EMStudioLegal

FERPA Compliance

Last updated: Last updated: April 12, 2026

Summary

EMStudio is built to protect student education records in line with FERPA. Student data always belongs to the school. We never sell, advertise with, or mine student data. Schools that want a formal relationship can sign our ready-made Data Processing Addendum.

1. What Is FERPA?

The Family Educational Rights and Privacy Act (FERPA) is a US federal law that protects the privacy of student education records. It applies to all schools that receive funding from the US Department of Education — which includes virtually all public schools and most private institutions.

FERPA gives parents (and students over 18) the right to access their education records, request corrections, and control disclosures. Schools may share records with “school officials” who have a “legitimate educational interest” — this is how ed-tech vendors like EMStudio fit into the FERPA framework. For schools with students under 13, the related Children's Online Privacy Protection Act (COPPA) may also apply — see our COPPA Compliance page for details.

2. How FERPA Works with EMStudio

FERPA is a law that applies to schools, not directly to software vendors. Ed-tech tools like EMStudio become part of the FERPA framework when a school formally designates them as a “school official with legitimate educational interest.”

We build and operate EMStudio as if FERPA applies to us. Every practice described on this page is already in place — not waiting for a school to ask. Teachers can use EMStudio knowing that student data is handled in line with FERPA principles, regardless of whether their school has formally designated us. Our broader privacy commitments are detailed in our Privacy Policy and Commitments page.

For schools that want a formal relationship, we have a pre-built Data Processing Addendum (DPA) ready to sign, with all FERPA-required clauses included.

3. Who Owns Student Records

The school always owns student education records. EMStudio does not claim any ownership, license, or rights over student data entered by teachers. We are a tool that stores and organizes data on the teacher's behalf — we are not the source, authority, or owner of that data.

When a teacher deletes student data or closes their account, we permanently erase all associated records from our systems. See our Privacy Policy data retention section for details. Data ownership is also formalized in Section 5 of our Terms of Service.

4. What Counts as an Education Record

FERPA defines different categories of records. Here's how they map to EMStudio:

CategoryExamples in EMStudioFERPA Status
Protected education recordsGrades, attendance, transcripts, disciplinary notes shared with administrationProtected — requires authorization for disclosure
Directory informationStudent name, grade level, enrollment statusMay be disclosed if school has designated it — we do not publish or disclose any student information
Sole-possession teacher notesPersonal teaching notes kept by one teacher, never shared with othersExcluded from FERPA — not considered education records if kept solely by the teacher

EMStudio is a single-teacher tool — data entered by one teacher is never visible to other teachers, administrators, or anyone else. In many cases, data entered in EMStudio may qualify as sole-possession notes (excluded from FERPA). However, if a teacher shares reports or exports data to school administration, the records may become education records subject to FERPA. For a full breakdown of what data EMStudio collects, see the Data We Collect section of our Privacy Policy.

5. How We Support Schools

If a school designates EMStudio as a school official, we support the school's FERPA obligations by:

  • Processing student data solely under the school's direction and for educational purposes only
  • Maintaining strict access controls — only the teacher who entered the data can access it
  • Never disclosing student data to third parties except as described in our Sub-Processors page (all under contractual data protection obligations)
  • Returning or destroying data on school request
  • Cooperating with parent access and amendment requests directed through the school
  • Maintaining reasonable security measures as described on our Security page

6. Valid vs. Invalid Uses of Student Data

Valid Uses (what we do)Invalid Uses (what we never do)
Store and organize student records for teacher useTargeted advertising based on student data
Generate grade reports and attendance summariesBuilding marketing or behavioral profiles of students
Track IEP/504 accommodations for teacher referenceSelling or renting student data to any party
Provide lesson planning AI assistance (no student data sent — see AI Features & Data)Training AI models on student data
Export data for teacher or school useResearch unrelated to the educational purpose
Delete data on teacher or school requestData mining for commercial purposes

7. Directory Information

FERPA allows schools to designate certain information as “directory information” that may be disclosed without consent (e.g., student name, grade level). EMStudio does not publish, display publicly, or disclose any student information — including directory information. All student data is visible only to the teacher who entered it. Our Transparency page details everything we share and with whom.

8. Access & Amendment Rights

Under FERPA, parents (and eligible students over 18) have the right to inspect and review their education records and request amendments.

Since EMStudio is a teacher-facing tool:

  • Access requests should be directed to the school, which directs the teacher. Teachers can export any student's data from within EMStudio.
  • Amendment requests should follow the school's amendment procedure. Teachers can edit any student record directly in the app.
  • If a parent contacts EMStudio directly at info@emstudio.pro, we will direct them to the appropriate school or teacher and cooperate fully with the request.

9. No Re-Disclosure

EMStudio does not re-disclose student education records to any third party beyond the sub-processors necessary to operate the service. We do not share student data with other schools, teachers, researchers, marketers, or any other entity. Every sub-processor is under contractual obligations that prohibit re-disclosure — see our sub-processor student data breakdown for exactly what each vendor can access.

10. Data Security

We protect student education records with multiple layers of security:

  • Encryption in transit: All data transmitted over TLS 1.3
  • Encryption at rest: AES-256 encryption on all stored data
  • Row-Level Security: Database policies ensure each teacher can only access their own data — no teacher can ever see another teacher's students
  • Authentication: Secure authentication via Supabase with OAuth and email/password options
  • Access controls: Only the teacher who created a record can view, edit, or delete it
  • Rate limiting: Protection against brute-force and automated attacks
  • Content Security Policy: Strict CSP headers to prevent cross-site scripting and injection attacks

For complete details, see our Security page.

11. Breach Notification

In the event of a data breach affecting student education records:

  • If we have a formal relationship with a school via a DPA, we will notify the school within 24 hours of becoming aware of the breach
  • We will notify affected teachers without undue delay
  • Our notification will include: what happened, what data was affected, what we are doing about it, and recommended steps for the school
  • We will cooperate with the school's own notification obligations to parents and the Department of Education

For GDPR-specific breach notification timelines (72 hours to supervisory authority), see our GDPR Compliance page.

12. Data Return & Destruction

Upon request from a school or teacher, we will return all student data in a portable format (CSV spreadsheets in a ZIP file) and permanently delete it from our systems, including all sub-processors, within 30 days.

Teachers can self-serve this process at any time: export data from Settings, then delete their account. No email or support ticket required.

13. School-Official Designation

Ready when you are

If your school wants to formally designate EMStudio as a school official under FERPA, we have a pre-built Data Processing Addendum ready to sign. It includes all FERPA-required clauses, sub-processor lists, security measures, and breach notification commitments. Contact us at info@emstudio.pro to get started.

The DPA establishes:

  • EMStudio as a school official with legitimate educational interest
  • The school as the controller of student education records
  • EMStudio's obligations to process data only under the school's direction
  • Breach notification timelines (24 hours to the school)
  • Data return and destruction procedures
  • Sub-processor disclosure and change notification (30 days advance notice)
  • Standard Contractual Clauses for international data transfers (if applicable)

14. Contact

For questions about FERPA compliance, to initiate a school-official designation, or to request a signed Data Processing Addendum:

Education Management Studio
d/b/a EMStudio
Email: info@emstudio.pro

Related Policies