StudyStack
Log inStart Studying
For School Administrators

FERPA Compliance

StudyStack is built with student privacy as a core design principle. This page explains how we handle student education records in compliance with the Family Educational Rights and Privacy Act (FERPA).

Last updated: April 12, 2026

Encrypted at Rest & in Transit

All student data is encrypted using AES-256 at rest and TLS 1.3 in transit. No exceptions.

No Third-Party Sharing

Student education records are never sold, shared with advertisers, or disclosed to unauthorized third parties.

Teacher Controls

Teachers and administrators maintain full control over student data, including the ability to view, export, and delete.

Deletion on Request

Student data is permanently deleted within 30 days of a verified deletion request from an authorized party.

1. Our Role Under FERPA

When StudyStackis used in an educational setting, we operate as a "school official" with a legitimate educational interest under FERPA (34 CFR § 99.31(a)(1)). This means we access student education records only as necessary to provide the educational services contracted by the school or teacher.

We are under the direct control of the school or district with respect to the use and maintenance of education records, and we comply with the same conditions governing the use and re-disclosure of personally identifiable information (PII) from education records that apply to other school officials.

2. What Student Data We Process

StudyStack processes the minimum student data necessary to provide the Service:

  • Account information — Student name (or pseudonym) and class association, as provided by the teacher or school administrator.
  • Usage data — How students interact with assigned materials (completion status, time spent, scores on practice activities).
  • Generated content — Study materials and responses created by or for the student through the Service.

We do not collect Social Security numbers, biometric data, disciplinary records, health records, or any data beyond what is needed for the educational purpose.

3. Data Encryption and Security

3.1 Encryption in Transit

All data transmitted between users and StudyStack is encrypted using TLS 1.3. API communications with third-party services (database, AI processing, payment) are also encrypted end-to-end.

3.2 Encryption at Rest

Student data stored in our database is encrypted at rest using AES-256 encryption. Database backups are also encrypted. File uploads are stored in encrypted object storage.

3.3 Access Controls

Access to production systems containing student data is restricted to authorized personnel only, using multi-factor authentication and role-based access controls. All access is logged and auditable.

4. No Third-Party Sharing of Student Data

Student education records are never shared with unauthorized third parties. Specifically:

  • We do not sell student data. We will never sell student data.
  • We do not share student data with advertisers, data brokers, or marketing companies.
  • We do not use student data for targeted advertising or non-educational profiling.
  • Our AI processing partner (OpenAI) operates under a data processing agreement that prohibits use of student data for model training or any purpose other than generating the requested educational content.

5. Teacher and Administrator Controls

Teachers and school administrators have full control over student data within StudyStack:

  • View — Access all student records and activity associated with their classes.
  • Export — Download student data in standard formats (CSV, JSON) at any time.
  • Delete — Remove individual student records or bulk-delete class data. Deletion is permanent and irreversible after the 30-day soft-delete period.
  • Manage access — Control which students can access shared materials and activities.

6. Data Deletion

  1. Teachers and administrators may delete student data at any time through the Service dashboard or by contacting us.
  2. Upon receiving a verified deletion request, student data enters a 30-day soft-delete period during which it can be recovered if the request was made in error.
  3. After 30 days, all student data — including account information, usage data, generated content, and uploaded files — is permanently and irreversibly purged from all systems, including backups.
  4. End-of-year data cleanup tools are available for teachers who wish to purge all student data at the end of an academic term.

7. Breach Notification

In the unlikely event of a data breach involving student education records, we will:

  1. Notify affected schools and districts within 72 hours of discovering the breach.
  2. Provide a detailed incident report including the nature and scope of the breach, the data affected, and the remediation steps taken.
  3. Cooperate fully with school and district IT and legal teams during investigation and response.
  4. Comply with all applicable state breach notification laws.

8. SOC 2 Compliance Roadmap

SOC 2 Type II certification is on our roadmap.

We are actively working toward SOC 2 Type II certification to provide independent third-party assurance of our security controls. We currently follow SOC 2 Trust Service Criteria as our internal security framework. Contact us for our current security questionnaire and documentation.

9. Data Processing Agreements

We are happy to execute Data Processing Agreements (DPAs) with schools and districts. Our standard DPA covers FERPA, COPPA, and applicable state student privacy laws. Contact us at hello@study-stack.com to initiate a DPA.

10. Contact

For questions about our FERPA compliance, data handling practices, or to request a security review, please contact us:

Questions about student privacy?

We are happy to walk you through our security practices and provide any documentation your district needs.

Contact Us