FERPA Compliance

Last updated: February 26, 2026

1. Our Commitment to FERPA

Education Management Studio (d/b/a “EMStudio Pro”) is committed to protecting the privacy of student education records in accordance with the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g. We understand that educators trust us with sensitive student information, and we take that responsibility seriously. This page describes how EMStudio Pro supports FERPA compliance and the role educators play in maintaining compliance.

2. What Is FERPA

FERPA is a federal law that protects the privacy of student education records. It applies to all educational agencies and institutions that receive federal funding. Under FERPA:

  • Parents (and eligible students over 18) have the right to access and review their education records
  • Parents have the right to request corrections to inaccurate records
  • Schools must obtain written consent before disclosing personally identifiable information from education records, with certain exceptions
  • Schools may designate “school officials” with a “legitimate educational interest” to access education records without consent

FERPA defines “education records” broadly to include any records directly related to a student that are maintained by an educational agency or institution, or by a party acting for the agency or institution.

3. How EMStudio Pro Supports FERPA Compliance

EMStudio Pro is designed with privacy and security as foundational principles. The platform supports FERPA compliance through:

  • Data isolation: Each educator's data is completely isolated from all other users through Row-Level Security (RLS) policies enforced at the database level
  • Encryption: All data is encrypted in transit (TLS/SSL) and at rest in both our database (Supabase) and file storage (Cloudflare R2)
  • Minimal data collection: We only collect the data necessary for the educational services the platform provides
  • No student accounts: Students never interact directly with the platform, reducing the risk of unauthorized access to education records
  • No data monetization: We never sell, rent, or use student data for advertising, marketing, or any non-educational purpose
  • User-controlled deletion: Educators can delete student records at any time, and all data is permanently removed upon account deletion

4. Role of the Educator

Under FERPA, the responsibility for protecting student education records lies primarily with the educational institution and its authorized personnel. When educators use EMStudio Pro:

  • School-employed teachers: If you work for an educational institution that receives federal funding, your institution may designate you as a “school official” with a “legitimate educational interest,” which permits access to student records without parental consent. You are responsible for confirming that your use of EMStudio Pro is consistent with your institution's policies and FERPA requirements.
  • Private tutors and independent educators: If you are an independent educator, FERPA may apply to records you receive from a FERPA-covered institution. You should ensure that any student data you enter into EMStudio Pro has been obtained with proper authorization or consent.

EMStudio Pro acts as a service provider to educators, processing student data on their behalf. We do not independently determine the purposes or means of processing student data — those decisions are made by the educator.

5. Technical Safeguards

EMStudio Pro implements comprehensive technical safeguards to protect student education records:

  • Row-Level Security (RLS): Every database table enforces RLS policies at the PostgreSQL level. These policies ensure that database queries automatically filter results to only include the authenticated user's data. Even in the event of an application-level vulnerability, the database itself prevents cross-user data access.
  • Secure Authentication: User authentication is managed through Supabase Auth with secure session tokens, PKCE authorization flow, and encrypted cookie storage.
  • Encrypted Connections: All communication between client devices and our servers uses TLS/SSL encryption (HTTPS). Data at rest is encrypted in both our database and file storage systems.
  • Presigned File URLs: Uploaded files are not publicly accessible. They are served through time-limited presigned URLs that expire after a short period, preventing unauthorized access to file content.
  • No Shared Data: There are no features in EMStudio Pro that allow users to share data with other users. Each account is entirely self-contained.

6. Data Access Controls

Access to student data within EMStudio Pro is strictly controlled:

  • Only the educator who created a record can view, edit, or delete it
  • There is no administrative “super user” access that allows viewing of other users' student data through the application interface
  • Database access by our engineering team is limited to operational necessity and does not involve routine viewing of student records
  • All database access is logged and auditable

7. Data Minimization

EMStudio Pro follows the principle of data minimization. We only collect and store the data that is necessary for the educational management services the platform provides:

  • Student records contain only the information educators choose to enter (names, grades, attendance, etc.)
  • We do not require or collect student Social Security numbers, home addresses, medical records, or other sensitive personal identifiers
  • We do not collect biometric data, geolocation data, or behavioral tracking data from students
  • Educators control what information they enter and can delete data at any time

8. Parental Rights

FERPA grants parents (and eligible students) specific rights regarding education records. EMStudio Pro supports these rights as follows:

  • Right to Access: Parents may request to inspect and review their child's education records through the educator. Educators can view and share (e.g., print or export) individual student records, grades, attendance, and report cards as needed to fulfill access requests.
  • Right to Amendment: Parents may request corrections to inaccurate records. Educators can edit any student record in the platform to correct errors.
  • Right to Consent: Parents have the right to consent before personally identifiable information from education records is disclosed. Educators are responsible for obtaining appropriate consent where required under FERPA.

9. Data Breach Response Procedures

In the unlikely event of a data breach affecting student education records, EMStudio Pro will:

  • Investigate and contain the breach as quickly as possible
  • Notify affected educators within 72 hours of becoming aware of the breach
  • Provide a clear description of what data was affected and what steps are being taken to address the breach
  • Cooperate with educators and their institutions in notifying parents and relevant authorities as required by law
  • Implement additional safeguards to prevent similar incidents in the future

If you suspect unauthorized access to your account or student data, please contact us immediately at info@emstudio.pro.

10. Data Retention and Disposal

We retain student education records for as long as the educator's account remains active. Our data retention practices include:

  • Educators can delete individual student records, classes, grades, and other data at any time
  • Upon account deletion, all associated data (including student records, uploaded files, and metadata) is permanently removed within 30 days
  • Backup copies are purged within 90 days of deletion
  • We do not retain student data after it is no longer needed to provide the service

For details on our full data retention practices, please see our Privacy Policy.

11. Contact Information

If you have questions about our FERPA compliance practices or need to report a data security concern, please contact us:

Education Management Studio
d/b/a EMStudio Pro
Email: info@emstudio.pro

Related Policies