FERPA and EdTech Vendors: How to Manage Student Data in Third-Party Platforms
The average school district uses over 1,400 EdTech tools per month. Each one that touches student education records is a FERPA disclosure. Most districts do not have agreements in place for even a fraction of them.
How the school official exception works
FERPA generally requires written consent before a school discloses personally identifiable information from education records. The main exception schools rely on for vendors is the "school official" exception at 34 CFR § 99.31(a)(1). It allows disclosure to a party that the school has determined performs an institutional service or function — provided the party meets three conditions.
First, the vendor must perform a service that the school would otherwise use employees to perform. Second, the vendor must be under the direct control of the school regarding use and maintenance of education records. Third, the vendor must not redisclose the information except as authorized.
"Direct control" is the key phrase. It does not mean the school must supervise every action the vendor takes. It means there must be a written agreement that limits what the vendor can do with the data, and the school must have the ability to enforce those limits. Without that agreement, the exception does not apply, and the disclosure is unauthorized.
What the contract must include
At minimum, the agreement must specify that the vendor is performing an institutional service, is under the school's direct control regarding education records, and will comply with the FERPA redisclosure restrictions. But the regulatory floor is not enough.
A functional vendor agreement should also address:
- Data scope. Exactly what student data the vendor will receive. Not "whatever is needed" — specific data elements.
- Permitted uses. The vendor can use the data only to provide the contracted service. Not for product development, not for advertising, not for building profiles across districts.
- Security requirements. Encryption in transit and at rest, access controls, incident response procedures.
- Breach notification. A defined timeframe — typically 24 to 72 hours — in which the vendor must notify the school of any breach or unauthorized access.
- Data retention and deletion. When the contract ends (or when the data is no longer needed), the vendor must return or destroy the data within a specified period. This is where many vendor relationships create long-term risk — data sitting in a decommissioned platform years after anyone stopped using it.
Data minimization
FERPA does not use the phrase "data minimization," but the principle applies. The school official exception allows disclosure for a legitimate educational interest. Sharing more data than the vendor needs to provide its service weakens the argument that the disclosure was limited to what was necessary. If a quiz app needs student names and class period, it does not need home addresses, disability status, or disciplinary records.
Before onboarding a new platform, ask: what data does it actually need to function? If the vendor wants a full SIS export when it only needs roster data, push back.
Evaluating new platforms
The biggest compliance gap in most districts is ungoverned adoption. A teacher finds a tool, signs up with a school email, uploads a class roster, and starts using it. No agreement, no review, no documentation. This is an unauthorized disclosure under FERPA, even if the teacher had good intentions.
Build a process — it does not need to be elaborate:
- Require staff to submit new tool requests before entering student data.
- Review the vendor's privacy policy and terms of service for FERPA compatibility.
- Execute a data privacy agreement before the tool goes live. Many vendors have standard DPAs ready — check the Student Data Privacy Consortium for pre-negotiated agreements.
- Maintain a registry of approved tools and their agreement status.
Common mistakes
Clicking through terms of service without FERPA review. A vendor's standard TOS is written to protect the vendor. It often includes broad data usage rights, limited deletion obligations, and no FERPA-specific terms. Accepting TOS is not the same as executing a FERPA-compliant agreement.
Assuming "free" means low risk. Free EdTech tools often monetize through data. If the vendor's business model depends on using student data for purposes beyond the institutional service, the school official exception does not apply.
Not tracking what data went where. When a vendor relationship ends, you need to know what data they have so you can request its return or deletion. If you never tracked what was shared, you cannot verify it was destroyed.
State laws add more requirements
Over 40 states have enacted student data privacy laws that go beyond FERPA. Many prohibit targeted advertising based on student data, require data governance plans, mandate breach notification specifically for student records, or create vendor transparency requirements. Your FERPA compliance program is the floor — check your state's specific requirements.
How BlackSheep helps
BlackSheep's FERPA compliance platform tracks vendor agreements, flags tools without current DPAs, and gives your team a single place to manage the vendor review process. When a teacher requests a new tool, you have a workflow — not a scramble.
Get your EdTech vendor agreements under control.
Start with BlackSheep