PRGN-01

Does your solution process FERPA-related data?

Explanation

This question is asking whether your software solution processes data that falls under the Family Educational Rights and Privacy Act (FERPA), a federal law that protects the privacy of student education records in the United States. FERPA-related data includes any personally identifiable information from education records maintained by educational institutions or agencies. As the guidance notes, this includes any data maintained by or on behalf of an educational institution that directly relates to an identifiable student. Examples include:

- Student names, IDs, and contact information
- Course enrollments and grades
- Academic transcripts
- Financial aid information
- Disciplinary records
- Class schedules

This question is asked in a security assessment because FERPA imposes specific legal requirements for handling student data. Educational institutions must ensure that any vendor or third-party service provider that processes FERPA-protected data has appropriate security controls in place to protect that data from unauthorized access, use, disclosure, or destruction.

To best answer this question:

1. Be honest about whether your solution processes FERPA-related data.
2. If it does, be prepared to explain what types of FERPA data you process.
3. Be ready to describe the specific controls you have in place to protect this data.
4. Understand that processing FERPA data requires additional compliance measures.

Note that answering 'Yes' is not necessarily negative: many educational technology solutions legitimately process FERPA data. What matters is having appropriate safeguards in place.

Guidance

FERPA-related data includes any data maintained by (or on behalf of) the institution that is directly related to an identifiable student.

Example Responses

Example Response 1

Yes, our learning management system processes FERPA-related data as part of its core functionality. We handle student enrollment information, assignment submissions, grades, and communication between students and instructors. To protect this data, we implement role-based access controls, encryption of data in transit and at rest, comprehensive audit logging, and regular security assessments. Our staff undergoes annual FERPA compliance training, and we have established data handling procedures that align with FERPA requirements. We also provide educational institutions with the tools they need to respond to student requests to access their own educational records in compliance with FERPA.

Example Response 2

No, our solution does not process FERPA-related data. Our product is a facilities management system that helps educational institutions track and manage maintenance requests, building access, and utility usage. While the system is used by educational institutions, it does not collect, store, or process any student educational records or personally identifiable information related to students. The system only maintains information about physical assets, maintenance schedules, and staff responsible for facilities management. If an institution were to add student information to free-text fields (which is not the intended use), our terms of service require customers to comply with applicable regulations for any data they choose to enter into our system.

Example Response 3

No. While our company provides services to educational institutions, our particular solution is a staff-only HR management system that processes employee data but does not interact with student records or information. Our system specifically handles faculty and administrative staff hiring, onboarding, benefits management, and professional development tracking. We have implemented technical controls to prevent the system from being used to store student information, including field validation that flags potential student ID formats. However, we recognize that some staff members may also be students (such as teaching assistants or work-study participants), and in those cases we advise our clients to ensure they are handling dual-role individuals in compliance with FERPA when using our system.

Context

Tab: Privacy
Category: General Privacy

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub