COMPLIANCE
FERPA Compliance
Last updated: March 2026
Our Commitment
FERPA compliance is not an afterthought at ConexED. It is foundational to how we build, deploy, and operate our platform. Every feature we develop, every integration we support, and every operational process we follow is designed with student privacy and FERPA requirements in mind. We understand that the institutions we serve are entrusted with sensitive student information, and we take that responsibility seriously.
ConexED has served hundreds of higher education institutions, including community colleges, universities, and multi-campus systems. Our compliance framework has been reviewed and approved by institutional compliance officers, legal teams, and IT security departments across the country. We maintain this trust by continuously investing in our security infrastructure, staff training, and compliance documentation.
We welcome the opportunity to work with your compliance and legal teams to address any questions about our FERPA posture. We provide detailed data processing agreements, security questionnaires, and documentation tailored to the needs of higher education procurement and compliance processes.
What is FERPA
The Family Educational Rights and Privacy Act (FERPA) is a federal law enacted in 1974 that protects the privacy of student education records. FERPA applies to all educational agencies and institutions that receive funding under any program administered by the U.S. Department of Education. This includes virtually all public and most private postsecondary institutions.
Under FERPA, educational institutions must protect the confidentiality of student education records and may not disclose personally identifiable information (PII) from those records without the student's written consent, except in certain defined circumstances. One such exception allows disclosure to "school officials" with a "legitimate educational interest," which is the basis for ConexED's access to student data.
FERPA also grants students (and parents of dependent students) the right to inspect and review their education records, request corrections, and have some control over the disclosure of their information. Institutions that fail to comply with FERPA risk losing federal funding, making compliance a critical priority for every college and university in the United States.
ConexED as School Official
Under FERPA's school official exception (34 CFR 99.31(a)(1)), an institution may disclose education records to a contractor or outside party to whom the institution has outsourced institutional services or functions, provided that the party meets certain conditions. ConexED meets all of these conditions and is designated as a "school official" in our agreements with each institution.
Specifically, ConexED performs an institutional service or function for which the institution would otherwise use employees. We are under the direct control of the institution with respect to the use and maintenance of education records. We are subject to the same conditions governing the use and redisclosure of PII that apply to other school officials. And we do not use education records for any purpose other than the purpose for which the disclosure was made.
Each institution that deploys ConexED includes our platform in their annual FERPA notification to students, identifying ConexED as a school official with a legitimate educational interest. We provide template language for this notification and work with your compliance team to ensure it meets your institution's specific requirements.
Our data processing agreements explicitly define the scope of data access, the permitted uses, the restrictions on redisclosure, and the security obligations that ConexED assumes. These agreements are designed to satisfy the requirements of FERPA, state privacy laws, and institutional policies simultaneously.
Data We Process
ConexED processes several categories of student education records on behalf of institutions. These include student directory information (name, email, phone number, student ID), enrollment and academic data (courses, majors, class standing, enrollment status), advising records (appointment history, advising notes, action items, referrals), and early alert data (flags, risk indicators, intervention records).
The specific data elements processed depend on the integrations your institution has enabled. For example, an institution that integrates ConexED with their SIS and LMS may share enrollment data, grades, and attendance records. An institution that uses only the scheduling module may share only directory information and appointment data. You control what data flows into ConexED through your integration configuration.
We do not process data beyond what is necessary to deliver the services your institution has contracted. We do not mine student data for behavioral profiling, advertising targeting, or any commercial purpose unrelated to the institutional services we provide. Student data is never shared with third parties for their own purposes.
Security Controls
ConexED implements robust technical security controls to protect student education records. All data is encrypted in transit using TLS 1.2 or higher, protecting information moving between your institution, end users, and our servers against interception. Data at rest is encrypted using AES-256, covering databases, file storage, and backups.
Our infrastructure runs on Amazon Web Services (AWS) within the United States, leveraging AWS's SOC 2-certified data centers and physical security controls. We use virtual private cloud (VPC) isolation to ensure that each institution's data is logically separated from other customers. Database access is restricted to application servers within the VPC, and direct database access by personnel requires multi-factor authentication and is logged.
We deploy a web application firewall (WAF) to protect against common web exploits, along with distributed denial-of-service (DDoS) protection and intrusion detection systems that monitor for suspicious activity around the clock. All security events are logged and reviewed by our security operations team. We conduct regular vulnerability scans and address identified issues according to their severity level.
Our application is developed following secure coding practices, including input validation, parameterized queries to prevent SQL injection, output encoding to prevent cross-site scripting, and regular dependency updates to address known vulnerabilities. Our development process includes security code reviews and automated security testing in our continuous integration pipeline.
Access Controls
ConexED implements the principle of least privilege for all access to student data. Within the platform, role-based access controls (RBAC) ensure that users can only see and interact with the data relevant to their responsibilities. An advisor sees only their assigned students. A department head sees aggregate data for their department. An institution's administrator can configure these roles and permissions to match their organizational structure.
On the ConexED operations side, access to production systems and customer data is strictly limited. Only a small number of senior engineering and operations staff have access to production databases, and all access requires multi-factor authentication. Every access event is logged with the user's identity, timestamp, and the data accessed. These logs are retained for a minimum of one year and are reviewed regularly.
We support single sign-on (SSO) integration through SAML 2.0, Azure AD, Google Workspace, Shibboleth/InCommon, and CAS. SSO integration allows institutions to enforce their own password policies, multi-factor authentication requirements, and account lifecycle management through their existing identity provider. We strongly recommend SSO for all institutional deployments.
Breach Notification
In the unlikely event of a data breach affecting student education records, ConexED will notify the affected institution within 24 hours of confirming the breach. Our notification will include a description of the incident, the types of data involved, the approximate number of records affected, the steps we are taking to contain and remediate the breach, and recommended actions for the institution.
We will cooperate fully with the institution's investigation and remediation efforts, including providing access to relevant logs, forensic analysis results, and technical support. We will also assist the institution in meeting its notification obligations under FERPA, state breach notification laws, and any other applicable regulations.
ConexED maintains a detailed incident response plan that is tested and updated annually. This plan covers detection, containment, eradication, recovery, and post-incident analysis. Our incident response team includes senior engineering staff, legal counsel, and communications personnel to ensure a coordinated and effective response.
Staff Training
All ConexED employees complete FERPA training as part of their onboarding process, regardless of their role. This training covers the fundamentals of FERPA, the types of data we handle, our obligations as a school official, and the specific policies and procedures employees must follow when handling student data. Employees must pass an assessment to demonstrate their understanding before gaining access to any systems containing student data.
We conduct annual refresher training for all staff, supplemented by targeted training when regulations change or when we identify areas for improvement. Our engineering team receives additional training on secure development practices, privacy by design principles, and data minimization. Support staff who interact with institutions receive training on handling data access requests and recognizing potential privacy issues.
All ConexED employees sign confidentiality agreements that explicitly cover student education records. Our employee handbook includes detailed policies on data handling, acceptable use of company systems, and the consequences of policy violations. We maintain a culture where privacy and security are everyone's responsibility, not just the compliance team's.
Compliance Resources
We provide institutions with a comprehensive set of compliance resources to support their FERPA obligations. These include a pre-signed Data Processing Agreement (DPA) that defines our responsibilities as a school official, a completed HECVAT (Higher Education Community Vendor Assessment Toolkit) security questionnaire, and a detailed FERPA compliance guide specific to the ConexED platform.
We also provide template language for your annual FERPA notification, a data flow diagram showing how student data moves through the ConexED platform, and a list of all subprocessors who may have access to student data. All compliance documentation is available to institutional administrators through our customer portal and is updated whenever significant changes occur.
Our compliance team is available to participate in your institution's data governance reviews, security audits, and compliance assessments. We regularly respond to HECVAT questionnaires, state-specific security surveys, and custom compliance questionnaires from institutional procurement and IT departments. We understand the rigor of higher education compliance processes and are prepared to meet those expectations.
Contact Us
For FERPA compliance questions, data processing agreement requests, or compliance documentation, please contact our compliance team:
ConexED Compliance Team
Email: compliance@conexed.com
Address: ConexED, Inc., 2825 E. Cottonwood Pkwy, #500, Cottonwood Heights, 84121
For urgent data security concerns, please contact security@conexed.com. Our security team monitors this address around the clock and will respond to urgent inquiries within four hours.