FERPA Compliance Notice

Last Updated: July 4, 2025

Overview

Speddy is committed to protecting the privacy of student educational records in compliance with the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g.

Our Role Under FERPA

When providing services to educational institutions, Speddy operates as:

  • A "School Official" with legitimate educational interests
  • Under direct control of the school district regarding education records
  • Subject to FERPA's use and re-disclosure requirements

What is FERPA?

FERPA is a federal law that protects the privacy of student education records. It gives parents certain rights regarding their children's education records, which transfer to students at age 18.

How Speddy Ensures FERPA Compliance

1. Limited Access

  • Only authorized school personnel can access student data
  • Each user sees only their assigned students
  • Role-based permissions restrict data access

2. Purpose Limitation

We use student data ONLY for:

  • Scheduling special education services
  • Tracking IEP-related sessions
  • Generating required documentation
  • Facilitating service delivery

3. No Unauthorized Disclosure

We NEVER:

  • Sell student data
  • Share data for marketing purposes
  • Disclose records without proper authorization
  • Use student data for purposes beyond service delivery

4. Security Measures

  • Encryption of all data in transit and at rest
  • Secure authentication systems
  • Regular security audits
  • Employee training on FERPA requirements

Parent and Eligible Student Rights

Under FERPA, parents and eligible students have the right to:

  1. Inspect and Review education records
  2. Request Corrections to inaccurate records
  3. Consent to Disclosures (with certain exceptions)
  4. File a Complaint with the U.S. Department of Education

Directory Information

Speddy does not collect or maintain directory information. All student data is treated as confidential educational records.

Data Minimization

We practice data minimization by:

  • Collecting only essential information for service delivery
  • Using initials instead of full names where possible
  • Not collecting unnecessary personal information
  • Allowing schools to control what data is entered

Consent and Authorization

Schools must ensure they have appropriate consent before entering student data into Speddy. We rely on schools to:

  • Obtain necessary parental consent
  • Verify authorized user access
  • Maintain consent documentation

Audit Rights

Schools maintain the right to:

  • Audit our FERPA compliance
  • Review access logs
  • Request compliance documentation
  • Inspect security measures

Subprocessors and Third Parties

Our subprocessors who may process educational data:

  • Supabase: Database services (FERPA-compliant infrastructure)
  • Anthropic: AI services (receives only anonymized prompts)

Stripe processes payments but never receives student data.

Data Retention and Deletion

  • Data is retained while students are actively receiving services
  • Schools control retention periods
  • Data is permanently deleted upon school request
  • No data is retained after contract termination

Training and Awareness

All Speddy team members with potential access to student data:

  • Receive FERPA training
  • Sign confidentiality agreements
  • Understand use limitations
  • Follow data protection protocols

Incident Response

In case of any incident potentially affecting student data:

  1. Immediate containment measures
  2. Notification to affected schools within 48 hours
  3. Full cooperation with school investigation
  4. Remediation and prevention measures

School Responsibilities

Schools using Speddy must:

  • Designate Speddy as a "school official" in their FERPA notice
  • Ensure users are authorized to access student records
  • Maintain appropriate consent documentation
  • Supervise use of student data in the system

Questions and Complaints

For FERPA questions about Speddy:

Blair Stewart
[EMAIL PLACEHOLDER]
[ADDRESS PLACEHOLDER]

For FERPA complaints:

Family Policy Compliance Office
U.S. Department of Education
400 Maryland Avenue, SW
Washington, DC 20202-8520

Annual Notification

Schools should include Speddy in their annual FERPA notification as a designated school official with legitimate educational interests in:

  • Scheduling special education services
  • Maintaining service delivery records
  • Supporting IEP implementation

Best Practices for Schools

1. User Management

  • Regularly review user access
  • Remove access for departed employees
  • Use role-based permissions appropriately

2. Data Entry

  • Enter minimum necessary information
  • Use initials when full names aren't required
  • Verify accuracy of entered data

3. Consent Documentation

  • Maintain records of parental consent
  • Document legitimate educational interest
  • Keep authorization records current

Compliance Certification

Speddy certifies that:

  • We understand FERPA requirements
  • We will use education records only as directed
  • We will not disclose records without authorization
  • We maintain appropriate security safeguards

This notice is provided for informational purposes. Schools should consult their own legal counsel regarding FERPA compliance.

Return to Login