126 changes: 126 additions & 0 deletions apps/console/public/data/frameworks/FERPA.json
@@ -0,0 +1,126 @@
{
"id": "FERPA",
"name": "FERPA",
"logo": {
@cubic-dev-ai cubic-dev-ai bot Mar 13, 2026
P2: Don't include an empty logo object here; importing it creates empty logo files instead of falling back to the framework name.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/console/public/data/frameworks/FERPA.json, line 4:

<comment>Don't include an empty `logo` object here; importing it creates empty logo files instead of falling back to the framework name.</comment>

<file context>
@@ -0,0 +1,126 @@
+{
+    "id": "FERPA",
+    "name": "FERPA",
+    "logo": {
+      "light": "",
+       "dark": ""
</file context>

"light": "",
"dark": ""
},
"controls":[
{
"id": "1.1",
"description": "The provider qualifies as a 'school official' under the school official exception only if it meets all three conditions simultaneously: (1) it performs an institutional service or function for which the educational institution would otherwise use its own employees; (2) it is under the direct control of the institution with respect to the use and maintenance of education records; and (3) it is subject to the redisclosure limitations of § 99.33(a). All three conditions must be satisfied concurrently — none is optional. (34 CFR § 99.31(a)(1)(i)(B))"
},
{
"id": "1.2",
"description": "The provider must be formally designated as a school official with legitimate educational interest in the institution's annual FERPA notification to parents and eligible students. This designation must precede any disclosure of PII from education records. The provider cannot operate as a school official unless the institution has fulfilled this notification requirement and the provider's function is included within the scope of legitimate educational interest described in that notice. (34 CFR § 99.31(a)(1)(i)(A), § 99.7(a)(3)(iii); PTAC Vendor Guidance, 2015)"
},
{
"id": "1.3",
"description": "The provider must maintain a written agreement (contract or equivalent legal instrument) with the institution that establishes and documents the direct control requirement. The agreement must specify: the authorized purposes for which PII may be used; prohibitions on unauthorized use and redisclosure; data security and confidentiality obligations; and data return or destruction provisions upon contract termination. In the absence of a traditional contract, a Click-Wrap Terms of Service accepted by the institution may fulfill this requirement only if it contains all legally necessary provisions. (34 CFR § 99.31(a)(1)(i)(B); PTAC Online Educational Services guidance, 2014)"
},
{
"id": "1.4",
"description": "The institution retains responsibility for compliance with FERPA at all times, even when PII from education records is disclosed to the provider under the school official exception. The institution must be able to demonstrate that it exercises direct control over the provider's use and maintenance of PII. The provider must cooperate fully with any institutional audit, inquiry, or oversight action necessary to establish this direct control. (34 CFR § 99.31(a)(1)(i)(B)(*2*); PTAC Vendor FAQ, 2015)"
},
{
"id": "2.1",
"description": "The provider may only access, collect, process, or use the minimum amount of PII from education records strictly necessary to perform the contracted institutional function. Collection of PII beyond what is required for the specified purpose constitutes an unauthorized use of education records. This data minimization obligation applies to all forms of student data, including metadata, transactional data, and contextual data generated through student interaction with the provider's service. (34 CFR § 99.31(a)(1)(i)(B)(*1*); PTAC TOS Model, provision 5, 2016)"
},
{
"id": "2.2",
"description": "The provider must treat as PII all information that constitutes 'personally identifiable information' under FERPA, which includes: (a) direct identifiers such as student name, student ID number, social security number, and biometric records; (b) indirect identifiers such as date of birth, place of birth, mother's maiden name; and (c) any other information that, alone or in combination with other reasonably available information, would allow a reasonable person in the school community to identify the student. Metadata linked to an identifiable student is also PII. Only data from which all direct and indirect identifiers have been removed using a documented de-identification methodology constitutes de-identified data not subject to FERPA restrictions. (34 CFR § 99.3 definition of 'personally identifiable information'; PTAC Online Educational Services guidance, 2014)"
},
{
"id": "2.3",
"description": "The provider's contractual definition of 'data' or 'student information' subject to protection must encompass the full scope of FERPA-protected PII, including PII provided directly by the institution, PII generated by student interaction with the service, and metadata that could be linked to an identifiable student. Definitions that restrict protection to only information 'knowingly provided' or only direct identifiers are insufficient and create compliance gaps. (34 CFR § 99.3; PTAC TOS Model, provision 1, 2016)"
},
{
"id": "3.1",
"description": "The provider must implement and maintain administrative, physical, and technical safeguards appropriate to the sensitivity of the PII held, designed to protect education records against unauthorized access, disclosure, use, modification, or destruction. The provider must conduct periodic risk assessments to identify and remediate security vulnerabilities in a timely manner. Evidence of these security controls must be available to the institution upon request. (34 CFR § 99.31(a)(1)(i)(B)(*2*) direct control requirement; PTAC TOS Model, provision 12, 2016)"
},
{
"id": "3.2",
"description": "The provider must maintain a written incident response plan covering security breaches involving PII from education records. The plan must include: procedures for detecting and containing a breach; notification timelines and procedures for informing the institution without undue delay upon discovery of an actual or suspected breach; a description of the breach and affected data; and remediation steps. The provider must share this plan with the institution upon request. Breach notification obligations to students and parents are the institution's responsibility and must be supported by the provider. (34 CFR § 99.31(a)(1)(i)(B)(*2*); PTAC TOS Model, provision 12, 2016; PTAC Data Breach Response Checklist)"
},
{
"id": "3.3",
"description": "The provider must restrict internal access to PII from education records on a need-to-know basis. Only personnel who require access to PII to perform their function under the contract may access such records. The provider must implement access controls and authentication mechanisms to enforce this restriction and must maintain records of which personnel have accessed education records. (34 CFR § 99.31(a)(1)(i)(B)(*2*); 34 CFR § 99.31(c) authentication requirement)"
},
{
"id": "3.4",
"description": "The provider must notify the institution of any planned changes to its terms of service, privacy policy, or data processing practices that would affect the use or protection of PII from education records before implementing such changes. Any material modification to data use, security controls, or subprocessor arrangements requires prior notice to and consent from the institution. Unilateral amendments without notice undermine the institution's ability to demonstrate direct control and constitute a FERPA compliance risk. (34 CFR § 99.31(a)(1)(i)(B)(*2*); PTAC TOS Model, provision 4, 2016)"
},
{
"id": "4.1",
"description": "PII from education records disclosed to the provider under the school official exception may only be used for the specific authorized purpose for which it was disclosed, as defined in the written agreement with the institution. The provider is strictly prohibited from using PII from education records for any other purpose, including but not limited to: marketing or advertising directed to students or their parents; targeted advertising; selling or licensing student data to third parties; profiling students for commercial purposes; or improving products or services unrelated to the contracted function. These prohibitions apply to the provider's officers, employees, and agents. (34 CFR § 99.33(a)(2); 34 CFR § 99.31(a)(1)(i)(B)(*3*); PTAC Online Educational Services guidance, 2014)"
},
{
"id": "4.2",
"description": "The provider must not scan or mine PII from education records or student-generated content for the purposes of advertising, marketing, or building commercial profiles of students or their parents. Data mining or content scanning is permissible only for purposes expressly authorized in the agreement, such as spam or malware detection, service improvement within the contracted function, or personalization of the educational service. The written agreement must explicitly address permissible and impermissible uses of student data and metadata. (34 CFR § 99.33(a)(2); PTAC TOS Model, provision 7, 2016)"
},
{
"id": "4.3",
"description": "Where the provider uses AI, machine learning, or automated processing on student data, all such processing must be limited to the authorized purpose defined in the agreement. AI systems used to process student PII must be configured to prevent training on FERPA-protected data for purposes outside the contracted function. Zero data retention policies with AI subprocessors must be documented and verified. The provider must disclose to the institution any AI subprocessors that process student PII and ensure those subprocessors are bound by the same use restrictions. (34 CFR § 99.31(a)(1)(i)(B)(*1*) and (*3*); § 99.33(a); PTAC TOS Model, provision 8, 2016)"
},
{
"id": "5.1",
"description": "The provider must make PII from education records accessible to the institution within a timeframe that allows the institution to fulfill its obligation under FERPA to respond to parental (or eligible student) access requests within 45 days of receipt of the request, or within any shorter timeframe required by applicable state law. The provider must maintain records in a manner that enables efficient retrieval and transmission to the institution upon request. (34 CFR § 99.10(b); PTAC Online Educational Services guidance, 2014, p. 4; PTAC TOS Model, provision 11, 2016)"
},
{
"id": "5.2",
"description": "The provider must maintain a written incident response plan and must notify the institution promptly upon discovering any actual or suspected unauthorized disclosure of PII from education records. Notification must include: the nature of the incident; the categories and approximate volume of records involved; the likely consequences of the breach; and the measures taken or proposed to address the breach. The provider must support the institution in meeting any applicable breach notification obligations to students, parents, or regulators. (34 CFR § 99.31(a)(1)(i)(B)(*2*); PTAC TOS Model, provision 12, 2016)"
},
{
"id": "5.3",
"description": "The provider must maintain a documented log or record of all disclosures of PII from education records to third parties, including subprocessors, sufficient to allow the institution to fulfill its recordkeeping obligations and to respond to requests for an accounting of disclosures from parents or eligible students. This record must include the date, identity of the recipient, and the purpose of each disclosure. (34 CFR § 99.32(a); 34 CFR § 99.33(d))"
},
{
"id": "6.1",
"description": "The provider must not redisclose PII from education records to any third party without the prior written consent of the institution, except where redisclosure is expressly authorized in the written agreement and consistent with FERPA. Any subprocessor or subcontractor to whom the provider discloses PII must be contractually bound by the same use restrictions and data protection obligations as the provider itself. The institution must be informed of all subprocessors with access to PII, and the provider must update this disclosure if subprocessors change. (34 CFR § 99.33(a)(1); 34 CFR § 99.31(a)(1)(i)(B)(*3*); PTAC TOS Model, provision 8, 2016)"
},
{
"id": "6.2",
"description": "When the provider receives a court order or lawfully issued subpoena requiring disclosure of PII from education records, the provider must notify the institution in advance of compliance so the institution may seek protective action, unless the order or subpoena prohibits such notification. The provider must not comply with such orders or subpoenas without coordination with the institution, except where legally prohibited from doing so. (34 CFR § 99.31(a)(9)(ii); § 99.33(b)(2))"
},
{
"id": "6.3",
"description": "The provider must maintain and make available to the institution upon request an up-to-date inventory of all subprocessors, sub-contractors, and agents that have access to PII from education records. This inventory must identify each party, describe their function, specify the categories of PII they process, and confirm that they are contractually bound by data protection obligations equivalent to those applicable to the provider. This transparency obligation supports the institution's ability to demonstrate direct control over the provider's data supply chain. (34 CFR § 99.31(a)(1)(i)(B)(*2*); PTAC TOS Model, provision 8, 2016)"
},
{
"id": "7.1",
"description": "Upon expiration or termination of the agreement, or upon the institution's request, the provider must return or securely destroy all PII from education records in its possession and in the possession of any subprocessors or agents to whom it has transferred such data. Destruction must follow a documented methodology that renders the data unrecoverable. The provider must provide written certification of destruction to the institution within a reasonable period. The obligation to destroy includes all copies, backups, and derivative data that could be used to reconstruct PII. (34 CFR § 99.31(a)(1)(i)(B)(*2*); PTAC Vendor FAQ, 2015; PTAC TOS Model, provision 9, 2016)"
},
{
"id": "7.2",
"description": "The provider must implement and document a data retention schedule that specifies the maximum period for which each category of PII from education records may be retained, limited to the duration necessary to perform the contracted function. PII must be deleted or anonymized in accordance with this schedule. Retention beyond the contractually specified period constitutes unauthorized maintenance of education records. (34 CFR § 99.31(a)(1)(i)(B)(*1*); PTAC TOS Model, provision 9, 2016)"
},
{
"id": "7.3",
"description": "Where the provider seeks to retain de-identified data derived from education records for product improvement, research, or other purposes after contract termination, the provider must apply a documented de-identification methodology that removes all direct and indirect identifiers, including name, student ID, date of birth, geographic information at a level smaller than a state, and any other data element that alone or in combination could identify a student. The provider must contractually prohibit any downstream recipient of de-identified data from attempting re-identification. The provider must disclose its de-identification methodology to the institution upon request. (34 CFR § 99.31(b)(1); PTAC TOS Model, provision 2, 2016)"
},
{
"id": "8.1",
"description": "The provider must maintain a written information security policy and privacy policy that govern its handling of PII from education records. These policies must be reviewed and updated at least annually or following any significant change to the provider's systems, organizational structure, or data processing practices. The provider must make these policies available to the institution upon request and must notify the institution of material policy changes. (34 CFR § 99.31(a)(1)(i)(B)(*2*); PTAC TOS Model, provision 12, 2016)"
},
{
"id": "8.2",
"description": "The provider must ensure that all personnel, contractors, and agents with access to PII from education records are trained on FERPA requirements and the provider's data protection obligations. Training must cover: the definition and scope of education records; the authorized purposes for which PII may be used; the prohibition on unauthorized use and redisclosure; security obligations; and incident reporting procedures. Training must be conducted at onboarding and refreshed at least annually. (34 CFR § 99.31(a)(1)(i)(B)(*2*); PTAC Vendor FAQ, 2015)"
},
{
"id": "8.3",
"description": "The provider must perform documented due diligence on all subprocessors and sub-contractors who will have access to PII from education records prior to engagement, and on a periodic basis thereafter. Due diligence must assess the subprocessor's security posture, data protection practices, and ability to comply with FERPA requirements. The provider must maintain records of this due diligence and make them available to the institution upon request. (34 CFR § 99.31(a)(1)(i)(B)(*2*); PTAC TOS Model, provision 8, 2016)"
},
{
"id": "8.4",
"description": "The provider must conduct periodic privacy impact assessments or equivalent risk evaluations when implementing new processing activities, systems, or technologies that involve PII from education records, including the introduction of AI or automated decision-making capabilities. The assessment must identify privacy risks, evaluate their likelihood and potential impact on students' rights, and document mitigating measures implemented. Results must be available to the institution upon request. (34 CFR § 99.31(a)(1)(i)(B)(*2*); PTAC Data Security Checklist, 2015)"
},
{
"id": "8.5",
"description": "The provider must maintain a documented business continuity and disaster recovery plan covering systems that process or store PII from education records. The plan must address: recovery time and recovery point objectives; backup procedures and tested restoration capability; and notification procedures to alert the institution of any service disruption affecting availability or integrity of education records. The plan must be tested at least annually and the results documented. (34 CFR § 99.31(a)(1)(i)(B)(*2*) direct control requirement; PTAC Data Security Checklist, 2015)"
},
{
"id": "8.6",
"description": "The provider must cooperate with the institution's right to audit or verify the provider's compliance with FERPA obligations and the terms of the written agreement. Upon reasonable notice from the institution, the provider must make available documentation, system access, and personnel necessary to confirm that education records are being maintained and used in compliance with FERPA. This audit right must be explicitly provided for in the written agreement. (34 CFR § 99.31(a)(1)(i)(B)(*2*); 34 CFR § 99.62; PTAC Online Educational Services guidance, 2014)"
}
]
}
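Review bot: controls 3.2 and 5.2 in this hunk state the same requirement twice: both demand "a written incident response plan" and prompt notification of the institution after an actual or suspected breach, with overlapping lists of notification content and the same primary citation (34 CFR § 99.31(a)(1)(i)(B)(*2*); PTAC TOS Model, provision 12, 2016). Consider folding 5.2 into 3.2, or narrowing 5.2 to the notification-content items (nature, categories and volume, likely consequences, measures taken) so an assessed provider does not have to evidence one plan under two control IDs. Two smaller points: `"controls":[` is the only key in the file without a space after the colon, and the `(*1*)`/`(*2*)`/`(*3*)` markers used for the CFR paragraph designations read as markdown italics, which will render literally unless the console treats `description` as markdown; either drop the asterisks or confirm the renderer. The open comment on the empty `logo` object also still applies.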