We read the vendor's full privacy policy for clauses relevant to K-12 student data. Generic consumer policies are common — we look specifically for education-specific terms that address the requirements schools actually face.
- Does the school official exception language match FERPA's four-part test?
- Is student data used to train AI models — with or without consent?
- What is the data retention and deletion policy? Can districts request deletion?
- Are there third-party data sharing provisions that create exposure?
- Does the policy address COPPA age restrictions (under-13)?
The Student Data Privacy Consortium (SDPC) maintains a registry of vendors who have signed standardized Data Privacy Agreements. A vendor who has signed with the SDPC has made specific, auditable commitments on student data handling. We check the SDPC registry directly for every tool.
- Has the vendor signed the SDPC National Data Privacy Agreement (NDPA)?
- Which states or regions have active SDPC agreements?
- Are the agreement terms current with 2025-2026 COPPA amendments?
A Data Processing Agreement is the legal contract establishing school control over student data. We assess whether a district-friendly DPA exists and whether its key terms are reasonable.
- Is a formal DPA available for districts to sign?
- Does it establish the district as the data controller?
- Does it prohibit using student data for commercial purposes or model training?
- Does it include audit rights and breach notification requirements?
Compliance on paper holds only if the district can manage it in practice. We evaluate what tools districts have to configure, monitor, and audit AI tool usage.
- Can districts claim their domain and manage teacher accounts centrally?
- Are role-based access controls available?
- Is SAML SSO supported for enterprise deployment?
- Are audit logs available for compliance review?
We cross-reference Common Sense Media privacy ratings, any documented data incidents or enforcement actions, and public reporting on the vendor's privacy track record.
- Common Sense Media privacy rating (where available)
- Any documented data incidents or breaches
- FTC enforcement history and COPPA violations
- Reporting from credible education privacy organizations
Every assessment produces one of three verdicts. These are research findings, not legal certifications.
The tool has the compliance infrastructure to support appropriate district use. A DPA is available, data practices are transparent, and district controls exist. A signed DPA is still required.
The tool can be used appropriately, but only under specific conditions — specific versions, specific configuration, or restricted use cases. Read the full assessment before proceeding.
The tool creates FERPA or COPPA exposure that cannot be mitigated through configuration alone. Avoid using it with any student data.
- Vendor privacy policies and education-specific terms of service
- SDPC National Data Privacy Agreement registry (sdpc.a4l.org)
- Vendor-published Student Data Privacy Agreements
- Common Sense Media privacy ratings (commonsense.org/education)
- Future of Privacy Forum AI in Education guidance
- CoSN Student Data Privacy Toolkit
- U.S. Department of Education FERPA guidance and Dear Colleague letters
- FTC enforcement actions and COPPA guidance
⚠ Research only — not legal advice
K12SafeList assessments are independent research findings. They do not constitute legal advice, FERPA certification, or any guarantee of compliance. Privacy policies and product terms change frequently. Always verify current documentation directly with the vendor before procurement decisions. Consult your district's legal counsel for guidance specific to your jurisdiction.