FERPA & COPPA Compliance

Federal student privacy: how Ed.ai meets FERPA and COPPA

Ed.ai is built as a "school official" under FERPA and operates under the school-authorization model for COPPA. Here's what that means in practice.

Three badges at the top:

  • ✓ FERPA compliant

  • ✓ COPPA compliant

  • ✓ Student data hosted in the United States

FERPA

Ed.ai's role under FERPA

Ed.ai operates as a "school official with legitimate educational interest" under FERPA §99.31(a)(1)(i)(B). This is the standard framework for an ed-tech vendor working under the direction of a school or district.

In practical terms, this means:

  1. We act under the direction of the school. A district administrator, a principal, or a teacher invites us in. We process student data only for the educational purposes specified by that school official.

  2. We use data only for the purposes the school authorized. Grading, feedback, mastery analytics, targeted practice, and the AI teaching assistant — nothing else. No secondary use, no repurposing.

  3. We never redisclose student data. Not to other districts, not to our other customers, not to any third party — except the sub-processors listed on /sub-processors, all of whom are contractually bound to the same restrictions.

  4. Parents and eligible students retain their FERPA rights. Access, review, amendment, and consent requests are routed through the school or district, consistent with the FERPA framework.

How Ed.ai meets each FERPA obligation

  • School-official exception (§99.31(a)(1)(i)(B)) — Contract with the school defines legitimate educational interest. Access limited to authorized teachers and admins. · /dpa

  • Direct control by the school — All processing purposes are set in the DPA. Schools can suspend, change, or revoke access at any time. · /dpa

  • No redisclosure — Sub-processors sign DPAs that prohibit redisclosure. Current list published at all times. · /sub-processors

  • Parent/eligible student rights — Requests are handled through the school per the FERPA framework. We support the school in fulfilling requests. · /privacy-policy §10

  • Record of disclosures — Audit logs retained for the duration of the contract + 1 year after termination. · /security

  • Data destruction on contract end — Deletion from production systems within 90 days of contract termination; final purge from backups and archival systems within 12 months. · /privacy-policy §8

Data categories under FERPA

We distinguish between two kinds of information, both treated under FERPA:

  • Directly identifying information: name, student ID, date of birth, email. Stored in the product database (US), never sent to a language model.

  • Educational records content: scanned handwritten work, transcriptions, teacher-assigned grades, mastery analytics. Stored in the product database (US). Before any LLM call, names and class rosters are masked. See /de-identification.

COPPA

Ed.ai's approach: school-authorization model

For students under 13, Ed.ai operates under the school-authorization model described in the FTC's COPPA FAQ. This means:

  • The school authorizes the collection of personal information from students under 13 on behalf of parents, where the data is used solely for educational purposes determined by the school.

  • Ed.ai does not serve advertising, does not build behavioral profiles, and does not monetize student data. These are the conditions under which the school-authorization model applies.

  • Parents retain the right to review, request deletion, and refuse further collection. These requests are routed through the school and supported by Ed.ai.

What Ed.ai never does under COPPA

  • No behavioral advertising to students. Ever.

  • No targeted advertising of any kind based on student data.

  • No sale of student information.

  • No model training on student work (ours or any sub-processor's).

  • No profile-building about students outside the educational purpose authorized by the school.

Quick-scan compliance table

  • Is Ed.ai FERPA compliant? — Yes — Ed.ai operates as a "school official with legitimate educational interest." · This page · /dpa

  • Is Ed.ai COPPA compliant? — Yes — under the school-authorization model. · This page · /dpa

  • Is student data sold or shared for advertising? — Never. · /trust-pledge Pledge 3

  • Is student data used to train AI models? — No. Neither Ed.ai nor our AI sub-processors retain or train on student work. · /ai-transparency

  • Where is student data stored? — Microsoft Azure, US region. AI processing also uses Google Cloud (Gemini), US-hosted; neither retains student work. · /security

  • Who are your sub-processors? — Published on /sub-processors. · /sub-processors

  • Can we sign a DPA? — Yes — we offer NDPA v2.1 pre-signed with General Offer (Exhibit E) + state exhibits for California, Texas, Florida, New York, North Carolina, Pennsylvania, and Alabama. · /dpa

  • How long is student data retained? — While the district contract is active, or until the district/parent requests deletion. Deletion from production within 30 days of request; final purge from backups and archival systems within 12 months. · /privacy-policy §8

  • Are records of disclosure kept? — Yes — audit logs for the contract duration. · /security

FAQ

Do parents need to consent individually for each student?

Not when Ed.ai is used under the school-authorization model. The school, acting on behalf of parents, authorizes the processing for educational purposes. Parents retain their FERPA and COPPA rights — access, review, amendment, and deletion — exercised through the school.

Who's the controller of student data?

The school or district is the controller (FERPA "educational agency or institution"). Ed.ai is the processor ("school official" under FERPA, "operator" under most state laws). The DPA spells this out.

What happens at the end of the school year?

Student work and derived analytics are retained while the district contract is active — this supports multi-year progression tracking (e.g., 8th grade to 9th grade). There is no automatic year-by-year purge. When the district or a parent requests deletion, production data is removed within 30 days; backups and archival systems are fully purged within 12 months. When the contract ends, all student work is deleted from production within 90 days (backups within 12 months).

Can districts or parents access my students' data?

Parents and eligible students access data through the school, consistent with FERPA. Districts access data through authorized admins. Ed.ai supports the school in fulfilling requests.

What if a parent wants their child excluded from Ed.ai?

Parents who want their child excluded from the Ed.ai service should contact the school. Ed.ai is an AI-based grading product — there is no version of it that runs without AI, and there is no per-student AI opt-out. Exclusion is handled by the school at the access level: the school controls access to Ed.ai and can choose not to use it for specific students or classes, consistent with FERPA's school-official framework.

What if we're a private school?

FERPA applies primarily to schools receiving federal funding. Many private schools adopt FERPA-equivalent policies. Ed.ai's commitments (no advertising, no model training, US hosting, human-in-the-loop) apply identically, and we sign the same DPAs.

Contact

  • Privacy inquiries: privacy@ed.ai

  • Mailing: Ed AI Technologies, Inc. · 56 Broad St STE 63766 · Boston, MA 02109

  • Phone: +1 617 545 7366