This document is provided for informational purposes during our pre-launch period. A comprehensive, attorney-reviewed version will be published prior to the platform processing student data.
FERPA & STUDENT PRIVACY
Student Privacy Is Not a Feature.
It’s the Foundation.
How SPEDScribe handles student education records under FERPA, AB 1584, and SOPIPA.
Last updated: April 2026
School Official Designation
“SPEDScribe operates as a School Official with a legitimate educational interest under FERPA (34 CFR Section 99.31(a)(1)), performing institutional services that the school would otherwise use employees to perform, under the direct control and supervision of the contracting local educational agency.”
This designation means SPEDScribe operates under the same obligations as a school employee with respect to student education records. We do not disclose student records to any third party without authorization from the contracting district, except as required by law.
Our 10 Commitments
We do not collect, maintain, use, or share student data beyond what is needed for authorized educational purposes at the direction of the contracting school district.
We do not sell student data. Ever. Under any circumstances. This commitment is unconditional and is not subject to any business condition or future policy change without explicit district consent.
We do not use student data for targeted advertising. No student record is ever used to serve advertising to any person.
We do not create student profiles for non-educational commercial purposes. Student records are used solely to generate the documentation requested by the provider.
We use AES-256 encryption at rest, TLS 1.3 in transit, automated PII redaction before AI processing, and role-based access control to protect all student data.
We provide breach notification without unreasonable delay as required by FERPA, and in writing to affected districts within 72 hours of confirmed breach discovery.
We support parent and student access rights by assisting schools in fulfilling FERPA access requests, including providing copies of relevant records in a timely manner.
We delete or return all student data upon contract termination. All district data is exported and delivered to the district, then permanently deleted from our systems within 90 days. A deletion certificate is provided upon request.
We do not use student data to train AI models. All AI processing occurs on de-identified transcripts only. No student record has ever been used to train any model in our pipeline.
All subprocessors are bound by data processing agreements requiring equivalent data protection obligations, including zero-data-retention commitments and FERPA compliance.
Data Flow
This is exactly how student data moves through the SPEDScribe system:
PII is removed at step 2. The AI processes only de-identified text. Student identifiers never reach the AI pipeline.
AB 1584 Compliance (California Education Code § 49073.1)
The contracting district owns all student data — SPEDScribe does not own or claim any rights to student records
No non-educational use of student data for any commercial purpose
All student data is returned to the district in portable format upon contract termination
Permanent deletion of all district data within 90 days of termination
Written deletion certificate provided to the district upon request
30 days advance notice of any changes to subprocessors handling student data
SOPIPA Compliance
Consistent with the Student Online Personal Information Protection Act, SPEDScribe:
Contact
For questions about our FERPA compliance, student data practices, or to submit a data request:
privacy@spedscribe.ai
See also: Privacy Policy · Security & Trust Center · Subprocessors