organisations, partners, procurement teams, and investors
Plain-language summary
This document describes how SONIX is designed and operated to support compliance with the US Children's Online Privacy Protection Act (COPPA, as amended in 2025) and the Family Educational Rights and Privacy Act (FERPA).
FERPA does not recognise vendor certifications. This is a compliance approach, not a certification.
Annex 1 contains a Data Processing Agreement (DPA) that schools and esports organisations sign as part of an Institutional Customer Agreement with SONIX.
CONFIDENTIAL — For evaluation purposes only.
Table of contents
1. Executive summary
2. About SONIX and the SONIX product suite
3. Six privacy commitments that apply to every user
4. COPPA — our approach for users under 13
5. FERPA — institutional deployments
6. Operational evidence available on request
7. Subprocessors used in the school deployment
8. References
ANNEX 1 — Data Processing Agreement (DPA)
ANNEX 2 — US state student-data law addenda available
1. Executive summary
Plain-language summary
SONIX is built to be the most protective gaming-communication platform on the market.
We don't record voice. We don't profile users. We don't run targeted ads. We don't train AI on user content. We don't sell data.
For schools, SONIX is provided under an Institutional Customer Agreement that designates SONIX as a 'school official' under FERPA and includes a strong Data Processing Agreement.
For users under 13, SONIX is not directed to them; we apply the 2025 COPPA standards as our baseline and exceed them.
Document structure:
- Part A (§§ 2-3): What SONIX is, plus the commitments that apply to every user.
- Part B (§ 4): Our COPPA approach for users under 13 in the United States.
- Part C (§§ 5-7): Our FERPA approach for US schools and the operational evidence available.
- Annex 1: The Data Processing Agreement (DPA) institutional customers sign.
- Annex 2: State-law addenda available for US schools.
2. About SONIX and the SONIX product suite
SONIX is operated by SONIX SA, a Swiss company headquartered at Rue de Genève 100, 1004 Lausanne, Switzerland, registered under CH-550-1185270-2. SONIX SA was previously known as TYXIT SA.
SONIX comprises three modules and one paid subscription:
- Pulsar — voice and text chat, with persistent group spaces (Crews) and direct messages. Voice is never recorded.
- Arena — a tournament platform that hosts tournaments organised by third-party Tournament Organisers. SONIX provides the platform; SONIX does not organise, fund, or sponsor tournaments.
- Orbital — a mini-game environment hosting both SONIX-developed games and games from approved third-party developers. Third-party games receive only the user's SONIX username (pseudonym) and avatar.
- Supersonix — an optional paid subscription unlocking premium features across the three modules.
All three modules are available free of charge. None require behavioural data collection to function.
Institutional deployments
Schools, universities, and esports organisations deploy SONIX to their members under an Institutional Customer Agreement. The Organisation administrator controls which modules are enabled, can apply domain restrictions, can manage members, and can configure additional safety settings. Administrators cannot read members' private messages or access passwords.
3. Six privacy commitments that apply to every user
These commitments apply to every SONIX user regardless of age, country, or subscription. They are reflected in our Privacy Policy and Terms of Use, and our systems are built to enforce them.
| Commitment | Operational meaning |
| --- | --- |
| 1. Voice stays private | Pulsar voice and video are never recorded, transcribed, stored, or analysed by SONIX. No voiceprints. No emotion detection. No speech-to-text. Encrypted in transit, ephemeral in processing. |
| 2. No behavioural advertising | No targeted advertising. No user advertising profiles. No data shared with ad networks for ad-targeting purposes. |
| 3. No AI training on user content | We do not use user content, voice, messages, avatars, or other personal data to train AI or ML models. Aggregated, anonymised, non-personal signals only for service improvement. |
| 4. No sale of personal data | No sale. No rental. No licensing for third-party marketing. |
| 5. Minimal data collection | We collect only what is needed. No special-category data is collected proactively. |
| 6. Strong user rights | Users can access, correct, export, restrict, or delete their data through account settings or privacy@sonix.gg. We respond within 30 days. |
4. COPPA — our approach for users under 13
4.1 When COPPA applies to SONIX
The US Children's Online Privacy Protection Act (15 U.S.C. §§ 6501-6506; 16 CFR Part 312) applies to operators of online services that are (i) directed to children under 13, or (ii) have actual knowledge they are collecting personal information from children under 13.
The FTC's 2025 amendments to the COPPA Rule (published 22 April 2025 in the Federal Register, effective 23 June 2025, compliance deadline 22 April 2026) tightened several requirements, summarised in § 4.8 below.
4.2 Our position: not directed to children under 13
SONIX is designed and marketed for gamers (recreational and competitive) and is not directed to children under 13. This is evidenced by:
- our positioning, branding, and visual design, which target teenagers and adults engaged in gaming;
- our minimum age policy (13+ globally, 16+ in the EEA and UK) stated in the Terms of Use and Privacy Policy;
- our age screen at registration, which blocks completion of signup for users below the applicable minimum age;
- our internal subject-matter assessment under the FTC's multi-factor test (visual content, audio content, characters, language, advertising, audience composition) — documented and available on request under NDA.
4.3 Operational controls
To support COPPA compliance, SONIX maintains the following controls:
- Age screen at registration. The user enters their date of birth at registration. If the date indicates the user is under 13 (or under 16 in the EEA and UK), registration cannot be completed.
- Self-declaration approach. Consistent with the standard industry practice for general-audience services (matching the published approach of Discord and FACEIT), we rely on user self-declaration at signup. We do not require ID verification or parental email at the moment of registration.
- Parental consent at sensitive moments. We require verifiable parental consent (or adult age confirmation) at moments where the law or risk profile demands it, including: (i) Supersonix subscription purchase by users below the age of majority; (ii) prize claim where a Tournament Organiser requires verification; (iii) ID or age verification triggered by an account flag. These verifications are performed by a trusted third-party verification provider that returns only the verification result to SONIX.
- Actual-knowledge protocol. If SONIX becomes aware that a registered user is under the applicable minimum age, we (i) suspend the account, (ii) delete the personal data associated with the account in accordance with our retention schedule, except where a limited record is retained for abuse-prevention or to demonstrate compliance, and (iii) offer the parent or legal guardian the ability to provide verifiable consent to reinstate the account where they wish to do so. We act on confirmed reports within 24 hours.
- Dedicated channels. moderation@sonix.gg for reports about underage users; privacy@sonix.gg for parental rights, deletion requests, and other COPPA-related enquiries.
- No behavioural advertising or profiling — ever. Because SONIX does not profile any user for advertising in the first place, no special carve-out is needed for children. This is structurally simpler and stronger than competing approaches that profile adults but try to exclude children from profiling.
4.4 Voice and biometric data — explicit position
Voice content collected from a child is personal information under COPPA. The 2025 amendments expressly require operators that collect children's audio to describe the use and confirm immediate deletion after responding to the request for which it was collected.
SONIX does not face this issue, because we do not record, transcribe, store, or analyse voice from any user. Pulsar voice is ephemeral. Specifically:
- no recording;
- no transcription;
- no AI analysis;
- no voiceprint or other biometric extraction;
- ephemeral processing only, encrypted in transit.
Voice in SONIX is therefore outside the scope of the 2025 COPPA Rule's audio retention requirements.
4.5 No advertising, profiling, sale, or AI training of children's data
Beyond what COPPA requires, SONIX makes the following absolute commitments in respect of users under 18:
- we do not target advertising at users under 18, regardless of consent;
- we do not profile users under 18 for advertising;
- we do not sell, rent, or licence the personal information of users under 18;
- we do not use the personal information of users under 18 to train AI or ML models;
- we do not disclose the personal information of users under 18 to third parties beyond what is strictly necessary to operate the Service (essential hosting providers and payment processors under written DPAs).
These commitments apply even where the user or parent might consent to broader use; we simply do not do these things with users under 18.
4.6 Retention and deletion
Our retention schedule (Privacy Policy § 11) applies to all users. Personal data of users under 18 is retained no longer than necessary for the specific purpose for which it was collected, and never indefinitely. Parents and legal guardians have the right to review, request deletion of, and refuse further collection of their child's personal information. Requests are submitted to privacy@sonix.gg. We verify the requester's identity and respond within 30 days.
4.7 Information Security Program
SONIX maintains a written Information Security Program supervised by a designated Security Coordinator (the CTO or delegate). The Program includes annual risk assessment, regular vulnerability scanning and periodic third-party security testing, documented breach response plan, encryption in transit and at rest, role-based access control with audit logging, and oversight of sub-processors. Summary documentation is available under NDA from security@sonix.gg.
4.8 2025 COPPA Final Rule — alignment
The 2025 amendments to the COPPA Rule introduced several specific requirements. Our position on each:
| 2025 Final Rule requirement | SONIX position |
| --- | --- |
| Separate verifiable parental consent for third-party disclosure (advertising, AI training). | Structurally inapplicable. We do not disclose children's data to third parties for advertising, AI training, or non-integral purposes. Only essential processors (hosting, payments) under written DPAs. |
| Expanded definition of personal information to include biometric and government-issued IDs. | We do not extract, store, or use biometric identifiers. Government-issued ID is used only at sensitive moments through a trusted vendor that returns only the age signal. |
| Audio file handling: privacy notice must describe use and confirm immediate deletion. | We do not record, store, or process audio files. Voice is ephemeral. |
| No indefinite retention; written retention policy publicly disclosed. | Published retention schedule in Privacy Policy § 11. |
| Written Information Security Program with named coordinator, annual risk assessment, regular testing, sub-processor oversight. | Maintained as described in § 4.7. |
| AI training using children's data never integral; requires separate consent. | We do not use any user's data — children or adults — to train AI. No separate consent requested because we do not engage in the practice. |
| School authorisation exception for educational technology. | Where SONIX is deployed by a US school, the School authorises SONIX as a school official under FERPA. See § 5. |
5. FERPA — institutional deployments
5.1 When FERPA applies to SONIX
FERPA (20 U.S.C. § 1232g; 34 CFR Part 99) protects "education records" directly related to a student and maintained by an educational agency or institution receiving federal funding (or by a party acting for the institution).
SONIX is not an educational institution. FERPA becomes relevant when a US school, university, or other federally funded educational agency uses SONIX in an official capacity and student personal information is processed within that context.
5.2 School-official model — explicit designation
Where SONIX is deployed by a US School under our Institutional Customer Agreement, SONIX operates under the "school official" exception to FERPA's consent requirement (34 CFR § 99.31(a)(1)(i)(B)).
In the Institutional Customer Agreement and the DPA at Annex 1, SONIX is expressly designated as a school official with a legitimate educational interest within the meaning of 34 CFR § 99.31(a)(1)(i)(B). The Agreement and DPA reflect each of the four conditions for the exception:
- SONIX performs an institutional service or function for which the School would otherwise use employees;
- SONIX is under the direct control of the School with respect to the use and maintenance of education records;
- SONIX is subject to the requirements of 34 CFR § 99.33(a) governing the use and redisclosure of personally identifiable information from education records;
- SONIX meets the criteria specified in the School's annual notification of FERPA rights for being a school official with a legitimate educational interest in education records.
5.3 How SONIX operates under institutional control
The Institutional Customer Agreement and the DPA require SONIX to:
- process student personal information only on the documented instructions of the School and only for the purposes of providing the Service;
- not use student personal information for advertising, marketing, profiling, sale, or training of AI/ML models;
- not redisclose student personal information except as directed by the School, to approved sub-processors under written agreements, or as required by law (with notice to the School where lawful);
- delete or return student personal information at the end of the agreement, or earlier on the School's request;
- provide the School with the means to access, correct, and export education records on behalf of students and parents who hold FERPA rights;
- notify the School of any data breach within the timeframe specified in the DPA;
- comply with any state-specific addenda agreed for the deployment.
5.4 Data minimisation in schools
SONIX is built so that institutional deployments do not require academic records. In school workspaces:
- we collect the bare minimum required to operate Pulsar, Arena, and Orbital for the workspace's members;
- we do not collect student IDs, grades, transcripts, attendance, or any academic content unless the School explicitly directs us to for a specific feature;
- workspaces are private by default — public discovery and the public Crews feature are disabled or scoped to the workspace;
- administrative controls scope what data is shared between workspace members and external SONIX users;
- logs are retained only as long as necessary for security and operational integrity.
5.5 Voice in Pulsar in school deployments
The same voice-privacy commitments apply (no recording, no transcription, no analysis, no biometric extraction, encrypted in transit, ephemeral processing). This means voice content is not part of any education record; there is no voice archive a school could be asked to produce; and there is no risk that voice would be reused for advertising, profiling, or AI training. This is a substantive improvement over commodity gaming-voice platforms used in scholastic esports, which typically allow third-party recording and may store voice.
5.6 Retention and deletion for schools
Schools control the retention of workspace data within the limits set out in the Institutional Customer Agreement. By default, SONIX retains workspace data for the duration of the contract; on termination, SONIX securely deletes or anonymises workspace data within 30 days, with the option for the School to request a return of data in a structured, machine-readable format before deletion. Schools may also request deletion of specific users, specific Crews, specific time periods, or specific content categories at any time.
5.7 Security and accountability
The Information Security Program applies to school deployments. The Institutional Customer Agreement provides:
- breach notification to the School within 48 hours of becoming aware of a breach affecting workspace data;
- annual security review on request;
- third-party audit reports (SOC 2 once available, penetration test summaries) under NDA;
- right of audit (reasonable notice, business hours, subject to confidentiality);
- a published sub-processor list with notice of changes and right to object;
- cyber-liability and errors-and-omissions insurance at commercially reasonable levels.
5.8 US state student-data laws
Beyond FERPA, a growing number of US states have student-data protection laws. SONIX has prepared state-specific addenda to the Institutional Customer Agreement for the most material of these. The current set is summarised in Annex 2. For other states, we will negotiate appropriate terms with the School.
6. Operational evidence available on request
On request under NDA, SONIX provides the following operational evidence to schools, partners, and procurement teams:
- screenshots and demo of the age-screen UI;
- screenshots and demo of the in-app deletion / account-closure flow;
- the published retention schedule (Privacy Policy § 11);
- the current sub-processor list (published at sonix.gg/subprocessors);
- a summary of the Information Security Program and the name/role of the Security Coordinator;
- annual risk-assessment summary and most recent penetration-test summary;
- breach response plan summary;
- the moderation procedure (notice-and-action, statement of reasons, internal complaints);
- references from other school customers (where they consent to being named);
- SOC 2 Type II report (once available — anticipated [DATE]).
Contact: security@sonix.gg or sales@sonix.gg.
7. Subprocessors used in the school deployment
The current list of sub-processors is maintained at sonix.gg/subprocessors. The categories used for school deployments are:
- cloud hosting and infrastructure;
- content delivery network;
- transactional email delivery (account confirmations, security alerts, breach notifications);
- payment processing (only for Supersonix; not used for school-paid licences, which are invoiced);
- age and identity verification (only at sensitive moments);
- customer support tooling.
All sub-processors operate under written DPAs that flow down obligations equivalent to those in our own DPA. Schools receive at least 30 days' advance notice of changes and may object on reasonable grounds.
8. References
- FTC — Complying with COPPA: Frequently Asked Questions.
- FTC — Children's Online Privacy Protection Rule (COPPA), 16 CFR Part 312, as amended 22 April 2025.
- FTC — Verifiable Parental Consent guidance, including the 2025 expanded methods.
- US Department of Education, Student Privacy Policy Office — Responsibilities of Third-Party Service Providers under FERPA.
- US Department of Education — FERPA, 20 U.S.C. § 1232g; 34 CFR Part 99.
- EU GDPR, Regulation (EU) 2016/679.
- Swiss FADP (revised, in force 1 September 2023), and FODP.
- EU DSA, Regulation (EU) 2022/2065.
- European Commission Guidelines on the protection of minors under DSA Article 28, July 2025.
ANNEX 1
Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Institutional Customer Agreement between the institution identified in the cover page of the Institutional Customer Agreement (the "School") and SONIX SA ("SONIX").
Where the School is a US educational institution receiving federal funding under FERPA, this DPA also operates as the agreement designating SONIX as a school official with a legitimate educational interest within the meaning of 34 CFR § 99.31(a)(1)(i)(B).
Where the deployment involves personal data subject to the GDPR or the Swiss FADP, this DPA also operates as the data-processing agreement under Article 28 GDPR and equivalent FADP provisions.
1. Definitions
- "Student Data". Personal information of students and other Authorised Users processed under this DPA. Where FERPA applies, includes "education records" as defined in 20 U.S.C. § 1232g(a)(4) and 34 CFR § 99.3.
- "Authorised User". A student, staff member, or other person authorised by the School to use SONIX through the School's workspace.
- "Personal Data". Has the meaning given in the GDPR (Art. 4(1)) or the FADP (Art. 5(a)), as applicable.
- "Data Breach". A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Student Data.
- "Sub-processor". A third party engaged by SONIX to process Student Data in connection with the Services.
2. Role of the parties
The School is the data controller (and, where FERPA applies, the educational agency or institution responsible for the education records). SONIX is the data processor (and, where FERPA applies, a school official as defined in 34 CFR § 99.31(a)(1)(i)(B)). SONIX shall process Student Data only on behalf of and in accordance with the School's documented instructions.
In relation to FERPA, SONIX:
- performs an institutional service or function for which the School would otherwise use employees;
- is under the direct control of the School with respect to the use and maintenance of education records;
- is subject to the requirements of 34 CFR § 99.33(a) governing the use and redisclosure of personally identifiable information from education records;
- meets the criteria specified in the School's annual notification of FERPA rights for being a school official with a legitimate educational interest in education records.
3. Purpose and scope
SONIX shall process Student Data solely for the purpose of providing, maintaining, securing, and supporting the Services to the School and its Authorised Users, and shall not process Student Data for any other purpose without the School's prior written consent.
SONIX shall NOT use Student Data for:
- advertising, marketing, or behavioural targeting of any kind;
- user profiling for commercial purposes;
- sale, rental, or licensing to any third party;
- training, fine-tuning, or evaluation of artificial intelligence or machine learning models;
- development of products or services not part of the Services provided to the School;
- any purpose unrelated to the Services.
4. Sub-processors
SONIX may engage Sub-processors solely to support delivery of the Services. SONIX shall:
- maintain an up-to-date list of Sub-processors, published at sonix.gg/subprocessors;
- ensure each Sub-processor is bound by a written agreement imposing data protection obligations no less protective than those in this DPA;
- give the School at least 30 days' advance notice of the addition or replacement of any Sub-processor; during that period, the School may object on reasonable grounds, in which case the parties will work in good faith to find a resolution (which may include termination if none can be reached);
- remain liable to the School for the acts and omissions of its Sub-processors as if they were its own.
5. Redisclosure and law enforcement requests
SONIX shall not disclose Student Data to any third party except: (i) as expressly directed by the School in writing; (ii) to approved Sub-processors as described in § 4; or (iii) where required by law. Where SONIX receives a legally binding request for Student Data from a public authority, SONIX shall, unless legally prohibited from doing so, give prompt notice to the School and disclose only the minimum information required.
6. Data minimisation, accuracy, and student/parent rights
SONIX shall process only the Student Data necessary for the Services and shall provide tools for the School to access, correct, export, and delete Student Data. The School is responsible for responding to requests from students, parents, and eligible students under FERPA. SONIX shall provide reasonable assistance to the School in responding to such requests, including access to the relevant Student Data and the ability to perform corrections and deletions.
7. Retention and deletion
SONIX shall retain Student Data only for the duration necessary to provide the Services or as instructed by the School, unless a longer retention period is required by law. On request by the School, or upon termination of the Institutional Customer Agreement, SONIX shall, at the School's election:
- return all Student Data to the School in a structured, commonly used, machine-readable format within 30 days; and/or
- securely delete or anonymise all Student Data within 30 days of termination, subject to documented backup retention cycles and any retention required by law.
SONIX shall ensure deletion requests are propagated to applicable Sub-processors.
8. Security
SONIX shall implement appropriate technical and organisational measures to protect Student Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. These shall include:
- encryption of Student Data in transit (TLS) and at rest;
- role-based access control with least-privilege principles for SONIX staff;
- audit logging of administrative actions on production systems;
- regular vulnerability scanning and periodic third-party security testing;
- a designated Security Coordinator and a written Information Security Program reviewed annually.
9. Data breach notification
SONIX shall notify the School of any Data Breach affecting Student Data without undue delay, and in any event within 48 hours of becoming aware of the breach. The notification shall describe (to the extent known): the nature of the breach, the categories and approximate numbers of affected Authorised Users, the likely consequences, the measures taken or proposed to address it, and the contact point for further information.
10. Audit and demonstration of compliance
SONIX shall make available to the School the information necessary to demonstrate compliance with this DPA, including SOC 2 reports (once available), penetration test summaries, and architecture documentation. The School, or an independent auditor designated by the School and bound by confidentiality, may audit SONIX's compliance with this DPA upon at least 30 days' notice, no more than once per year (except where reasonably required following a Data Breach), during business hours, in a manner that does not unreasonably interfere with SONIX's operations.
11. International transfers
Where Student Data is transferred from a jurisdiction whose data protection law restricts international transfers (including the EEA, the UK, or Switzerland), the parties shall rely on a transfer mechanism recognised by that jurisdiction (such as the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, or the FDPIC-approved Swiss clauses). The applicable clauses are incorporated by reference into this DPA and prevail over conflicting provisions in respect of transferred Student Data.
12. Data location
Subject to § 11, Student Data shall be stored within the United States (for US Schools) or within the EEA / Switzerland (for EU / UK / Swiss Schools), as specified in the Institutional Customer Agreement. Transfers to other locations require the School's prior written consent and appropriate safeguards.
13. Insurance
SONIX shall maintain cyber-liability and errors-and-omissions insurance at commercially reasonable levels appropriate to the size and nature of the deployment. Certificates of insurance are available on request.
14. Term and termination
This DPA forms part of the Institutional Customer Agreement and continues for the duration of that agreement. Provisions that by their nature should survive termination — including those relating to confidentiality, return or deletion of Student Data, the audit right (for one year following termination), liability, and applicable law — shall survive.
15. Governing law and jurisdiction
This DPA is governed by the law of the School's home jurisdiction (i.e., the law of the relevant US state for US Schools, the laws of England and Wales for UK Schools, and Swiss law for Swiss / EU Schools, unless otherwise agreed in the Institutional Customer Agreement). Disputes arising under this DPA shall be subject to the courts of the agreed jurisdiction set out in the Institutional Customer Agreement.
16. Order of precedence
In case of any conflict between this DPA, the Institutional Customer Agreement, the SONIX Terms of Use, and the SONIX Privacy Policy in relation to the processing of Student Data, the order of precedence is: (i) any state-law addendum; (ii) this DPA; (iii) the Institutional Customer Agreement; (iv) the SONIX Privacy Policy; (v) the SONIX Terms of Use.
17. Signature
This DPA is signed electronically as part of acceptance of the Institutional Customer Agreement, or on a separate written document where the School requires.
Signed for the School: ______________________ Date: ___________________
Signed for SONIX SA: ______________________ Date: ___________________
ANNEX 2
US state student-data law addenda available
Beyond FERPA, a growing number of US states have enacted student-data protection laws that impose additional requirements on third-party service providers. SONIX maintains the following addenda, ready to attach to the Institutional Customer Agreement on request:
- New York Education Law § 2-d Addendum. Most prescriptive of the US state laws. Includes Parents' Bill of Rights, detailed data security expectations, NYSED reporting alignment, and student data definitions matching state usage.
- California SOPIPA Addendum (SB 1177). Student Online Personal Information Protection Act. Covers the K-12 audience, prohibits targeted advertising and the sale of student information, and addresses the secondary use of student information.
- Colorado SB 188 Addendum. Student Data Privacy and Transparency Act. Addresses the transparency, parental rights, and data security expectations specific to Colorado schools.
- Illinois SOPPA Addendum (105 ILCS 85). Student Online Personal Protection Act. Covers data breach notification, transparency, and statutory deletion of student information.
- Connecticut Public Act 16-189 Addendum. Specific Connecticut requirements including breach notification timing, board-level approval workflows, and parents-rights alignment.
- Florida student data laws (multiple statutes) Addendum. Combines applicable Florida requirements (including FS 1002.222 and 1006.062) for K-12 deployments.
For deployments in other states, SONIX will work with the School to negotiate an appropriate state-specific addendum or to integrate the state's requirements into a customised version of the DPA.