NameCoach takes the privacy of its customers and users seriously. One of the most important ways that we fulfill that duty is by complying with all state and federal privacy legislation and, in particular, FERPA.
What is FERPA?
The Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. §1232g, and its implementing regulations apply to all educational institutions that receive federal funding from the Department of Education. FERPA protects personally identifiable information (“PII”) in students’ education records (“Student Education Records”) from unauthorized disclosure. It also affords students and parents the right to access their Student Education Records, the right to seek to have the records amended, and the right to have some control over the disclosure of PII from education records.
Under FERPA § 99.31(a)(1)(i)(B), educational institutions can disclose PII to third parties (such as NameCoach) who are acting as a “School Official” by performing a service for the educational institution. The institution retains ownership of any education records that may be maintained by third parties performing services as a “School Official” for such institutions.
How does NameCoach maintain FERPA Compliance?
While transmitting and holding Student Education Records, we maintain technical and physical safeguards by using network- and container-level firewalls, and we support only TLS-encrypted connections to our application and services. We also enforce all password security via SSO or an external system such as an LMS. And, perhaps most importantly, all Student Education Records are encrypted.
We only store information in AWS RDS or Aurora instances; we do not run our own datacenter and do not maintain physical copies of information. Access to NameCoach’s systems and/or Student Education Records is limited to application delivery and support staff who have a legitimate need to access the database to enable us to deliver our services to educational institutions. Any staff and/or third parties who are granted access to enable us to provide services are also always under appropriate contractual obligations of confidentiality, data protection, and security. NameCoach does not disclose Student Education Records to any parties outside of the originating educational institution.
Every NameCoach employee receives FERPA training, and our policy is not to share any student information with anyone other than the originating school or the originating user.
We only use Student Education Records for the purpose(s) for which they were provided to us, or as otherwise authorized in applicable law and any agreement with the educational institution.
If a parent, legal guardian or student contacts NameCoach with a request to review or correct erroneous information in Student Educational Records, or if an agency, court, law enforcement or other entity contacts us and requests access to Student Educational Records, we will (unless prohibited by writ or compulsory legal process) promptly notify an authorized representative of the applicable originating educational institution, and will use reasonable and good faith efforts to assist the originating educational institution in fulfilling such requests.
If NameCoach determines that a breach or unauthorized release of Student Educational Records that would be subject to reporting under applicable federal or state law has occurred, NameCoach will take prompt and appropriate steps to mitigate further breach or release of Student Educational Records; provide notice to the affected originating educational institution promptly and without unreasonable delay; and work with the affected originating educational institution to provide information and assistance necessary to comply with any notification to parents, legal guardians or students, as required under applicable law.
Following expiration or termination of the agreement under which the originating educational institution purchased access to the NameCoach web-based products or services, and upon receipt of written request from the originating educational institution, NameCoach will destroy or, if agreed, return to the originating educational institution, the Student Educational Records in its possession within a commercially reasonable period of time. For clarity, data generated by NameCoach or our products, that is in aggregate, or that is anonymized (i.e., personally identifiable information has been removed), may be retained by NameCoach and used for product and service improvement purposes or other purposes consistent with applicable law and any agreement with an originating educational institution.
For questions or further information on our data privacy and security practices with respect to FERPA or Student Education Records, please contact email@example.com.