TeachStack is FERPA Compliant

What FERPA Requires

FERPA (the Family Educational Rights and Privacy Act) is a federal law that protects the privacy of student education records. It gives parents and eligible students the right to access, correct, and control the disclosure of those records. Schools may share student records with service providers like TeachStackonly when we operate under the school's direct control and use the data exclusively to provide educational services.

How TeachStack Complies

• We never sell student data to third parties.
• Student data is used only to provide the TeachStack service.
• We delete student data within 30 days of account deletion.
• All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
• Teachers control what content is shared with students.

What Data We Collect

Data Retention

1. Our Role Under FERPA

When TeachStackis used in an educational setting, we operate as a "school official" with a legitimate educational interest under FERPA (34 CFR § 99.31(a)(1)). This means we access student education records only as necessary to provide the educational services contracted by the school or teacher.

We are under the direct control of the school or district with respect to the use and maintenance of education records, and we comply with the same conditions governing the use and re-disclosure of personally identifiable information (PII) from education records that apply to other school officials.

2. What Student Data We Process

TeachStack processes the minimum student data necessary to provide the Service:

• Account information — Student name (or pseudonym) and class association, as provided by the teacher or school administrator.
• Usage data — How students interact with assigned materials (completion status, time spent, scores on practice activities).
• Generated content — Study materials and responses created by or for the student through the Service.

We do not collect Social Security numbers, biometric data, disciplinary records, health records, or any data beyond what is needed for the educational purpose.

3. Data Encryption and Security

3.1 Encryption in Transit

All data transmitted between users and TeachStack is encrypted using TLS 1.3. API communications with third-party services (database, AI processing, payment) are also encrypted end-to-end.

3.2 Encryption at Rest

Student data stored in our database is encrypted at rest using AES-256 encryption. Database backups are also encrypted. File uploads are stored in encrypted object storage.

3.3 Access Controls

Access to production systems containing student data is restricted to authorized personnel only, using multi-factor authentication and role-based access controls. All access is logged and auditable.

4. No Third-Party Sharing of Student Data

Student education records are never shared with unauthorized third parties. Specifically:

• We do not sell student data. We will never sell student data.
• We do not share student data with advertisers, data brokers, or marketing companies.
• We do not use student data for targeted advertising or non-educational profiling.
• Our AI processing partner (OpenAI) operates under a data processing agreement that prohibits use of student data for model training or any purpose other than generating the requested educational content.

5. Teacher and Administrator Controls

Teachers and school administrators have full control over student data within TeachStack:

• View — Access all student records and activity associated with their classes.
• Export — Download student data in standard formats (CSV, JSON) at any time.
• Delete — Remove individual student records or bulk-delete class data. Deletion is permanent and irreversible after the 30-day soft-delete period.
• Manage access — Control which students can access shared materials and activities.

6. Data Deletion

1. Teachers and administrators may delete student data at any time through the Service dashboard or by contacting us.
2. Upon receiving a verified deletion request, student data enters a 30-day soft-delete period during which it can be recovered if the request was made in error.
3. After 30 days, all student data — including account information, usage data, generated content, and uploaded files — is permanently and irreversibly purged from all systems, including backups.
4. End-of-year data cleanup tools are available for teachers who wish to purge all student data at the end of an academic term.

7. Breach Notification

In the unlikely event of a data breach involving student education records, we will:

1. Notify affected schools and districts within 72 hours of discovering the breach.
2. Provide a detailed incident report including the nature and scope of the breach, the data affected, and the remediation steps taken.
3. Cooperate fully with school and district IT and legal teams during investigation and response.
4. Comply with all applicable state breach notification laws.

8. SOC 2 Compliance Roadmap

9. Data Processing Agreements

We are happy to execute Data Processing Agreements (DPAs) with schools and districts. Our standard DPA covers FERPA, COPPA, and applicable state student privacy laws. Contact us at privacy@teach-stack.com to initiate a DPA.

10. Contact for Data Requests

For data deletion requests, FERPA inquiries, or parent access requests, please contact our privacy team directly:

• Privacy email: privacy@teach-stack.com
• General inquiries: hello@teach-stack.com
• Company: Leonenko Group LLC