EduLens
General | March 12, 2026 | 7 min read

FERPA Compliance Checklist for School Technology Vendors

A practical checklist for IT directors and administrators evaluating edtech vendors for FERPA compliance. What to ask, what to look for, and red flags.

When your district evaluates a new edtech vendor, FERPA compliance isn't a line item — it's a prerequisite. But "FERPA compliant" has become a marketing buzzword that every vendor claims. Here's how to verify it actually means something.

The Checklist

Ask every vendor these questions before signing:

1. Data Access Controls

  • Can parents only see their own children's data?
  • Can teachers only see students in their assigned classrooms?
  • Is data isolated between schools in a multi-school deployment?
  • Are there role-based access controls (admin vs. teacher vs. parent)?

2. Audit Trail

  • Does the system log every access to student PII?
  • Can you see who accessed what data and when?
  • Are audit logs retained for the FERPA-required minimum (as long as the records exist)?

3. Data Handling

  • Is data encrypted in transit (TLS) and at rest (AES-256)?
  • Where is the data stored? Is it in the United States?
  • Does the vendor have a documented data retention and deletion policy?
  • Can the school request complete data deletion when the contract ends?

4. Third-Party Sharing

  • Does the vendor share student data with any third parties?
  • Are subprocessors documented and contractually bound?
  • Is student data ever used for advertising, marketing, or profiling?

5. Breach Notification

  • What is the vendor's breach notification timeline?
  • Will they notify both the school and affected parents?
  • Do they have an incident response plan?

Red Flags

  • The vendor can't provide a Data Privacy Agreement (DPA)
  • "FERPA compliant" is claimed but no specifics are given
  • Student data is used for "product improvement" or "analytics" without clear guardrails
  • No audit trail exists for data access
  • Data is stored outside the United States

Going Beyond FERPA

In New York, vendors must also comply with Education Law § 2-d and provide a Parents' Bill of Rights. COPPA applies when children under 13 are involved. And increasingly, districts are requiring HECVAT assessments for higher education vendors and applying similar rigor to K-12.

The best vendors don't treat compliance as a checkbox — they build it into their architecture from day one.
