FERPA Compliance Checklist for Cloud SIS Platforms
Moving student records to the cloud is standard — but your obligations do not move to the vendor. Use this checklist before you sign.
The Family Educational Rights and Privacy Act (FERPA) protects education records at any school that receives federal funding. When you adopt a cloud SIS, you remain the custodian of that data — the vendor is a school official under contract, not the owner of student records.
Before you go live
- Execute a Data Processing Agreement (DPA) with clear roles and breach notification timelines
- Document legitimate educational interest for each staff role in the system
- Enable multi-factor authentication for registrar, finance, and admin accounts
- Confirm encryption in transit (TLS) and at rest for stored documents
- Review the subprocessor list (email, SMS, hosting) and notify stakeholders
- Train staff on what may and may not be shared with third parties
Ongoing operations
Audit logs should show who viewed or changed a record — not just who logged in. Parent and student portal access must respect consent rules for directory information.
When a student requests their record, your platform should produce exports without a custom SQL query. When an accreditor visits, reports should match the live system, not a spreadsheet someone rebuilt the night before.
Red flags during vendor review
- No DPA available or “sign our Terms only”
- Data from your tenant used as training data to improve public AI models
- Shared login credentials for clinical site coordinators
- No way to revoke access instantly when staff leave
