FERPA Compliance Statement

FERPA Compliance Statement

SafeClass Shield, Inc.
Family Educational Rights and Privacy Act (FERPA) Compliance

Overview

SafeClass Shield, Inc. ("SafeClass Shield," "we," "us," or "Company") is committed to full compliance with the Family Educational Rights and Privacy Act of 1974, as amended ("FERPA") (20 U.S.C. § 1232g; 34 CFR Part 99). This statement outlines how SafeClass Shield meets its obligations when acting as a service provider to educational institutions.

1. FERPA APPLICABILITY

1.1 School Official Status

When SafeClass Shield provides services to an educational agency or institution ("School"), we act as a "School Official" with "legitimate educational interests" as defined under FERPA § 99.31(a)(1). This designation allows Schools to disclose Education Records to SafeClass Shield without prior parental consent, provided:

  1. The School has determined that SafeClass Shield performs an institutional service or function that the School would otherwise perform itself.

  2. The School maintains direct control over the use and maintenance of Education Records accessed by SafeClass Shield.

  3. SafeClass Shield uses Education Records only for the purpose(s) for which the disclosure was made (i.e., to provide the contracted services).

  4. SafeClass Shield does not re-disclose personally identifiable information from Education Records to other parties without the School's authorization (except as permitted under FERPA).

  5. The School includes SafeClass Shield as a "School Official" in its annual FERPA notification to parents.

1.2 Definition of Education Records

Under FERPA, "Education Records" means records that are:

  1. Directly related to a student; and
  2. Maintained by an educational agency or institution or by a party acting for the agency or institution.

When SafeClass Shield is engaged by a School, the following types of data may constitute Education Records:

  • Student names and unique identifiers
  • Device usage activity during school hours or on school-issued devices
  • Academic integrity data from integrated learning management systems (e.g., Google Classroom)
  • Communications between students and school personnel facilitated through the platform

Note: SafeClass Shield does not collect Education Records directly from students. All Education Records in our systems are provided by the School or accessed with the School's authorization through approved integrations.

2. FERPA COMPLIANCE COMMITMENTS

2.1 Use Limitation

SafeClass Shield uses Education Records solely to provide the services specified in our agreement with the School. We do not:

  • Use Education Records for any purpose other than fulfilling our contractual obligations to the School
  • Use Education Records for commercial purposes, including targeted advertising
  • Build user profiles of students for non-educational purposes
  • Sell, rent, or trade Education Records
  • Disclose Education Records to third parties without School authorization, except as required by law or permitted under FERPA

2.2 Re-disclosure Restrictions

SafeClass Shield does not re-disclose personally identifiable information from Education Records, except:

  • To authorized School personnel as directed by the School
  • To subcontractors who perform services on our behalf, subject to the same FERPA restrictions (see Section 3.3)
  • To comply with a lawful subpoena or court order, in accordance with FERPA § 99.31(a)(9) (see Section 2.5)
  • In a health or safety emergency, as permitted under FERPA § 99.31(a)(10) and § 99.36

When re-disclosure is necessary and permitted, SafeClass Shield:

  • Limits disclosure to the minimum information necessary
  • Requires recipients to agree to the same FERPA protections
  • Maintains records of all disclosures (see Section 2.6)

2.3 Directory Information

SafeClass Shield does not independently determine what constitutes "directory information" under FERPA § 99.3. If a School designates certain student information as directory information and provides opt-out notice to parents, SafeClass Shield will honor those designations only upon explicit written instruction from the School.

2.4 Parent and Eligible Student Rights

SafeClass Shield supports Schools in meeting their FERPA obligations to parents and eligible students (students 18 years or older):

Right to Inspect and Review (FERPA § 99.10-99.12):

  • Schools may request copies of Education Records maintained by SafeClass Shield
  • We provide requested records within 15 business days
  • We provide records in a commonly used electronic format (CSV, JSON, PDF)

Right to Amend (FERPA § 99.20-99.22):

  • If a School determines that an Education Record is inaccurate or misleading, we will amend or delete the record upon the School's written request
  • We complete amendments within 10 business days of receiving the request

Right to Consent to Disclosures (FERPA § 99.30):

  • SafeClass Shield does not disclose Education Records without School authorization, except as permitted under FERPA exceptions (§ 99.31)

Right to File a Complaint (FERPA § 99.63-99.64):

  • Parents and eligible students may file complaints regarding alleged FERPA violations with the U.S. Department of Education:

    Family Policy Compliance Office
    U.S. Department of Education
    400 Maryland Avenue, SW
    Washington, DC 20202-8520
    Phone: 1-800-USA-LEARN (1-800-872-5327)
    Email: FPCO@ed.gov
    Website: https://studentprivacy.ed.gov/

2.5 Compliance with Subpoenas and Court Orders

If SafeClass Shield receives a subpoena or court order requiring disclosure of Education Records:

  1. We will make a reasonable effort to notify the School before compliance, so the School may seek a protective order (FERPA § 99.31(a)(9)(ii)).
  2. Notification will be provided within 24 hours of receiving the subpoena or court order, unless the subpoena or order explicitly prohibits disclosure.
  3. We will work with the School and its legal counsel to challenge or limit the scope of the disclosure if appropriate.
  4. If disclosure is legally required, we will limit the disclosure to the specific records requested and maintain a record of the disclosure.

Exception: If the subpoena is issued for a law enforcement purpose and requests that we not disclose its existence (e.g., under 18 U.S.C. § 2705(b)), we may be legally prohibited from notifying the School.

2.6 Recordkeeping of Disclosures

SafeClass Shield maintains a record of all disclosures of Education Records, as required by FERPA § 99.32. These records include:

  • The parties to whom Education Records were disclosed
  • The legitimate interests the parties had in the information
  • The date of disclosure
  • The specific records disclosed

Disclosure records are maintained for the life of the Education Record and are available to the School upon request.

Exceptions: We do not maintain records of disclosures to:

  • The School itself
  • Parents or eligible students requesting their own records
  • Parties with written consent from parents or eligible students

3. DATA SECURITY AND CONFIDENTIALITY

3.1 Security Safeguards

SafeClass Shield implements reasonable technical, administrative, and physical safeguards to protect Education Records from unauthorized access, disclosure, or destruction. These safeguards include:

Technical Safeguards:

  • Encryption of data at rest (AES-256) and in transit (TLS 1.3)
  • Role-based access controls with principle of least privilege
  • Multi-factor authentication for administrative access
  • Regular security vulnerability assessments and penetration testing
  • Intrusion detection and prevention systems

Administrative Safeguards:

  • Employee training on FERPA obligations and student data privacy
  • Background checks for employees with access to Education Records
  • Confidentiality agreements for all personnel
  • Incident response procedures and breach notification protocols
  • Annual third-party security audits (SOC 2 Type II)

Physical Safeguards:

  • Secure data centers with 24/7 monitoring and biometric access controls
  • Redundant infrastructure for high availability
  • Geographic data replication for disaster recovery (within the United States)

For detailed security measures, see our Data Security Policy.

3.2 Data Breach Notification

In the event of an unauthorized disclosure, acquisition, or use of Education Records (a "Data Breach"), SafeClass Shield will:

  1. Notify the School within 48 hours of confirming the breach.
  2. Investigate the cause, scope, and impact of the breach.
  3. Contain the breach and prevent further unauthorized access.
  4. Cooperate with the School's incident response and notification obligations.
  5. Remediate the vulnerability that caused the breach.
  6. Document the incident and remediation for compliance and audit purposes.

School Notification Responsibility:
The School remains responsible for notifying affected parents, eligible students, and regulatory authorities in accordance with applicable state breach notification laws and FERPA requirements.

3.3 Subcontractors and Third-Party Service Providers

SafeClass Shield uses certain third-party service providers ("Subcontractors") to host and operate the platform. All Subcontractors with access to Education Records are subject to the same FERPA obligations as SafeClass Shield.

Current Subcontractors:

  • Amazon Web Services (AWS): Cloud infrastructure and database hosting (SOC 2, ISO 27001, FedRAMP certified; FERPA-compliant under AWS's Data Processing Addendum)
  • Google Cloud Platform: Google Classroom API integration (FERPA, COPPA, and GDPR compliant)
  • Stripe, Inc.: Payment processing (PCI DSS Level 1 certified; does not access Education Records)
  • SendGrid (Twilio): Transactional email delivery (SOC 2 Type II certified)

All Subcontractors have executed Data Processing Agreements (DPAs) that include:

  • Confidentiality obligations
  • Use restrictions (only for providing services to SafeClass Shield)
  • Security requirements (encryption, access controls, monitoring)
  • Prohibition on re-disclosure without authorization
  • Data return or destruction upon contract termination
  • Breach notification requirements

Subcontractor Updates:
SafeClass Shield will notify Schools of any material changes to Subcontractors with access to Education Records at least 30 days before the change, allowing Schools to object or terminate the agreement.

4. DATA RETENTION AND DELETION

4.1 Retention Period

SafeClass Shield retains Education Records only for as long as necessary to provide the contracted services or as required by the School's retention policy, whichever is longer.

Standard Retention:

  • Active Subscriptions: Education Records are retained for the duration of the School's subscription.
  • Post-Termination: Schools have 30 days to export Education Records after subscription termination.
  • Automatic Deletion: After the 30-day export period, all Education Records are permanently deleted unless the School requests an extension or has a legal hold in place.

Exceptions:

  • Legal Holds: Education Records may be retained longer if subject to litigation, investigation, or legal obligation.
  • De-identified Data: Aggregated, de-identified data (which no longer constitutes personally identifiable information under FERPA) may be retained for research and product improvement purposes. De-identification follows NIST SP 800-188 and FERPA § 99.31(b) standards.

4.2 Secure Deletion

When Education Records are deleted, SafeClass Shield uses industry-standard methods to ensure data cannot be recovered:

  • Database Records: Cryptographic erasure (encryption keys are destroyed, rendering data unreadable)
  • Backups: Automated deletion of backups within 90 days
  • Log Files: Redaction of personally identifiable information; logs retained for security purposes only

4.3 School-Directed Deletion

Schools may request deletion of specific Education Records or entire student profiles at any time by contacting ferpa-requests@safeclassshield.com. We will complete deletion requests within 30 days unless a longer period is required to comply with legal obligations.

5. PARENTAL NOTIFICATION AND CONSENT

5.1 School Responsibility for Notification

SafeClass Shield relies on Schools to provide annual FERPA notification to parents, as required by FERPA § 99.7. This notification should inform parents that:

  • The School uses SafeClass Shield as a School Official with legitimate educational interests
  • SafeClass Shield may access Education Records to provide digital safety and monitoring services
  • Parents have the right to inspect and review records, request amendments, and control disclosures
  • SafeClass Shield's Privacy Policy and Data Security Policy are available for review

Sample FERPA Notification Language:
Schools may use the following language in their annual FERPA notification:

"[School Name] uses SafeClass Shield, Inc., a third-party service provider, to provide digital safety monitoring and parental control services. SafeClass Shield acts as a School Official with legitimate educational interests under FERPA and has access to certain student information necessary to provide these services. SafeClass Shield is required to maintain the confidentiality of Education Records and comply with FERPA. For more information about how SafeClass Shield protects student data, please review their Privacy Policy at [URL] or contact [School Contact Information]."

5.2 Parental Consent for Directory Information

If a School has designated certain student information as "directory information" under FERPA § 99.3, and if SafeClass Shield is authorized to use or disclose that information, the School must:

  • Provide annual notice to parents of the categories of directory information
  • Allow parents a reasonable time to opt out of directory information disclosures
  • Inform SafeClass Shield of any opt-out requests

SafeClass Shield will honor all opt-out requests provided by the School.

5.3 Personal Account vs. School Account Distinction

School Accounts:

  • Used by educational institutions
  • FERPA applies; parental consent obtained by School
  • SafeClass Shield acts as School Official

Personal Accounts:

  • Used by individual parents (not affiliated with a School)
  • FERPA does not apply
  • COPPA parental consent obtained directly by SafeClass Shield (see COPPA Compliance Statement)

6. STATE-SPECIFIC FERPA ENHANCEMENTS

Some states have enacted student data privacy laws that impose additional requirements beyond FERPA. SafeClass Shield complies with these state laws, including:

California:

  • AB 1584 (Student Online Personal Information Protection Act - SOPIPA)
  • Prohibition on targeted advertising to students
  • Prohibition on creating profiles for non-educational purposes

New York:

  • Education Law § 2-d (Parent's Bill of Rights for Data Privacy and Security)
  • Annual data security and privacy plan submission to NYSED
  • Supplemental privacy notice to parents
  • Data breach notification within 7 calendar days (expedited compared to FERPA)

Illinois:

  • Student Online Personal Protection Act (SOPPA)
  • Prohibition on selling or trading student data
  • Prohibition on targeted advertising and behavioral tracking
  • Data minimization requirements

Texas:

  • Education Code Chapter 32 (Student Data Privacy)
  • Restriction on use of biometric identifiers (not collected by SafeClass Shield)
  • Limitation on collection of location data (not collected by SafeClass Shield)

SafeClass Shield executes state-specific Data Protection Addenda (DPAs) that address these requirements. Contact institutional-compliance@safeclassshield.com for state-specific compliance documentation.

7. AUDITING AND COMPLIANCE VERIFICATION

7.1 School Audit Rights

Schools have the right to audit SafeClass Shield's FERPA compliance at any time, subject to reasonable notice and confidentiality protections. Audit rights include:

  • Review of SafeClass Shield's data handling practices and policies
  • Inspection of technical and administrative safeguards
  • Review of subcontractor agreements and security certifications
  • Testing of data deletion procedures

Audits may be conducted by the School, a third-party auditor engaged by the School, or a consortium of schools.

7.2 Independent Audits

SafeClass Shield undergoes annual third-party audits to verify compliance with industry standards:

  • SOC 2 Type II Audit: Annual audit by independent CPA firm (available to Schools under NDA)
  • ISO 27001 Certification: Information Security Management System certification
  • Penetration Testing: Annual third-party security assessment

Audit reports and certifications are available to Schools upon request.

7.3 Cooperation with Investigations

If the U.S. Department of Education, Family Policy Compliance Office (FPCO) conducts an investigation related to a School's use of SafeClass Shield, we will:

  • Cooperate fully with the investigation
  • Provide requested documentation and records
  • Respond to inquiries in a timely manner
  • Implement corrective actions if deficiencies are identified

8. TRAINING AND AWARENESS

8.1 Employee Training

All SafeClass Shield employees with access to Education Records complete mandatory training on:

  • FERPA requirements and restrictions
  • Student data privacy best practices
  • Security awareness and incident response
  • Confidentiality obligations

Training is provided during onboarding and annually thereafter.

8.2 School Training Resources

SafeClass Shield provides training resources to Schools to support FERPA compliance, including:

  • Sample FERPA notification language for schools
  • Parent FAQ documents
  • Privacy policy plain-language summaries
  • Webinars on student data privacy best practices

These resources are available at https://safeclassshield.com/school-resources.

9. CONTRACT PROVISIONS

9.1 Master Services Agreement (MSA)

All School contracts include provisions that address FERPA compliance:

  • School Official Designation: School designates SafeClass Shield as a School Official with legitimate educational interests.
  • Use Restrictions: SafeClass Shield agrees to use Education Records solely to provide the contracted services.
  • Re-disclosure Prohibition: SafeClass Shield agrees not to re-disclose Education Records without School authorization, except as permitted by FERPA.
  • Security Requirements: SafeClass Shield agrees to implement reasonable security safeguards.
  • Breach Notification: SafeClass Shield agrees to notify the School of data breaches within 48 hours.
  • Data Return/Deletion: SafeClass Shield agrees to return or delete Education Records upon contract termination.
  • Audit Rights: School has the right to audit SafeClass Shield's FERPA compliance.
  • Indemnification: SafeClass Shield indemnifies the School for breaches caused by SafeClass Shield's negligence or willful misconduct.
  • Termination Rights: School may terminate the agreement if SafeClass Shield materially violates FERPA.

9.2 Data Protection Addendum (DPA)

Schools may request a separate Data Protection Addendum that provides additional detail on:

  • Data inventory and data flow diagrams
  • Security control descriptions
  • Subcontractor list and DPAs
  • State-specific compliance requirements
  • GDPR and international data protection requirements (if applicable)

10. FERPA COMPLIANCE ATTESTATION

SafeClass Shield, Inc. hereby attests that:

  1. We understand our obligations under FERPA when acting as a School Official.
  2. We use Education Records solely for the purpose of providing contracted services to Schools.
  3. We do not re-disclose personally identifiable information from Education Records without School authorization, except as permitted under FERPA.
  4. We implement reasonable security safeguards to protect Education Records from unauthorized access or disclosure.
  5. We maintain records of disclosures as required by FERPA § 99.32.
  6. We cooperate with Schools to ensure they can meet their FERPA obligations to parents and eligible students.
  7. We return or destroy Education Records upon School request or contract termination.
  8. We notify Schools of data breaches within 48 hours.
  9. We comply with all applicable state student data privacy laws.
  10. We undergo annual third-party security audits to verify compliance with industry standards.

This attestation is made under penalty of perjury under the laws of the United States.

11. CONTACT INFORMATION

For FERPA-related inquiries, requests, or concerns, please contact:

Data Protection Officer (DPO):
SafeClass Shield, Inc.
Email: ferpa-requests@safeclassshield.com
Phone: 1-800-SAFEKID (1-800-723-3543), Option 4
Mail: [Company Address], Attn: FERPA Compliance

School Official Contact:
For Schools using SafeClass Shield, questions regarding student data access, amendments, or deletions should be directed to your School's designated FERPA Compliance Officer or Student Records Administrator.

Federal Reporting:
Alleged FERPA violations may be reported to:

Family Policy Compliance Office (FPCO)
U.S. Department of Education
400 Maryland Avenue, SW
Washington, DC 20202-8520
Phone: 1-800-USA-LEARN (1-800-872-5327)
Email: FPCO@ed.gov
Website: https://studentprivacy.ed.gov/

Effective Date: January 1, 2026
Last Reviewed: January 1, 2026
Next Review Date: January 1, 2027

This FERPA Compliance Statement is a public document and may be shared with parents, schools, and regulatory authorities. It is reviewed and updated annually or as required by changes in law or our practices.

SafeClass Shield, Inc.
Committed to FERPA Compliance and Student Privacy

Last updated: January 1, 2026 | © 2026 SafeClass Shield, Inc. All rights reserved.

Questions? Contact dpo@safeclassshield.com or call 1-800-SAFEKID