FERPA posture
Summary: Twinbook is designed so that an institution can use it in a FERPA-aligned way. When a university adopts Twinbook for coursework, we are prepared to operate as a "school official" with a legitimate educational interest under the institution's direct control, to sign a data-processing agreement, and to support deletion and access obligations.
This page describes our posture and the terms we are willing to enter. It is not legal advice. A university's own counsel should make the final determination for its use case.
Last updated: 2026-06.
Why FERPA matters here
The Family Educational Rights and Privacy Act (FERPA) protects students' "education records" and personally identifiable information (PII) from those records. The U.S. Department of Education has specific guidance for cloud computing and FERPA-protected education records: when a school uses a cloud/edtech service that handles education records, the service must be used in a way that keeps the school in control of those records.
When an institution uses Twinbook for a course, the materials a student uploads and the learning data Twinbook generates can constitute education records under the institution's policies.
How Twinbook supports FERPA-aligned use
- School-official model. Under an institutional agreement, Twinbook acts as a school official performing a service the institution would otherwise perform itself, under the institution's direct control, and uses education records only for the authorized educational purpose.
- No re-use of education records. We do not use student education records for advertising, for resale, or to train or fine-tune AI models (see the main Trust & Security page).
- Access control and isolation. Education records are isolated per user and per workspace and are accessible only to the authenticated student and the parties the institution authorizes.
- Deletion and return. We support deletion of student data and can agree to a defined deletion or return window after a contract ends. See Data retention & deletion.
- Subprocessor transparency. Our Subprocessors list is available for institutional review, and we provide change notice under agreement.
- Data-processing agreement. We are prepared to sign a DPA / FERPA-aligned addendum that codifies these commitments.
Direct-to-student use (no institutional agreement)
When an individual student uses Twinbook directly (not through an institutional contract), FERPA does not generally govern that relationship — the student is choosing to upload their own study materials to a consumer service. The protections on the Trust & Security page (ownership, no training or fine-tuning on your content, isolation, deletion) still apply.
What we need from the institution
FERPA compliance is a shared responsibility. To use Twinbook in a FERPA-aligned way, the institution typically:
- enters a written agreement designating Twinbook's role and authorized use,
- determines which data are education records under its own policy, and
- manages which students/courses are provisioned.
To start a FERPA review or request our DPA, contact us. We're happy to work through your institution's data-protection addendum.