FERPA Vendor Risk Assessment for Schools & Universities
April 17, 2026
FERPA (the Family Educational Rights and Privacy Act) requires schools and universities to protect student education records — and that obligation extends to every EdTech vendor that accesses student data. When a school adopts Canvas for its LMS, PowerSchool for student information, or Google Workspace for student email, it must ensure the vendor handles education records in compliance with FERPA. Unlike HIPAA, FERPA does not require a specific contract type, but the Department of Education has made clear that schools must maintain "direct control" over vendor use of education records. This guide covers what institutions must verify and how to build a defensible vendor assessment process.
FERPA requirements for third-party vendors
FERPA (20 U.S.C. § 1232g) protects education records — any records directly related to a student that are maintained by an educational institution or a party acting for the institution. When schools share education records with vendors, they typically rely on the "school official" exception (§ 99.31(a)(1)), which allows disclosure without parental consent if the vendor: (1) performs a service that the school would otherwise perform itself, (2) is under the direct control of the school regarding the use and maintenance of education records, and (3) uses education records only for the purposes specified in the agreement. The school must also ensure the vendor does not re-disclose education records to other parties without authorization. Critically, the school — not the vendor — is responsible for FERPA compliance. If a vendor mishandles student data, the school faces investigation by the Department of Education's Student Privacy Policy Office (SPPO), potential loss of federal funding eligibility, and reputational damage with parents and the community.
Directory information vs. education records
FERPA distinguishes between education records, which are protected, and directory information, which may be disclosed under certain conditions. Directory information includes names, addresses, phone numbers, dates of attendance, degrees received, and similar general information. Schools can designate what constitutes directory information and must give parents/students the opportunity to opt out of its disclosure.
This distinction matters for vendor assessment because some EdTech tools only access directory information, while others access full education records including grades, disciplinary records, IEP/504 plans, and financial aid data. Your assessment depth should match the data sensitivity. A vendor accessing only directory information (after proper notice and opt-out procedures) presents lower FERPA risk than a vendor accessing grades, attendance records, or special education data. However, many schools over-rely on the directory information exception — if a vendor accesses more than what the school has designated as directory information, the school official exception or written parental consent is required.
What to verify in EdTech vendor assessments
For each vendor that accesses student education records, document your assessment of:
Data use limitations. Does the vendor's terms of service or data privacy agreement restrict use of education records to the contracted purpose only? Watch for broad data licensing terms that allow the vendor to use student data for product improvement, advertising, or analytics beyond the contracted service.
Data retention and deletion. What happens to student data when the contract ends or when a student leaves? FERPA does not prescribe specific retention periods, but schools should ensure vendors delete education records upon contract termination or school request.
Subprocessor and third-party sharing. Does the vendor share student data with subprocessors? Under what conditions? The school must maintain "direct control" over how education records are used — this extends to the vendor's subprocessors.
Security safeguards. What technical and organizational measures protect student data? Encryption, access controls, breach notification procedures, and incident response capabilities. ThirdProof checks these automatically across 27 intelligence sources.
Breach notification. How quickly will the vendor notify the school of a data breach? What information will be provided? Schools need adequate notice to meet their own notification obligations to parents and the Department of Education.
Student data privacy certifications. Does the vendor participate in the Student Data Privacy Consortium's National Data Privacy Agreement (NDPA) or hold relevant certifications? These are not FERPA requirements but indicate vendor maturity around student data protection.
Building a FERPA vendor assessment program
Inventory all EdTech vendors. Create a complete list of every technology vendor that accesses student education records. Include LMS platforms, student information systems (SIS), communication tools, assessment platforms, library systems, and any tool where students log in with school credentials. Many schools discover they have 50-200+ EdTech vendors when they conduct a thorough inventory.
Classify by data access level. Tier vendors based on what student data they access: Tier 1 (full education records including grades, disciplinary, special education), Tier 2 (limited education records like attendance and course enrollment), Tier 3 (directory information only). Assessment depth should match tier.
Review contracts and terms. Ensure every vendor with access to education records has a written agreement establishing the school official relationship. Many schools use the Student Data Privacy Consortium NDPA as a standardized template. Review vendor terms of service for data use provisions that conflict with FERPA requirements.
Conduct independent assessment. Vendor self-attestations about security are insufficient — schools should verify vendor security posture, compliance certifications, breach history, and business legitimacy independently. ThirdProof assessments provide evidence-based verification that supplements vendor-provided documentation.
Document and maintain. Keep records of your vendor assessment process, findings, and decisions. If the SPPO investigates, you need evidence of reasonable oversight — not just signed agreements, but documented due diligence.
Frequently asked questions
Does FERPA require a specific contract with EdTech vendors?
What happens if an EdTech vendor has a data breach involving student records?
Can vendors use student data to improve their products?
How does ThirdProof help with FERPA vendor assessment?