The Short Version
"FERPA compliant" is not a certification — it's a legal posture that depends on what your district has signed. A tool can have all the right infrastructure and still expose your district if no DPA is in place. This guide explains what actually matters and which tools are worth evaluating.
The problem with "FERPA compliant"
If you search for AI tools for teachers, you'll find dozens of products that describe themselves as "FERPA compliant." The phrase has become a marketing checkbox, but it doesn't mean what most teachers think it means.
FERPA compliance is not a certification. There is no federal body that audits and certifies AI products as FERPA-safe. When a vendor says their tool is "FERPA compliant," they are making a claim about their own data practices, not a verified fact about your district's legal standing.
What actually determines whether your district is protected is this: has your district executed a signed Data Processing Agreement (DPA) with the vendor that designates them as a "school official" under FERPA? Without that document, it doesn't matter what the vendor's privacy page says.
What FERPA actually requires for AI tools
FERPA restricts how student education records can be shared with third parties. For AI tools, three things matter:
The three FERPA questions
Is student data being processed? If a teacher inputs student names, grades, IEP details, or any personally identifiable information into an AI tool, that tool is processing education records. That triggers FERPA obligations.
Is the vendor acting as a "school official"? FERPA allows schools to share student records with vendors without parental consent, but only if the vendor is established as a "school official" with a "legitimate educational interest" through a written agreement. That written agreement is the DPA.
Does the vendor's DPA meet FERPA's requirements? A DPA needs to specify that the vendor will only use student data for the contracted purpose, will not redisclose data to third parties, will maintain direct control under the school's supervision, and will return or destroy data when the relationship ends.
If a teacher uses an AI tool without a district-executed DPA, they are personally exposing student records, even if they have good intentions and the tool has a strong privacy policy.
What to look for in an AI tool for teachers
When evaluating any AI tool for classroom use, your checklist should include:
Evaluation checklist
DPA availability. Does the vendor offer a Data Processing Agreement? Some vendors only offer this to paying enterprise customers. For tools used with student data, this is non-negotiable.
SDPC National Data Privacy Agreement. The Student Data Privacy Consortium maintains a national DPA template that hundreds of vendors have signed. A vendor on the SDPC list has agreed to standardized, vetted data protection terms. This significantly reduces your district's legal review burden.
No student data used for model training. Any AI tool that uses student inputs to train or improve its underlying AI model is almost certainly in violation of FERPA. Check the privacy policy and DPA terms explicitly for this clause.
Subprocessor transparency. Most AI tools rely on underlying model providers (OpenAI, Anthropic, Google, etc.). Your DPA needs to cover those subprocessors, not just the vendor's own infrastructure.
Teacher-only vs. student-facing. Tools used only by teachers to generate lesson plans or grade templates carry lower FERPA risk than tools where students interact directly and enter personal information. Know the difference before approving.
Tools with FERPA-ready documentation
These are the tools K12SafeList has independently assessed and found to have the foundational compliance documentation in place. "FERPA-ready" means a DPA is available and the vendor has signed the SDPC national agreement. It does not mean your district is automatically protected without executing that DPA.
Built specifically for K-12. Has SDPC agreement, available DPA, and does not use student data for AI training. The student-facing product requires teacher oversight configuration to meet FERPA standards. Strong compliance foundation with district-side conditions.
Full assessment →ChatGPT comes in three versions with very different compliance profiles. ChatGPT Edu and Team versions include data processing agreements. The free consumer version does not. Most teachers are using the wrong version.
Full assessment →No DPA available. OpenAI explicitly states the free version is not intended for processing student data. District use without a signed agreement is a FERPA violation.
Full assessment →The tools teachers use most — and what's missing
The reality in most districts is that teachers are using AI tools that were never approved, never reviewed, and have no DPA in place. Our shadow AI research found that over 40% of districts have no AI policy, while 80% have teachers actively using AI tools.
The gap between what IT has approved and what teachers are actually using is where FERPA exposure lives. A teacher using a free AI tool to draft feedback on a student's IEP progress is creating a FERPA problem, even if the tool has a "for education" landing page.
The safest approach isn't to ban all AI tools. It's to build a short approved list, execute DPAs with those vendors, and give teachers clear guidance on what's in-bounds. That's what K12SafeList is designed to help with.
Frequently asked questions
Only if no student personally identifiable information is entered. If a teacher uses ChatGPT to draft generic lesson plans without any student names, grades, or identifying details, the FERPA risk is low. The moment student-specific information enters the prompt, a DPA is required.
Google Workspace for Education has a signed DPA with most districts and includes data processing terms that cover Google's AI features within Workspace. This only covers native Google tools, not third-party AI tools integrated through add-ons or extensions.
FERPA governs student education records for students of any age. COPPA governs the collection of personal data from children under 13 by commercial operators. For K-12 AI tools serving elementary students, both apply. See our COPPA guide for districts.
No. There is no federal FERPA certification process. Any vendor claiming to be "FERPA certified" is using the term inaccurately. What matters is whether the vendor offers a compliant DPA and whether your district has signed it.
This article reflects independent research based on publicly available information as of April 2026. It does not constitute legal advice. No edtech product can be "FERPA certified." Always verify current vendor documentation and consult your district's legal counsel before procurement decisions.