Student Data Privacy & FERPA Compliance
Prepared for district IT directors, compliance officers, and technology committees reviewing Behavior School as a vendor.
April 2026
Overview
Behavior School is a professional learning platform used by BCBAs, behavior technicians, and school staff. We do not store or process student records (IEPs, evaluations, or identifying student data) as part of our core platform.
This document describes the security controls we have in place to protect any user data our platform does handle — and why those controls meet or exceed FERPA expectations for a school-contracted service provider.
Summary
| Control | Status |
|---|---|
| Audit logging (user, timestamp, action, IP) | Implemented |
| MFA for administrator accounts | Implemented |
| Password complexity + lockout policy | Implemented |
| 30-minute session timeout | Implemented |
| Encryption at rest (AES-256) | Via Convex |
| Encryption in transit (TLS) | Via Convex + Netlify |
| U.S. data residency | Implemented |
| No third-party data sharing | Implemented |
Technical Controls
Audit Logging
ImplementedEvery access to student-related data is logged with the user ID, timestamp (UTC), action type (read, write, export), and IP address. Logs are retained and reviewable. District compliance teams can request an access report at any time.
FERPA relevance: Audit trails let districts verify that only authorized personnel accessed education records, and support breach investigation if needed.
Multi-Factor Authentication (MFA)
ImplementedAll administrator accounts require MFA at login using time-based one-time passwords (TOTP — compatible with Google Authenticator, Authy, and similar apps). Standard staff accounts are encouraged to enable MFA and can be required by district policy.
FERPA relevance: MFA is a recognized best practice for preventing unauthorized access to systems with access to student data.
Password Policy
ImplementedAll accounts require a minimum of 12 characters with letters, numbers, and symbols. Accounts lock after 5 consecutive failed login attempts and require administrator reset or email verification to unlock.
FERPA relevance: Strong credential requirements reduce the risk of brute-force or credential-stuffing attacks.
Session Timeout
ImplementedUser sessions expire automatically after 30 minutes of inactivity. Users must reauthenticate to continue — across all platform interfaces.
FERPA relevance: Session timeouts limit exposure from unattended, authenticated browser sessions — a common risk in shared-device school environments.
Data Residency & Encryption
ConfirmedApplication data is stored in Convex, with encryption at rest (AES-256) and in transit (TLS 1.2+), hosted in the United States. The web application is hosted on Netlify with HTTPS enforced (TLS 1.3) on all connections. Neither Convex nor Netlify sells or shares customer data.
FERPA relevance: Encryption at rest and in transit is a baseline requirement for systems that may store education records.
Data Handling
What We Do Not Do
- We do not sell or rent user data to third parties
- We do not use student data to train AI models or for any purpose outside delivering our service
- We do not transfer data to vendors outside the United States
- We do not use student personally identifiable information (PII) in marketing communications
Ready to move forward with your district?
We can provide a signed Data Processing Agreement (DPA), Student Data Privacy Agreement (SDPA), or completed vendor security questionnaire. Reach out and we'll respond within 2 business days.
Request a DPAContact Us
To request a DPA, SDPA, or vendor security questionnaire:
We respond within 2 business days.
Contact
If your district requires additional documentation or wants to schedule a call with our team, contact us directly:
Behavior School is built and operated by a small team. We're happy to jump on a call with your district IT director or compliance officer — just reach out.