Effective starting March 13, 2025

AIMGEO supports schools, colleges, universities, and education partners that are subject to the Family Educational Rights and Privacy Act (“FERPA”). For more details, please contact privacy@aimgeo.com. Our HIPAA Statement can be found here.

FERPA applies to educational agencies and institutions that receive funds under an applicable program of the U.S. Department of Education. When AIMGEO receives education records or personally identifiable information from education records from an educational institution in connection with the Services, AIMGEO handles that information only for the institution’s authorized educational purposes, subject to contractual restrictions, role-based access controls, security safeguards, audit logging, and limits on use and redisclosure.

When AIMGEO is engaged to perform an outsourced institutional service or function, AIMGEO may serve as a school official with a legitimate educational interest to the extent permitted by FERPA, the institution’s annual FERPA notice, and the parties’ written agreement. In that role, AIMGEO acts under the institution’s direct control with respect to the use and maintenance of education records and will not use or redisclose such information except as authorized by the institution, permitted by FERPA, or required by law.

AIMGEO does not sell student education records, does not use student education records for advertising or unrelated profiling, and does not use customer education records or prospective-student data to train generalized or shared AI models unless the institution has expressly authorized that use in writing.

AIMGEO also supports admissions, advising, enrollment, financial-aid, and prospective-student engagement workflows. Although certain applicant or prospective-student information may not become FERPA-protected education records until an individual is in attendance, AIMGEO nevertheless applies materially similar confidentiality, security, retention, and purpose-limitation controls to prospective-student data processed on behalf of an institution.

AIMGEO supports institutional obligations to provide appropriate access, auditability, and secure return or deletion of covered data at the end of the engagement, subject to applicable law and documented retention obligations.

AIMGEO does not assume that any data element is “directory information” unless the institution has specifically designated it as such under its own FERPA notice and opt-out process and has instructed AIMGEO accordingly.

FERPA Addendum for AIMGEO Educational Institution Customers

 

These FERPA Terms (“FERPA Addendum”) are incorporated into the Master Services Agreement or other underlying agreement (“Underlying Agreement”) between AIMGEO and the educational agency or institution customer (“Institution”) when Institution discloses Covered Education Records to AIMGEO, or instructs AIMGEO to process Prospective Student Data, in connection with the Services.

1. Definitions

“FERPA” means the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, and its implementing regulations at 34 C.F.R. Part 99, as amended.

“Covered Education Records” means education records and personally identifiable information from education records disclosed by Institution to AIMGEO, or created, received, maintained, or transmitted by AIMGEO on Institution’s behalf, in connection with the Services.

“Prospective Student Data” means information submitted by or about an applicant, prospect, parent, guardian, counselor, or other individual for admissions, recruitment, advising, financial-aid, enrollment, or related education-facing purposes before the individual becomes a student in attendance.

“Authorized Purposes” means the admissions, advising, enrollment, financial-aid, communications, workflow, support, analytics, and other institutionally authorized education-related purposes described in the Underlying Agreement.

2. Role of AIMGEO

To the extent Institution discloses Covered Education Records to AIMGEO under FERPA’s school official exception, Institution may designate AIMGEO as a school official with a legitimate educational interest solely for the Authorized Purposes and only to the extent permitted by FERPA.

AIMGEO acknowledges that, where this Addendum applies under the school official exception, AIMGEO:

a. performs an institutional service or function for which Institution would otherwise use employees;
b. remains under Institution’s direct control with respect to the use and maintenance of Covered Education Records; and
c. is subject to FERPA’s restrictions on use and redisclosure.

Institution is responsible for determining whether AIMGEO meets Institution’s annual FERPA notice criteria for a school official with a legitimate educational interest.

 

3. Use and Redisclosure Restrictions

AIMGEO shall not use or disclose Covered Education Records except:

a. to perform the Authorized Purposes;
b. as directed in writing by Institution; or
c. as required by applicable law.

 

AIMGEO shall not sell Covered Education Records, use Covered Education Records for targeted advertising, use Covered Education Records to market products or services to students or families, or create unrelated commercial profiles from Covered Education Records.

AIMGEO shall not redisclose Covered Education Records to any third party except to approved subprocessors bound by written obligations no less protective than this Addendum, or as otherwise expressly authorized by Institution and permitted by FERPA.

4. AI and Model-Use Restrictions

AIMGEO shall not use Covered Education Records or Prospective Student Data to train, fine-tune, or improve generalized, shared, or public-facing AI models unless Institution has expressly authorized that use in a signed writing.

AIMGEO may perform service-specific quality assurance, safety review, abuse prevention, debugging, logging, auditability, and grounded-response optimization only to the extent necessary to provide and secure the Services and only in a manner consistent with this Addendum.

5. Access Controls and Security Safeguards

AIMGEO shall maintain reasonable administrative, technical, and physical safeguards designed to protect Covered Education Records and Prospective Student Data against unauthorized access, use, disclosure, alteration, or destruction.

Such safeguards shall include, as appropriate:

a. role-based access restrictions and need-to-know permissions;
b. authentication controls for workforce members and subprocessors;
c. encryption in transit and, where applicable, at rest;
d. logging and monitoring of access to sensitive records and policy-relevant actions; and
e. workforce confidentiality obligations and privacy/security training.

 

6. Subprocessors and Personnel

AIMGEO shall limit access to Covered Education Records and Prospective Student Data to personnel and subprocessors who require access to perform the Authorized Purposes.

AIMGEO shall bind all approved subprocessors by written obligations that impose confidentiality, security, use-restriction, and redisclosure protections no less protective than those in this Addendum. AIMGEO remains responsible for its subprocessors’ performance with respect to covered data.

7. Institutional Access, Parent/Eligible Student Rights, and Cooperation

 

AIMGEO shall provide Institution with information and assistance reasonably necessary for Institution to respond to requests by parents or eligible students to inspect or review education records, seek amendment of records, or otherwise exercise rights under FERPA.

AIMGEO shall provide requested Covered Education Records to Institution promptly so Institution can meet applicable response timelines.

8. Security Incidents

 

AIMGEO shall notify Institution without unreasonable delay, and in no event later than seventy-two (72) hours after confirmation, of any Security Incident involving unauthorized access to, acquisition of, or disclosure of Covered Education Records.

AIMGEO shall, as applicable:

a. describe the nature of the incident and the categories of data involved;
b. take reasonable steps to contain, investigate, and remediate the incident;
c. preserve relevant evidence; and
d. cooperate with Institution in meeting any legal, regulatory, or policy-driven response obligations.

 

9. Data Minimization and Retention

AIMGEO shall collect, access, and retain only the Covered Education Records and Prospective Student Data reasonably necessary to perform the Authorized Purposes.

AIMGEO shall not retain covered data longer than necessary to perform the Authorized Purposes, comply with applicable law, or meet documented archival or audit obligations.

10. Return, Deletion, and Destruction

Upon termination of the Underlying Agreement, or earlier upon Institution’s written request, AIMGEO shall return or securely delete Covered Education Records and Prospective Student Data in its possession or control, except to the extent retention is required by applicable law or reasonably necessary to document legal compliance, security events, or contractual obligations.

Upon request, AIMGEO shall provide written confirmation of deletion or destruction.

 

11. Directory Information

AIMGEO shall not independently determine that data qualifies as “directory information.”

If Institution instructs AIMGEO to treat certain data as directory information, Institution represents that it has made the required FERPA designation in its public notice and has addressed any applicable opt-out rights. AIMGEO shall follow Institution’s written instructions regarding such data.

12. Prospective Student Data and User-Directed Sharing

Where AIMGEO is used by prospective students or applicants to share information with Institution, AIMGEO shall process that information only for the Authorized Purposes and only in accordance with Institution’s instructions, the platform workflow presented to the user, and applicable law.

Although Prospective Student Data may not yet constitute FERPA-protected education records for Institution before the individual is in attendance, AIMGEO shall apply materially similar confidentiality, security, access, retention, and AI-use restrictions to such data while processing it on Institution’s behalf.

13. Consent-Based Workflows

If Institution elects to rely on user or student consent, rather than the school official exception, for any disclosure or processing of records, Institution is responsible for obtaining any consent required by law. AIMGEO shall process the relevant data only in accordance with such consent, Institution’s instructions, and the Underlying Agreement.

14. No Unilateral Amendment

This FERPA Addendum may be modified only by a written amendment signed by both parties. Website posting alone, click-through revision alone, or unilateral notice alone shall not amend this FERPA Addendum.

15. Order of Precedence

If there is a conflict between this FERPA Addendum and the Underlying Agreement with respect to Covered Education Records or Prospective Student Data, this FERPA Addendum shall control.
