This document is provided for informational purposes during our pre-launch period. A comprehensive, attorney-reviewed version will be published prior to the platform processing student data.

FERPA & STUDENT PRIVACY

Student Privacy Is Not a Feature.
It’s the Foundation.

How SPEDScribe handles student education records under FERPA, AB 1584, and SOPIPA.

Last updated: April 2026

How SPEDScribe Operates Under FERPA

“SPEDScribe processes student data only at the direction of, and on behalf of, the contracting district. We sign a Data Processing Agreement with every district before any student data flows through our systems.”

We do not disclose student records to any third party without authorization from the contracting district, except as required by law. The formal FERPA framing of our role (including any “school official” designation under 34 CFR Section 99.31(a)(1)) is pending attorney review.

Our 10 Commitments

01
Purpose limitation

We do not collect, maintain, use, or share student data beyond what is needed for authorized educational purposes at the direction of the contracting school district.

02
No sale of student data

We do not sell student data. Ever. Under any circumstances. This commitment is unconditional and is not subject to any business condition or future policy change without explicit district consent.

03
No targeted advertising

We do not use student data for targeted advertising. No student record is ever used to serve advertising to any person.

04
No commercial profiling

We do not create student profiles for non-educational commercial purposes. Student records are used solely to generate the documentation requested by the provider.

05
Industry-standard security

We use AES-256 encryption at rest, TLS 1.3 in transit, layered server-side PII redaction before AI processing, and role-based access control to protect all student data.

06
Breach notification

We provide breach notification without unreasonable delay as required by FERPA, and in writing to affected districts within 72 hours of confirmed breach discovery.

07
Support for access rights

We support parent and student access rights by assisting schools in fulfilling FERPA access requests, including providing copies of relevant records in a timely manner.

08
Data return and deletion

We delete or return all student data upon contract termination. All district data is exported and delivered to the district, then permanently deleted from our systems on the schedule described in our Data Processing Agreement. A deletion certificate is provided upon request.

09
No AI training on student data

Our AI provider (Anthropic) does not use customer inputs or outputs to train models under their commercial terms. AI processing occurs on layered server-side PII-redacted transcripts; redaction reduces exposure of student identifiers but is not a guarantee of full removal. To date, no student record has been used to train any AI model in our pipeline; Anthropic's commercial terms preclude such use going forward.

10
Subprocessor obligations

All subprocessors are bound by data processing agreements requiring equivalent data protection obligations, including handling of student data governed by FERPA and contractual terms governing retention and training.

Data Flow

This is exactly how student data moves through the SPEDScribe system:

Audio Recording
Server-Side PII Redaction
Redacted Transcript
Clinical Intelligence Engine
Draft Documentation
Provider Review & Approval
Export to IEP System

Server-side PII redaction at step 2 is designed to strip identifiers before transcripts reach the AI provider. The redaction reduces exposure of student identifiers; it is not a guarantee that every identifier is removed.

AB 1584 Alignment (California Education Code § 49073.1)

The contracting district owns all student data; SPEDScribe does not own or claim any rights to student records

No non-educational use of student data for any commercial purpose

All student data is returned to the district in portable format upon contract termination

Permanent deletion of all district data on the schedule described in our Data Processing Agreement

Written deletion certificate provided to the district upon request

30 days advance notice of any changes to subprocessors handling student data

SOPIPA Alignment

Consistent with the Student Online Personal Information Protection Act, SPEDScribe:

Does not use student data for targeted advertising
Does not sell student information to any third party
Does not create student profiles for non-educational commercial purposes
Maintains reasonable security procedures and practices
Deletes student data upon request from the contracting district

Contact

For questions about our FERPA compliance, student data practices, or to submit a data request:
privacy@spedscribe.ai

See also: Privacy Policy · Security & Trust Center · Subprocessors