Compliance Report

FERPA Compliance Report

Protecting Student Education Records for Educational Institutions

v1.0 โ€” February 2026

What is FERPA?

FERPA โ€” 20 U.S.C. ยง 1232g

FERPA (Family Educational Rights and Privacy Act) is a United States federal law enacted in 1974 that protects the privacy of student education records. FERPA applies to all educational institutions that receive federal funding.

Under FERPA, educational institutions are required to control access to student records, prevent unauthorized disclosure, and maintain logs of record access. These requirements directly impact all document management systems used by institutions.

This report explains how YesPDF meets FERPA requirements point by point.

FERPA Key Rights

Right to Inspect Records

Parents (and students over 18) have the right to inspect and review education records.

Right to Amend Records

Parents may request correction of information they believe is inaccurate or misleading.

Consent for Disclosure

Education records cannot be shared with third parties without written consent (with certain exceptions).

Right to Complain

Parents may file complaints with the U.S. Department of Education regarding FERPA violations.

Protected Record Types

Education records protected under FERPA include:

  • Transcripts and grade reports
  • Class rosters and attendance records
  • Disciplinary files
  • Student health records (maintained by the educational institution)
  • Financial aid and scholarship documents
  • Student identification information (SSN, passport number, etc.)
  • Special education records (IEP/504 plans)
  • Graduation and diploma information

FERPA Requirements and YesPDF Solutions

1. Access Control

FERPA requires that only authorized personnel with a "legitimate educational interest" can access student records.

โœ… YesPDF Solution

  • Role-Based Access Control (RBAC): Granular authorization with dean, department head, faculty, registrar and counselor roles.
  • Document-Level Permissions: Read, edit, download and print permissions can be defined separately for each document.
  • LDAP/Active Directory Integration: Centralized access management through integration with the institution's existing authentication infrastructure.
  • IP Restriction: Document access can be restricted to the institutional network only.

2. Audit Trail

FERPA requires maintaining records of who has accessed education records and what information was disclosed.

โœ… YesPDF Solution

  • Comprehensive Audit Log: Every document access, edit, download and print operation is automatically recorded.
  • Immutable Records: Audit logs cannot be modified or deleted โ€” providing reliable evidence for FERPA audits.
  • Detailed Tracking: Who, when, which document, from which device โ€” all details are recorded.
  • Reporting: Access reports can be generated on a per-student or per-document basis.

3. Data Security

FERPA requires protection of education records against unauthorized access, modification and destruction.

โœ… YesPDF Solution

  • AES-256 Encryption: All student documents are encrypted with AES-256 both in transit and at rest.
  • On-Premise Architecture: Data is never sent to third-party cloud servers โ€” it remains entirely within institutional infrastructure.
  • PDF Encryption: Individual PDF files can be password-protected with permission restrictions.
  • Secure Deletion: Documents past their retention period can be securely destroyed.

4. Permanent Redaction

When sharing information under FERPA exceptions, unrelated student information must be redacted.

โœ… YesPDF Solution

  • Permanent Redaction: Student IDs, addresses, health information and other PII can be irreversibly removed from documents.
  • Batch Redaction: Apply redaction across multiple documents simultaneously.
  • Redaction Verification: Confirms that redacted data is truly removed โ€” no hidden layers or metadata leakage.
  • Selective Sharing: Different redaction levels can be applied to the same document for different recipients.

5. Record Retention and Destruction

FERPA requires certain records to be maintained for specific periods and securely destroyed afterward.

โœ… YesPDF Solution

  • Retention Policies: Automatic retention periods can be defined by document type.
  • Expiry Alerts: Automatic notifications for documents approaching their retention deadline.
  • Secure Archiving: Documents requiring long-term retention are protected in encrypted archives.
  • Destruction Records: Deletion logs are maintained for destroyed documents โ€” meeting audit requirements.

6. Consent and Notification

FERPA requires written consent before record disclosure and notification of rights to parents/students.

โœ… YesPDF Solution

  • Fill & Sign: Consent forms can be filled digitally and approved with e-signature.
  • Form Templates: FERPA consent forms and notification documents can be prepared as templates.
  • Digital Signature: Legally valid e-signatures accelerate consent workflows.
  • Document Tracking: Which consents were obtained and what information was shared is recorded.

Directory Information Management

FERPA allows certain "directory information" categories to be disclosed without consent (students have the right to opt out). This information includes:

  • Student name
  • Address and phone number
  • Email address
  • Date and place of birth
  • Major / department
  • Enrollment status and dates of attendance
  • Degrees and awards received
In YesPDF, directory information can be managed with a separate access level. Students who request opt-out can have their information automatically excluded from sharing.

On-Premise vs. Cloud Comparison

Comparing on-premise and cloud solutions for FERPA compliance:

Criteria YesPDF (On-Premise) Cloud PDF Tools
Data LocationInstitution's own serverThird-party data center
Data Control100% under institution controlDependent on service provider
Third-Party AccessNoneProvider staff may access
BAA RequirementNot requiredBusiness Associate Agreement needed
Data Breach RiskMinimized โ€” stays on internal networkExposed to external attacks
Audit EaseAll logs localDependent on provider

FERPA Compliance Checklist

To ensure FERPA compliance with YesPDF:

  1. 1
    Define access policies

    Determine which roles can access which student records and enforce with YesPDF RBAC.

  2. 2
    Enable audit logging

    Ensure all document access is logged. Regularly review access reports.

  3. 3
    Establish redaction procedures

    Define standard procedures for which information to redact before document sharing.

  4. 4
    Configure retention policies

    Define retention periods by document type and enable automatic alerts.

  5. 5
    Verify encryption

    Confirm AES-256 encryption is active and all documents are stored encrypted.

  6. 6
    Train staff

    Educate relevant staff on FERPA requirements and YesPDF usage.

  7. 7
    Publish annual notification

    Notify students and parents of FERPA rights annually.

  8. 8
    Create incident response plan

    Define and test steps to follow in case of a data breach.

Summary

YesPDF helps educational institutions meet FERPA requirements through its on-premise architecture, comprehensive access controls, audit logs, AES-256 encryption and permanent redaction capabilities. Student records never leave institutional infrastructure, every access is logged, and sensitive information can be securely redacted before sharing.

Technical Support

For questions about FERPA compliance and YesPDF configuration:

This document was prepared by the YesPDF technical team. This report does not constitute legal advice. We recommend consulting your institution's legal counsel for FERPA compliance assessment.