Legal

FERPA Compliance

Last updated June 11, 2026

The Family Educational Rights and Privacy Act (FERPA) governs how student educational records are handled by schools and the vendors that work with them. This page describes Tolus’s role under FERPA and the commitments we make to schools and families.

Our role

FERPA’s school-official exception (34 CFR § 99.31(a)(1)) lets a school share student educational records with an outside service that performs a function the school would otherwise do itself, provided the service is under the school’s direct control. Tolus is built to fulfill that “school official” role when a school engages us under a signed data privacy agreement (DPA) that establishes the school’s direct control over how we process its students’ records.

Under such an agreement, we process a student’s educational record only at the direction of the school, only to provide the assessment service the school has authorized, and subject to the school’s control and instructions. We do not assert an independent right to use student records for our own purposes.

What we commit to

  • Direct control. We process student data only as instructed by the school. We do not use it for any purpose unrelated to operating Tolus for that school.
  • No advertising or model training. Student data is not used to target advertising, is not used to build student profiles, and is not used to train machine-learning models — ours or our subprocessors’.
  • No selling of data. We do not sell, rent, or trade student data.
  • No re-disclosure. We do not disclose student records to third parties except as needed to operate the service (the subprocessors listed in our Privacy Policy) or as required by law.
  • Access and correction. Students and parents may request access to or correction of records we hold by going through their school or by contacting us at hlincontacts@gmail.com.
  • Written security program. Tolus maintains a Written Information Security Program (WISP), available to schools on request at hlincontacts@gmail.com.
  • Deletion and retention limits. A school may request deletion of any student record at any time. Deletion is synchronous: when a teacher deletes a defense or closes their account, the associated student records are removed promptly, not on a delayed schedule. Records are also deleted automatically at the end of our retention periods: as a current default, defense records are deleted 18 months after they are created unless your school requests a different period, and authentication logs are deleted after 90 days. See the Data retention and deletion section of our Privacy Policy for exactly what is removed.

Directory information

Tolus does not publish or display student names, photos, or any other FERPA-protected information outside of the teacher’s view of their own class. We treat all student data as non-directory information unless the school instructs otherwise.

Record types we process

  • Student name, email address, and Google Classroom ID, supplied by the teacher’s class roster.
  • The files the student attached to the assignment and the teacher’s assignment materials, read to provide context for the defense.
  • The transcript, score, and AI feedback of the oral defense, plus any feedback the student submits.

Audio is streamed for real-time transcription and is never stored by Tolus. Transcript documents are created in the teacher’s own Google Drive and governed by the teacher’s Google account.

Data residency

Tolus stores data in the United States. Our database provider (Supabase) hosts our project in a US region; our application is served by Vercel and processes requests primarily in the US.

For school administrators

We will sign your district’s data privacy agreement, including standard frameworks such as the National Data Privacy Agreement (NDPA) from the Student Data Privacy Consortium (SDPC), or your own DPA or data-sharing addendum. The signed DPA, not this page, is what establishes the school’s direct control over our processing. Reach out to hlincontacts@gmail.com with your DPA template and we will turn it around quickly.

For students under 13, see our COPPA School Notice, which describes what we collect and how a school may authorize its collection on parents’ behalf.

Contact

Privacy questions or record requests: hlincontacts@gmail.com.