
FERPA Compliance

Effective as of April 14, 2026  ·  Last updated: April 14, 2026

Questions? Email [email protected]. See also our Privacy Policy and Data Processing Agreement.

1. What is FERPA · 2. Our Role · 3. School Official Status · 4. What Records We Access · 5. IEP Document Processing · 6. Sub-Processors & AI · 7. Disclosure & Re-Disclosure · 8. Breach Notification · 9. Parent & Student Rights · 10. Data Processing Agreement · 11. Contact

For K–12 schools and LEAs: This page explains exactly how Angstroma handles student education records under FERPA. A signed Data Processing Agreement (DPA) is required before activating any student-linked feature. Contact [email protected] to request a DPA.

1. What is FERPA?

The Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, together with its implementing regulations at 34 C.F.R. Part 99, is a federal law that protects the privacy of student education records. FERPA applies to all educational institutions that receive funding from the U.S. Department of Education — including virtually all public K–12 schools and most private schools.

FERPA gives parents (and students who have reached age 18 or attend a post-secondary institution — "eligible students") specific rights regarding their children's education records, including the right to inspect, correct, and control disclosure of those records.

Angstroma is designed to help schools comply with FERPA when using our accessibility services. This page explains our obligations and yours.

2. Our Role: Data Processor

Under FERPA and applicable data protection law, Angstroma operates as a data processor (a "school official" under FERPA). The school — the Local Education Agency (LEA) or educational institution — remains the data controller for all student education records.

What this means in practice: The school decides what student data to share with Angstroma, for what purpose, and retains full legal responsibility for compliance with FERPA, COPPA, IDEA, and applicable state law. Angstroma processes student data only on the school's documented instructions.

Angstroma does not independently determine the purposes or means of processing student education records. We process only what the school provides, for the accessibility services the school has contracted.

3. School Official Status (34 C.F.R. § 99.31(a)(1))

FERPA permits schools to disclose education records — without prior parental consent — to "school officials" who have a "legitimate educational interest" in the records. 34 C.F.R. § 99.31(a)(1).

Schools that execute a Data Processing Agreement (DPA) with Angstroma formally designate Angstroma as a school official for the purpose of providing accessibility services. Our legitimate educational interest is:

  • Reading IEP documents to extract accessibility accommodation types
  • Configuring accessibility features on behalf of enrolled students
  • Providing teachers and administrators with accommodation compliance dashboards

This designation is limited. Angstroma accesses education records only to the extent necessary to deliver contracted accessibility services — and for no other purpose.

Schools must include Angstroma in their Annual FERPA Notice if they designate us as a school official. The annual notice must identify the criteria used to determine who constitutes a school official and what constitutes a legitimate educational interest. Contact [email protected] for suggested FERPA notice language.

4. What Education Records We Access

Record Type | What We Access | What We Do NOT Access
--- | --- | ---
Student identifier | School-assigned opaque ID (e.g., "student_4821") — not the student's name or SSN | Name, SSN, government-issued ID
IEP document | Full document text for extraction — immediately redacted before any external processing; source file deleted after parsing | We do not retain IEP document text in any database
Accommodation types | Extracted accommodation categories (e.g., "TextToSpeech", "LargeFont") — anonymized | Medical diagnoses, narrative descriptions with identifying information
Accessibility preferences | Feature toggle states and values set by or for the student | Assessment scores, grades, disciplinary records
Usage telemetry | Aggregated counts of which features the student activates | Individual keystrokes, content viewed, browsing behavior

5. IEP Document Processing

IEP documents contain some of the most sensitive student education records. Angstroma applies multiple layers of protection:

  1. Secure Upload. IEP files are uploaded directly to Angstroma's encrypted storage over TLS 1.3. Files are never cached at CDN level.
  2. Automated PII Redaction. Before any content leaves our systems, an automated redaction engine processes the document text. It identifies and replaces: student names → [STUDENT]; dates of birth → [DATE]; parent/guardian names → [GUARDIAN]; phone numbers → [PHONE]; email addresses → [EMAIL]; street addresses → [ADDRESS]; SSNs → [SSN]; and other direct identifiers. The number of redactions is logged (for audit purposes) but the original values are never logged.
  3. AI Extraction (Redacted Text Only). The redacted document text is transmitted to Anthropic's Claude AI to identify accommodation types. Anthropic receives only de-identified text — no student names, dates, or identifiers.
  4. Immediate File Deletion. Upon completion of processing (whether successful or failed), the source IEP file is permanently and irreversibly deleted from our storage. This deletion is logged in our immutable audit trail.
  5. Accommodation Storage. Only the accommodation type codes (e.g., TextToSpeech, LargeFont) and brief anonymized descriptions are stored in our database — linked to the school's opaque student identifier, never to the student's name.

Result: After IEP processing, Angstroma's database contains only: an opaque student ID, a list of accommodation types, and anonymized feature preferences. No PII from the original IEP document is retained.
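The redaction and count-only logging described in steps 2 and 3 can be sketched as follows. This is an added example, not Angstroma's code: the function names, the regular expressions, the caller-supplied name lists and the `safe_to_send` residual check are all assumptions made for illustration, and the sample text is constructed.

```python
import re
from collections import Counter

# Strict patterns for direct identifiers; placeholders are the ones named in step 2.
PATTERNS = [
    ("[EMAIL]", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("[SSN]", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("[PHONE]", re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)")),
    ("[DATE]", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
]
# Loose post-redaction detectors: anything still identifier-like blocks release.
RESIDUAL = [re.compile(r"\d{7,}"), re.compile(r"@")]

def redact(text, known_names=None):
    """Return (redacted_text, counts); counts maps placeholder -> replacements made."""
    counts = Counter()
    # Assumption: names are supplied by the caller as {placeholder: [names]}.
    for placeholder, names in (known_names or {}).items():
        for name in sorted(names, key=len, reverse=True):
            text, n = re.subn(r"\b" + re.escape(name) + r"\b", placeholder, text, flags=re.I)
            counts[placeholder] += n
    for placeholder, pattern in PATTERNS:
        text, n = pattern.subn(placeholder, text)
        counts[placeholder] += n
    return text, dict(counts)

def audit_record(doc_id, counts):
    """Audit entry holds counts only; original values never reach the log."""
    return {"doc": doc_id, "redactions": counts, "total": sum(counts.values())}

def safe_to_send(redacted_text):
    """Fail closed: refuse external transmission if anything identifier-like remains."""
    return not any(p.search(redacted_text) for p in RESIDUAL)

# Constructed sample text (not a real IEP); all values are fictional.
SAMPLE = (
    "Student: Jordan Rivera, DOB 03/14/2012. Guardian: Alex Rivera, "
    "phone (555) 010-4477, email alex.rivera@example.com. SSN 000-12-3456. "
    "Accommodations: text-to-speech for reading; large font (18pt) on handouts."
)
NAMES = {"[STUDENT]": ["Jordan Rivera"], "[GUARDIAN]": ["Alex Rivera"]}

if __name__ == "__main__":
    redacted, counts = redact(SAMPLE, NAMES)
    print(redacted)
    print(audit_record("doc-0001", counts), "safe_to_send:", safe_to_send(redacted))
```

An unformatted identifier such as a nine-digit SSN without dashes passes the strict patterns untouched, which is why the residual check runs before anything is sent out and blocks the document instead of trusting the redactor.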

6. Sub-Processors & AI

The following sub-processors may handle student education records as part of delivering Angstroma's accessibility services:

Sub-Processor | Role | Data Accessed | Location
--- | --- | --- | ---
Microsoft Azure | Cloud hosting, encrypted database, blob storage | All student data (encrypted at rest, AES-256) | United States
Anthropic (Claude AI) | IEP accommodation extraction | Redacted IEP text only — no identifiable student information | United States
Cloudflare | WAF, DDoS protection, TLS termination | IP addresses only (no education record content) | Global
Sentry | Error monitoring | Error context only — student IDs excluded from error reports | United States

Angstroma maintains Data Processing Agreements with all sub-processors that handle student data. Contact [email protected] for a complete sub-processor list and copies of applicable DPAs.

7. Disclosure & Re-Disclosure Prohibition

Angstroma will not disclose student education records to any third party except:

  • To sub-processors listed in Section 6, as necessary to deliver contracted services
  • As explicitly authorized in writing by the school's Data Processing Agreement
  • As required by a court order or other applicable law — in which case Angstroma will notify the school prior to disclosure unless legally prohibited from doing so

Angstroma will never:

  • Sell, rent, or trade student education records
  • Use student data for advertising, marketing, or any commercial purpose
  • Disclose student data to other Angstroma customers or to the public
  • Use student data to build profiles for purposes unrelated to accessibility service delivery

8. Breach Notification

In the event of any unauthorized access to, or accidental or unlawful destruction, loss, alteration, or disclosure of, student education records:

  • Angstroma will notify the affected school(s) within 48 hours of becoming aware of the incident
  • Notification will include: the nature of the incident, the categories of records involved, the approximate number of students affected, the likely consequences, and the measures taken or proposed to address the incident
  • Angstroma will cooperate fully with the school's incident response and any regulatory investigation
  • We will provide regular updates until the incident is fully resolved and remediated

To report a suspected security incident: [email protected]

9. Parent & Eligible Student Rights

Under FERPA, parents (and eligible students) have the right to:

  • Inspect and review education records maintained by Angstroma on behalf of the school
  • Request amendment of records believed to be inaccurate, misleading, or in violation of privacy rights
  • Request deletion of all data associated with their child or themselves
  • Receive a copy of their child's data in a machine-readable format

These rights are exercised through the school, which is the data controller. Schools submit requests to Angstroma at [email protected] with the subject line "FERPA Data Request — [School Name]". Angstroma responds and acts within 30 days. All deletion requests are confirmed in writing.

Parents and students: Please contact your school's FERPA coordinator to exercise your rights. Your school will coordinate the request with Angstroma on your behalf.

10. Data Processing Agreement (DPA)

A signed DPA is required before any school activates IEP upload, student profile linking, or any other student-data feature in Angstroma. The DPA:

  • Formally designates Angstroma as a school official under 34 C.F.R. § 99.31(a)(1)
  • Establishes the controller/processor relationship
  • Lists authorized sub-processors and their roles
  • Sets data retention and deletion schedules
  • Defines security requirements and incident response obligations
  • Provides mechanisms for parent and eligible student rights requests
  • Includes representations required for COPPA compliance (16 C.F.R. Part 312)

The DPA is provided at no additional cost to Schools tier subscribers. Contact [email protected] to request, review, and execute a DPA.

11. Contact

FERPA / student privacy: [email protected]
DPA requests: [email protected]
Security incidents: [email protected]
Legal inquiries: [email protected]