1. Overview
The Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g and 34 CFR Part 99, is the U.S. federal law that protects the privacy of student education records. BecauseConcordiumOS processes education records on behalf of schools, we design our platform and our contractual commitments to help your institution meet its FERPA obligations.
2. ConcordiumOS as a "School Official"
Schools may disclose education records, without prior consent, to a "school official" with a "legitimate educational interest." When a school uses ConcordiumOS, Valence Systems acts as a school official performing an institutional service the school would otherwise perform itself. In that role we:
- Use education records only to provide the contracted Services to the school;
- Remain under the direct control of the school with respect to the use and maintenance of education records;
- Do not re-disclose education records except as directed by the school or as permitted by FERPA.
3. Education Records We Access
Depending on the modules a school enables, ConcordiumOS may process student names, contact details, enrollment and attendance records, schedules, academic and athletics information, tuition and billing status, and communications. We access only what is necessary to deliver the Services the school has configured.
4. School Ownership & Control
The school owns and controls its education records at all times. Schools can access, correct, export, and delete records through the application, and can direct us to return or delete data. We do not use education records for any purpose other than providing the Services.
5. No Advertising, No Sale, No Profiling
Consistent with FERPA and the broader Student Privacy Pledge principles, we do not sell student data, use it for targeted advertising, or build non-educational profiles of students. Student data is used solely to operate ConcordiumOS for your school.
6. Directory Information
FERPA permits schools to designate certain information as "directory information." ConcordiumOSdoes not independently publish directory information; any sharing of such data is configured and controlled by the school in accordance with its own FERPA notice and policies.
7. Parent & Eligible-Student Rights
FERPA gives parents, and students once they turn 18 or enter postsecondary education ("eligible students"), the right to inspect and review education records and to request corrections.ConcordiumOS supports schools in fulfilling these rights by making records accessible and exportable. Because the school controls the records, parents and students should direct requests to their school; we will assist the school in responding.
8. Subprocessors & Disclosures
We use a limited set of vetted subprocessors (for example, cloud hosting) that are contractually bound to protect education records and to use them only to provide services to us. A current list and the applicable safeguards are described in our Data Processing Addendum.
9. Security Safeguards
- Encryption of data in transit (TLS) and at rest;
- Role-based access control and least-privilege access for staff;
- Tenant isolation so each school's data is segregated;
- Audit logging, monitoring, and regular security review.
10. Data Breach Notification
If we become aware of a security incident affecting a school's education records, we will notify the affected school without undue delay and cooperate in its response, consistent with our agreement and applicable law.
11. Data Retention & Deletion
Education records are retained according to the school's instructions and our agreement. Upon termination, or at the school's request, we return or securely delete education records as described in the Data Processing Addendum.
12. Related Laws & Commitments
In addition to FERPA, our practices are designed to align with the Children's Online Privacy Protection Act (COPPA) and applicable state student-privacy laws (such as SOPIPA-style statutes). We are happy to sign a school's or state's student data privacy agreement (SDPA) where required.
13. Contact
To request a Data Processing Addendum or discuss your institution's privacy requirements, contact privacy [at] concordiumos.com.