← Back to HeuriSight.com

FERPA Compliance

What is FERPA?

FERPA (20 U.S.C. § 1232g; 34 CFR Part 99) is a federal privacy law that gives parents and eligible students (18+) certain rights with respect to their education records, including:

• Right to inspect and review educational records maintained by the school
• Right to request corrections to records believed to be inaccurate or misleading
• Right to control disclosure of personally identifiable information from education records
• Right to file complaints with the U.S. Department of Education

How HeuriSight Complies with FERPA

School Official Status

When providing services to educational institutions, HeuriSight operates as a "School Official" with "legitimate educational interest" under FERPA.

This means we:

• ✓ Only access student data for authorized institutional purposes (assessment, learning analytics)
• ✓ Maintain strict confidentiality and security of all educational records
• ✓ Do not re-disclose personally identifiable information without proper authorization
• ✓ Return or securely destroy data upon contract termination

Data Minimization

We only collect and process the minimum data necessary to provide our services:

• Student name, email, and ID (as provided by institution)
• Academic work submitted through the platform
• Assessment conversations and results
• Learning analytics generated from student interactions

We do NOT collect:

• ❌ Social Security numbers
• ❌ Financial information
• ❌ Medical or health records
• ❌ Disciplinary records
• ❌ Unnecessary personal information

Access Controls

HeuriSight implements role-based access controls to ensure only authorized users can access student data:

• Students can only see their own data
• Instructors can only access data for students in their courses
• Facilitators can access data for students in cohorts they manage
• Administrators have institution-wide access per their authorization level

Data Security

All student data is protected with enterprise-grade security measures:

• Encryption in transit (TLS 1.3+)
• Encryption at rest (AES-256)
• Multi-factor authentication for administrative access
• Regular security audits and penetration testing
• 24/7 security monitoring

Third-Party Service Providers

HeuriSight uses the following third-party services, all under strict data processing agreements that ensure FERPA compliance:

• AWS (Amazon Web Services): Cloud infrastructure and secure storage
• Auth0: Authentication and identity management
• OpenAI: AI processing (data processing agreement in place, no training on student data)
• Neo4j: Secure graph database services
• Pinecone: Vector database services

Key Protections:

• All vendors are contractually prohibited from using student data for any purpose other than providing services to HeuriSight
• Student data is never used to train third-party AI models
• All vendors maintain SOC 2 Type II compliance or equivalent

Student & Parent Rights

Under FERPA, students (or parents of students under 18) have the right to:

• Request access to their education records through their institution
• Request correction of inaccurate or misleading records
• Provide consent before personally identifiable information is shared (except where FERPA allows disclosure)
• File complaints with the U.S. Department of Education if they believe their rights have been violated

To exercise these rights, students or parents should contact their institution's registrar or educational records office.

Questions About FERPA Compliance?

If you have questions about how HeuriSight complies with FERPA:

Email: LokeshDani@xopol.is
Subject: "FERPA Compliance Question"

For formal FERPA inquiries or to file a complaint, contact:

Family Policy Compliance Office
U.S. Department of Education
400 Maryland Avenue, SW
Washington, DC 20202-8520
Website: ed.gov/ferpa

---

Last Updated: December 1, 2025
© 2025 HeuriSight by Xopolis Inc. • Virginia C-Corporation