Skip to content

FERPA Compliance

Under FERPA, parents or legal guardians of eligible students have the right to request, inspect and review their child’s education records as maintained by the school. For reference, “education records” are defined under 34 CFR § 99.3 as any records “directly related to a student” and “maintained by an educational agency or institution or by a party acting for the agency or institution.”

FERPA also stipulates that academic institutions cannot provide copies of an eligible student’s records without the express written permission of that student’s parent or legal guardian. There are certain exceptions to this disclosure rule. According to 34 CFR § 99.31, schools do not require consent for disclosure to parties that meet the following conditions:

  • School officials, including teachers, who are determined to have legitimate educational interests
  • Contractors, consultants, volunteers or other parties to whom the school has outsourced institutional services or functions
  • Officials from another school, school system or institution of postsecondary education where the student seeks or intends to enroll
  • Appropriate parties in connection with financial aid to the student
  • Organizations conducting studies for, or on behalf of, educational agencies or institutions to develop, validate or administer predictive tests; administer student aid programs; or improve instruction
  • Accrediting organizations carrying out accrediting functions
  • In compliance with a judicial order or lawfully issued subpoena
  • Appropriate parties in connection with a health or safety emergency (according to the conditions described in 34 CFR § 99.36)
  • State and local authorities if the allowed disclosure concerns the juvenile justice system and its ability to effectively serve the student in question (according to the conditions described in 34 CFR § 99.38)

As a private company that serves educational institutions, we do not store any information about any individual associated with these institutions unless we have designed and developed software that we are paid to maintain on our own servers. In this case, our policy is to defer consent to any such information to the institution in which the student attends.

HIPAA Compliance

We are occasionally requested to build or maintain software that contains private health information and medical records. As such, we adhere to the following checklist to ensure safe and restricted storage of said information:

  • Transport Encryption (HTTPS/TLS 1.2)
  • Backup and Storage Encryption (AES 256 or RSA 4096)
  • Identity and Access Management
  • Permanent Disposal
  • Business Associate Agreements

These are applied by using only third-party services that are also HIPPA compliant, such as the Google Cloud Platform, Microsoft Azure, and Amazon Web Services. Apple’s iCloud platform is not HIPAA compliant.

PCI DSS Compliance

While we do not store cardholder information on our side, several of our platforms receive cardholder information. Though we are not obligated, we commit to upholding all requirements below to meet PCI DSS compliance.

  • Installation and maintenance of a firewall configuration to protect cardholder data
  • Use of vendor-supplied defaults for system passwords and other security parameters is strictly prohibited
  • Protection of stored cardholder data
  • Encrypted transmission of cardholder data across open, public networks
  • Use of frequently updated anti-virus software and other protective programs
  • Development and maintenance of secure systems and applications
  • Access to cardholder data is strictly prohibited by any employee or manager
  • Every person with computer access is assigned a unique ID
  • Physical access to cardholder data is strictly prohibited
  • All access to network resources and cardholder data is tracked and monitored
  • Security systems and processes are regularly tested
  • A policy that addresses information security for all personnel is in place

Last modified on April 27, 2023

Start your journey
to better business.

Your mission-critical systems can't afford to be down, so don't wait for a problem to happen.