
FERPA Compliance

How EngagedLab protects student education records under the Family Educational Rights and Privacy Act.

Last updated: January 15, 2026

What is FERPA?

The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g) is a US federal law that protects the privacy of student education records. FERPA applies to educational institutions that receive funding from the US Department of Education. When institutions use EngagedLab, we act as a “school official” with “legitimate educational interest” under FERPA, processing student data solely to provide our educational services.

Our FERPA Commitment

Student data is never sold

We never sell, rent, or trade personally identifiable information (PII) from student education records.

No advertising use

Student data is never used for targeted advertising, profiling, or non-educational commercial purposes.

Data minimisation

We collect only the minimum data necessary to provide educational services under the institutional agreement.

Access controls

Student data is accessible only to authorised institutional personnel and EngagedLab staff with a legitimate need.

Encryption

All student data is encrypted in transit (TLS 1.3) and at rest (AES-256).

Institutional control

The institution maintains control and ownership of all student education records processed by EngagedLab.

1. EngagedLab as a School Official

Under FERPA's “school official” exception (34 CFR § 99.31(a)(1)), institutions may disclose education records to EngagedLab without prior consent from parents or eligible students, provided that:

  • EngagedLab performs an institutional function for which the institution would otherwise use employees
  • EngagedLab is under the direct control of the institution regarding use and maintenance of education records
  • EngagedLab uses education records only for the purposes for which disclosure was made
  • EngagedLab meets the criteria set forth in the institution's annual FERPA notification

These requirements are formalised in our institutional service agreements, which include a FERPA-compliant Data Processing Addendum.

2. Education Records We Process

In the context of institutional deployments, the following student data may constitute “education records” under FERPA:

Data Category | Examples | Purpose
Student identifiers | Name, email, institutional ID (via SSO) | Account creation, LTI integration
Academic performance | Quiz scores, challenge results, mastery levels | Learning analytics, grade passback
Learning interactions | Lab attempts, time on task, hints used | Adaptive learning, engagement tracking
Course enrolment | Course assignment, section, instructor | Multi-tenant content delivery
Progress data | Concept mastery states, misconceptions | Bayesian mastery tracking

3. Technical Safeguards

We implement the following technical and organisational measures to protect education records:

Multi-Tenant Isolation

Each institution's data is logically isolated. Students and educators from one institution cannot access another institution's data. Queries are scoped by institution_id at the database layer.

Role-Based Access Control (RBAC)

Granular permissions ensure instructors see only their own students' data. Department heads see only their department. Institutional admins see only their institution.

Audit Logging

All access to student education records is logged with timestamp, user ID, data accessed, and action performed. Logs are retained for 3 years.

SSO / LTI Authentication

Institutional deployments use SAML or OIDC SSO, ensuring students authenticate through their institution's identity provider. LTI 1.3 deep linking eliminates separate credentials.

Data Encryption

TLS 1.3 for transit. AES-256 for storage. Database connection strings and API keys use secret management.

Breach Notification

In the event of a data breach affecting education records, we notify the institution within 72 hours with details of the scope, impact, and remediation steps.

4. Parental & Eligible Student Rights

Under FERPA, parents of students under 18 (and eligible students 18 or older) have the right to:

  • Inspect and review education records maintained by the institution
  • Request amendment of records believed to be inaccurate or misleading
  • Consent to disclosure (except in cases where FERPA authorises disclosure without consent)
  • File a complaint with the US Department of Education regarding alleged FERPA violations

These rights are exercised through the institution, not directly through EngagedLab. We cooperate fully with institutional FERPA officers to fulfil these obligations.

5. De-identification & Research Use

When we use learning data to improve our AI models or for research, we follow FERPA’s de-identification standard:

  • All direct identifiers (name, email, institutional ID) are removed
  • Records are aggregated to prevent re-identification
  • We do not attempt to re-identify de-identified data
  • Our research partners sign agreements prohibiting re-identification

De-identified data does not constitute education records under FERPA (34 CFR § 99.3).

6. Data Retention & Deletion

When an institutional agreement ends, we follow this process:

  1. Data export made available to the institution in machine-readable format
  2. Institution confirms receipt and completeness of export
  3. All education records are permanently deleted within 90 days of contract termination
  4. Deletion is certified in writing to the institution
  5. Backups containing education records are purged within 30 additional days

7. FERPA Compliance Officer

For questions about EngagedLab’s FERPA compliance, institutional onboarding, or to request our Data Processing Addendum:

Email: compliance@engagedlab.co.uk

Response time: Within 2 business days

Complaints about FERPA violations may be filed with:

Family Policy Compliance Office

U.S. Department of Education

400 Maryland Avenue, SW

Washington, DC 20202