FERPA & COPPA Compliance
Effective Date: February 22, 2026 | Last Updated: February 22, 2026
Perspicax, LLC takes the privacy and security of student education records seriously. Curriculum (Ai)ssist is designed and operated to support institutional compliance with the Family Educational Rights and Privacy Act (FERPA) and the Children's Online Privacy Protection Act (COPPA). This page describes our compliance posture, technical safeguards, and contractual commitments.
FERPA Compliance
The Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99) protects the privacy of student education records and applies to all educational institutions that receive federal funding. As a technology vendor serving higher education, Perspicax is committed to operating within the framework FERPA establishes for third-party service providers.
School Official Exception
Curriculum (Ai)ssist is designed to operate under FERPA's "school official" exception (34 CFR § 99.31(a)(1)(i)). Under this provision, an institution may disclose personally identifiable information from education records to a vendor without prior consent when:
- The vendor performs an institutional service or function for which the institution would otherwise use its own employees.
- The vendor has been determined to have a legitimate educational interest in the education records.
- The vendor is under the direct control of the institution with respect to the use and maintenance of education records.
- The vendor does not disclose PII from education records to any other party without authorization.
Perspicax meets all four criteria. We perform curriculum analysis services on behalf of the institution, use data only for the purposes specified by the institution, operate under contractual restrictions that give the institution direct control, and never re-disclose education records to unauthorized parties.
Data Minimization
We practice data minimization as a core principle. Curriculum (Ai)ssist is purpose-built for curriculum analysis — not student tracking, grading, or behavioral monitoring. While syllabi and course documents may incidentally contain student-related information, our platform does not require student-level PII to function. We encourage institutions to redact student-level data from uploaded documents where feasible.
No Re-Disclosure
We do not disclose any information from education records to third parties except as permitted under FERPA or as required by law. Our subprocessors (e.g., cloud infrastructure providers) are contractually bound to the same restrictions and do not have access to the content of your documents.
Institutional Control & Audit
Institutions retain full control over their data within Curriculum (Ai)ssist. Institutional administrators can manage user access, export data, and request deletion at any time. We maintain audit logs of data access events and will make these available to the institution upon request to support compliance reviews.
Data Protection Addendum
Perspicax is prepared to execute a Data Protection Addendum (DPA) or Student Data Privacy Agreement with any institution that requires one. Our standard DPA addresses data ownership, use limitations, security requirements, breach notification, data return and deletion, and FERPA-specific obligations. Please contact us at founder@perspicaxllc.com to request a copy.
COPPA Compliance
The Children's Online Privacy Protection Act (15 U.S.C. §§ 6501–6506) and the FTC's COPPA Rule (16 CFR Part 312), as amended effective April 22, 2025, impose requirements on operators of websites and online services directed to children under 13, or that have actual knowledge of collecting personal information from children under 13.
Primary Audience: Curriculum (Ai)ssist is designed for use by higher education faculty, administrators, and institutional leadership. It is not directed at children under 13 and is not intended for use in K–12 classroom settings where students would interact with the platform directly.
When COPPA May Apply
While our primary audience is higher education professionals, we recognize that some institutions may serve populations that include minors (e.g., dual-enrollment programs, early college initiatives). In those cases, the following safeguards apply:
No Direct Collection from Children
Curriculum (Ai)ssist does not collect personal information directly from children. The platform is used by authorized institutional personnel (faculty, staff, administrators) who upload institutional documents. Students — including minors — do not have accounts on the platform and do not interact with it.
Incidental Information in Documents
If an uploaded document incidentally contains information relating to a minor (e.g., a student name in a course roster embedded in a syllabus), we handle that information as follows:
- The information is processed only to deliver the curriculum analysis requested by the institution.
- It is not extracted, indexed, stored separately, profiled, or used for any other purpose.
- It is not shared with any third party.
- It is subject to the same data retention and deletion policies as all other uploaded content.
Parental Consent & School Authorization
Consistent with FTC guidance, when a school or institution authorizes the use of Curriculum (Ai)ssist for an educational purpose, the school may act as the agent of the parent for purposes of COPPA consent. Perspicax relies on the institution's representation that it has the appropriate authority to provide such consent on behalf of parents where applicable.
We do not use any information — whether relating to children or adults — for commercial purposes unrelated to the educational service, including advertising, behavioral profiling, or sale to third parties.
2025 COPPA Rule Amendments
In alignment with the FTC's April 2025 amendments to the COPPA Rule, Perspicax has reviewed and confirmed the following:
- Expanded PII definition: We do not collect biometric identifiers, government-issued identifiers, or persistent identifiers for tracking purposes from any user, including minors.
- Opt-in consent: Our platform does not use data for advertising or third-party sharing, so the amended opt-in consent requirements for such uses do not create additional obligations. Nevertheless, we operate on an opt-in basis by design.
- Data retention limits: We retain data only as long as necessary for the educational purpose. Institutions may request deletion at any time.
- Security program: We maintain a written information security program that includes designated security personnel, access controls, encryption (AES-256 at rest, TLS 1.2+ in transit), multi-factor authentication, and regular security assessments.
Technical Safeguards
The following technical measures support our FERPA and COPPA compliance commitments:
- Multi-Tenant Data Isolation: Each institution's data is logically isolated. There is no cross-tenant data access.
- Encryption: AES-256 encryption at rest and TLS 1.2+ encryption in transit for all data.
- Role-Based Access Control (RBAC): Granular permissions managed by institutional administrators.
- Audit Logging: Comprehensive logging of access events, available to institutions upon request.
- Secure Deletion: Data is securely deleted upon request or account termination using industry-standard methods.
- Breach Notification: In the event of a data breach affecting education records, Perspicax will notify the affected institution within 72 hours and cooperate fully with the institution's incident response.
- No AI Model Training: Uploaded data is never used to train, fine-tune, or improve AI/ML models.
Institutional Responsibilities
While Perspicax provides the technical and contractual framework for compliance, institutions are responsible for:
- Ensuring that the use of Curriculum (Ai)ssist is covered under their annual FERPA notification to students.
- Designating Perspicax as a "school official" with legitimate educational interest in their records policies, where applicable.
- Managing user access within their institutional account.
- Redacting unnecessary student-level PII from documents prior to upload, where feasible.
- Obtaining or providing appropriate consent or authorization for data sharing under COPPA, where applicable.
Contact & Data Protection Requests
For questions about our FERPA or COPPA compliance posture, to request a Data Protection Addendum, or to report a data concern, please contact:
Perspicax, LLC — Privacy & Compliance
Email: founder@perspicaxllc.com